CVE-2026-5736

Received Received - Intake

SQL Injection in PowerJob InstanceController Enables Remote Exploitation

Publication date: 2026-04-07

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-07

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-04-07

EPSS Evaluated

2026-06-14

NVD

CVE-2026-5736

EUVD

EUVD-2026-19893

Affected Vendors & Products

Vendor	Product	Version / Range
tech	powerjob	5.1.0
tech	powerjob	5.1.1
tech	powerjob	5.1.2
tech	powerjob	From 5.1.0 (inc) to 5.1.2 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Compliance Impact

The vulnerability CVE-2026-5736 allows unauthenticated remote code execution via SQL injection in PowerJob versions 5.1.0 to 5.1.2. This security flaw can lead to unauthorized access and manipulation of sensitive data, which may result in violations of data protection regulations such as GDPR and HIPAA.

Specifically, the lack of authentication and permission checks on a sensitive API endpoint combined with insufficient SQL injection filtering can enable attackers to execute arbitrary system commands remotely. Such unauthorized access and potential data breaches undermine the confidentiality, integrity, and availability of protected data, core principles required by compliance standards.

Therefore, organizations using affected versions of PowerJob without applying the recommended patches risk non-compliance with regulations that mandate strict access controls and protection against unauthorized data access or modification.

Executive Summary

CVE-2026-5736 is a critical vulnerability in PowerJob versions 5.1.0 through 5.1.2 that allows unauthenticated remote code execution via SQL injection. The vulnerability arises from two main issues in the `/instance/detailPlus` API endpoint: first, the `getInstanceDetailPlus` method lacks authentication and permission checks, allowing anyone to access it without credentials; second, the `customQuery` parameter is vulnerable to SQL injection because the blacklist filtering dangerous SQL keywords is incomplete and misses critical H2 database commands like RUNSCRIPT, CALL, LINK, and SCRIPT.

Attackers can exploit this by sending specially crafted SQL commands through the `customQuery` parameter, which the H2 database engine executes. This can lead to arbitrary code execution on the server, including running remote scripts and system commands. The vulnerability is exacerbated by the fact that the endpoint does not enforce permission checks, and the blacklist filtering is based on simple substring matching, which can be bypassed.

Impact Analysis

This vulnerability allows unauthenticated attackers to remotely execute arbitrary system commands on the server running PowerJob. This can lead to full compromise of the affected system, including unauthorized data access, data modification, service disruption, and potential lateral movement within the network.

Specifically, attackers can inject malicious SQL commands that execute remote scripts and create aliases to run system commands, effectively gaining control over the server environment without any authentication.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized access attempts to the `/instance/detailPlus` API endpoint and monitoring for suspicious SQL injection payloads in the `customQuery` parameter.

Specifically, look for POST requests to `/instance/detailPlus` containing SQL keywords such as RUNSCRIPT, CALL, LINK, or SCRIPT within the `customQuery` parameter, which are indicators of attempted exploitation.

Network or application logs can be searched for these patterns. For example, using command-line tools like grep on server logs:

grep -iE 'POST /instance/detailPlus' /path/to/access.log | grep -iE 'runscript|call|link|script'
grep -iE 'customQuery=.*(runscript|call|link|script)' /path/to/application.log

Additionally, monitoring for unauthenticated access to this endpoint is important since the vulnerability allows pre-authentication exploitation.

Mitigation Strategies

Immediate mitigation steps include applying the patches that add authentication and authorization checks to the `/instance/detailPlus` endpoint and extending the SQL injection blacklist.

Add the `@ApiPermission` annotation to the `getInstanceDetailPlus` method to enforce permission checks, requiring appropriate roles and permissions.
Extend the SQL injection blacklist for the `customQuery` parameter to include H2-specific dangerous keywords such as RUNSCRIPT, CALL, LINK, and SCRIPT.

Furthermore, consider restricting the allowed SQL grammar in `customQuery` to a safe subset, disallowing statement separators and SQL comment syntax to reduce injection risk.

If patches are not immediately available, restrict network access to the vulnerable endpoints and monitor for suspicious activity as a temporary measure.

Hi! I’m here to help you understand CVE-2026-5736. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-5736

SQL Injection in PowerJob InstanceController Enables Remote Exploitation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart