Common Weakness Enumeration

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

CVE-2026-40351 (GCVE-0-2026-40351)

Vulnerability from cvelistv5 – Published: 2026-04-17 21:05 – Updated: 2026-04-20 14:57
VLAI
Title
FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass
Summary
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
Impacted products
Vendor Product Version
labring FastGPT Affected: < 4.14.9.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40351",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T14:47:36.369173Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T14:57:15.664Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FastGPT",
          "vendor": "labring",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.14.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {\"$ne\": \"\"}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T21:05:05.911Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg"
        },
        {
          "name": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d"
        },
        {
          "name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
        }
      ],
      "source": {
        "advisory": "GHSA-x8mx-2mr7-h9xg",
        "discovery": "UNKNOWN"
      },
      "title": "FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40351",
    "datePublished": "2026-04-17T21:05:05.911Z",
    "dateReserved": "2026-04-10T22:50:01.359Z",
    "dateUpdated": "2026-04-20T14:57:15.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40352 (GCVE-0-2026-40352)

Vulnerability from cvelistv5 – Published: 2026-04-17 21:09 – Updated: 2026-04-20 13:36
VLAI
Title
FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover
Summary
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
Impacted products
Vendor Product Version
labring FastGPT Affected: < 4.14.9.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40352",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T13:23:11.617519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T13:36:06.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FastGPT",
          "vendor": "labring",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.14.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the \"old password\" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T21:09:32.913Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6"
        },
        {
          "name": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d"
        },
        {
          "name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
        }
      ],
      "source": {
        "advisory": "GHSA-422w-vrfj-72g6",
        "discovery": "UNKNOWN"
      },
      "title": "FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40352",
    "datePublished": "2026-04-17T21:09:32.913Z",
    "dateReserved": "2026-04-10T22:50:01.359Z",
    "dateUpdated": "2026-04-20T13:36:06.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41274 (GCVE-0-2026-41274)

Vulnerability from cvelistv5 – Published: 2026-04-23 21:12 – Updated: 2026-04-24 18:19
VLAI
Title
Flowise: Cypher Injection in GraphCypherQAChain
Summary
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41274",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T16:20:30.518456Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:19:51.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flowise",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.1.0"
            }
          ]
        },
        {
          "product": "flowise-components",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T21:12:51.627Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"
        }
      ],
      "source": {
        "advisory": "GHSA-28g4-38q8-3cwc",
        "discovery": "UNKNOWN"
      },
      "title": "Flowise: Cypher Injection in GraphCypherQAChain"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41274",
    "datePublished": "2026-04-23T21:12:51.627Z",
    "dateReserved": "2026-04-18T14:01:46.802Z",
    "dateUpdated": "2026-04-24T18:19:51.514Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41327 (GCVE-0-2026-41327)

Vulnerability from cvelistv5 – Published: 2026-04-24 18:27 – Updated: 2026-04-24 19:05
VLAI
Title
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field
Summary
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
Impacted products
Vendor Product Version
dgraph-io dgraph Affected: < 25.3.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41327",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T19:04:19.112167Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T19:05:56.125Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dgraph",
          "vendor": "dgraph-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 25.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph\u0027s default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a crafted cond field in an upsert mutation. The cond value is concatenated directly into a DQL query string via strings.Builder.WriteString after only a cosmetic strings.Replace transformation. No escaping, parameterization, or structural validation is applied. An attacker injects an additional DQL query block into the cond string, which the DQL parser accepts as a syntactically valid named query block. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T18:27:51.477Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-mrxx-39g5-ph77"
        },
        {
          "name": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-mrxx-39g5-ph77",
        "discovery": "UNKNOWN"
      },
      "title": "Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41327",
    "datePublished": "2026-04-24T18:27:51.477Z",
    "dateReserved": "2026-04-20T14:01:46.672Z",
    "dateUpdated": "2026-04-24T19:05:56.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41328 (GCVE-0-2026-41328)

Vulnerability from cvelistv5 – Published: 2026-04-24 18:25 – Updated: 2026-04-24 19:57
VLAI
Title
Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
Summary
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
Impacted products
Vendor Product Version
dgraph-io dgraph Affected: < 25.3.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41328",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T19:57:33.326072Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T19:57:59.743Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dgraph",
          "vendor": "dgraph-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 25.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph\u0027s default configuration where ACL is not enabled. The attack requires two HTTP POSTs to port 8080. The first sets up a schema predicate with @unique @index(exact) @lang via /alter (also unauthenticated in default config). The second sends a crafted JSON mutation to /mutate?commitNow=true where a JSON key contains the predicate name followed by @ and a DQL injection payload in the language tag position. The injection exploits the addQueryIfUnique function in edgraph/server.go, which constructs DQL queries using fmt.Sprintf with unsanitized predicateName that includes the raw pred.Lang value. The Lang field is extracted from JSON mutation keys by x.PredicateLang(), which splits on @, and is never validated by any function in the codebase. The attacker injects a closing parenthesis to escape the eq() function, adds an arbitrary named query block, and uses a # comment to neutralize trailing template syntax. The injected query executes server-side and its results are returned in the HTTP response. This vulnerability is fixed in 25.3.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T18:25:43.894Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-x92x-px7w-4gx4"
        }
      ],
      "source": {
        "advisory": "GHSA-x92x-px7w-4gx4",
        "discovery": "UNKNOWN"
      },
      "title": "Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41328",
    "datePublished": "2026-04-24T18:25:43.894Z",
    "dateReserved": "2026-04-20T14:01:46.672Z",
    "dateUpdated": "2026-04-24T19:57:59.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41696 (GCVE-0-2026-41696)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-10 17:53
VLAI
Title
Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Summary
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
Impacted products
Vendor Product Version
Spring Spring Data MongoDB Affected: 5.0.0 , < 5.0.6 (custom)
Affected: 4.5.0 , < 4.5.12 (custom)
Affected: 4.4.0 , < 4.4.15 (custom)
Affected: 4.3.0 , < 4.3.17 (custom)
Affected: 4.2.0 , < 4.2.16 (custom)
Affected: 4.1.0 , < 4.1.15 (custom)
Affected: 4.0.0 , < 4.0.16 (custom)
Affected: 3.4.0 , < 3.4.20 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41696",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T17:52:05.245642Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T17:53:14.235Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Data MongoDB",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.0.6",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.5.12",
              "status": "affected",
              "version": "4.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.4.15",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.3.17",
              "status": "affected",
              "version": "4.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.2.16",
              "status": "affected",
              "version": "4.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.1.15",
              "status": "affected",
              "version": "4.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.0.16",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.4.20",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19."
            }
          ],
          "value": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can supply a crafted string to a @Query regex binding can break out of literal quoting, potentially exposing unauthorized data or bypassing intended query filters."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:47:37.883Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-41696"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spring Data MongoDB Bind Parameter Literal Quoting Breakout",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-41696",
    "datePublished": "2026-06-09T23:47:37.883Z",
    "dateReserved": "2026-04-22T06:21:22.981Z",
    "dateUpdated": "2026-06-10T17:53:14.235Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41697 (GCVE-0-2026-41697)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-27 21:33
VLAI
Title
Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern
Summary
Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
Impacted products
Vendor Product Version
Spring Spring Data Relational Affected: 4.0.0 , < 4.0.5.1 (custom)
Affected: 3.5.0 , < 3.5.11.1 (custom)
Affected: 3.4.0 , < 3.4.15 (custom)
Affected: 3.3.0 , < 3.3.17 (custom)
Affected: 3.2.0 , < 3.2.16 (custom)
Affected: 3.1.0 , < 3.1.15 (custom)
Affected: 3.0.0 , < 3.0.16 (custom)
Affected: 2.4.0 , < 2.4.20 (custom)
Create a notification for this product.
Spring Spring Data JDBC Affected: 4.0.0 , < 4.0.5.1 (custom)
Affected: 3.5.0 , < 3.5.11.1 (custom)
Affected: 3.4.0 , < 3.4.15 (custom)
Affected: 3.3.0 , < 3.3.17 (custom)
Affected: 3.2.0 , < 3.2.16 (custom)
Affected: 3.1.0 , < 3.1.15 (custom)
Affected: 3.0.0 , < 3.0.16 (custom)
Affected: 2.4.0 , < 2.4.20 (custom)
Create a notification for this product.
Spring Spring Data R2DBC Affected: 4.0.0 , < 4.0.5.1 (custom)
Affected: 3.5.0 , < 3.5.11.1 (custom)
Affected: 3.4.0 , < 3.4.15 (custom)
Affected: 3.3.0 , < 3.3.17 (custom)
Affected: 3.2.0 , < 3.2.16 (custom)
Affected: 3.1.0 , < 3.1.15 (custom)
Affected: 3.0.0 , < 3.0.16 (custom)
Affected: 1.5.0 , < 1.5.20 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41697",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T17:51:14.731749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T17:51:30.646Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Data Relational",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "4.0.5.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.5.11.1",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.4.15",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.3.17",
              "status": "affected",
              "version": "3.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.2.16",
              "status": "affected",
              "version": "3.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.15",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0.16",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.4.20",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Spring Data JDBC",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "4.0.5.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.5.11.1",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.4.15",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.3.17",
              "status": "affected",
              "version": "3.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.2.16",
              "status": "affected",
              "version": "3.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.15",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0.16",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.4.20",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Spring Data R2DBC",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "4.0.5.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.5.11.1",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.4.15",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.3.17",
              "status": "affected",
              "version": "3.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.2.16",
              "status": "affected",
              "version": "3.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.15",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0.16",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "1.5.20",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.\n\nAffected versions:\nSpring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19."
            }
          ],
          "value": "Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.\n\nAffected versions:\nSpring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can supply wildcard characters to a Query By Example probe can perform boolean-based blind data inference against the queried entity."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T21:33:25.580Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-41697"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-41697",
    "datePublished": "2026-06-09T23:47:42.091Z",
    "dateReserved": "2026-04-22T06:21:22.981Z",
    "dateUpdated": "2026-06-27T21:33:25.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42156 (GCVE-0-2026-42156)

Vulnerability from cvelistv5 – Published: 2026-05-12 23:00 – Updated: 2026-05-13 12:07
VLAI
Title
Flowsint: Cypher query injection in node type on node creation
Summary
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
Impacted products
Vendor Product Version
reconurge flowsint Affected: < 1.2.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42156",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T12:06:52.985812Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T12:07:00.524Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flowsint",
          "vendor": "reconurge",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T23:00:03.440Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p"
        }
      ],
      "source": {
        "advisory": "GHSA-h5m2-c2c5-968p",
        "discovery": "UNKNOWN"
      },
      "title": "Flowsint: Cypher query injection in node type on node creation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42156",
    "datePublished": "2026-05-12T23:00:03.440Z",
    "dateReserved": "2026-04-24T17:15:21.835Z",
    "dateUpdated": "2026-05-13T12:07:00.524Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42316 (GCVE-0-2026-42316)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:41 – Updated: 2026-05-11 17:27
VLAI
Title
KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto
Summary
kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) → "<table> | count", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) → ".show table <table> ingestion <format> mapping '<mapping>'"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, ') to execute arbitrary management commands in the context of the connector's service principal — enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42316",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T17:27:18.333065Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T17:27:23.704Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kafka-sink-azure-kusto",
          "vendor": "Azure",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping entry were interpolated directly into KQL management/query commands via String.formatted(...) (e.g., FETCH_TABLE_COMMAND.formatted(table) \u2192 \"\u003ctable\u003e | count\", FETCH_TABLE_MAPPING_COMMAND.formatted(table, format, mapping) \u2192 \".show table \u003ctable\u003e ingestion \u003cformat\u003e mapping \u0027\u003cmapping\u003e\u0027\"). An actor able to influence the connector configuration (for example, someone with permissions to submit or edit Kafka Connect connector configs) could embed KQL metacharacters (;, |, \u0027) to execute arbitrary management commands in the context of the connector\u0027s service principal \u2014 enabling schema enumeration/modification, ingestion-mapping tampering, or changes to streaming/retention policies on the target Azure Data Explorer database. This is a tampering vulnerability. Exploitation requires privileged access to the connector configuration; no end-user interaction or Kafka record payload is involved. This vulnerability is fixed in 5.2.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:41:07.091Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Azure/kafka-sink-azure-kusto/security/advisories/GHSA-c9mr-mqvh-6wgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Azure/kafka-sink-azure-kusto/security/advisories/GHSA-c9mr-mqvh-6wgj"
        },
        {
          "name": "https://github.com/Azure/kafka-sink-azure-kusto/pull/155",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Azure/kafka-sink-azure-kusto/pull/155"
        },
        {
          "name": "https://github.com/Azure/kafka-sink-azure-kusto/releases/tag/v5.2.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Azure/kafka-sink-azure-kusto/releases/tag/v5.2.3"
        }
      ],
      "source": {
        "advisory": "GHSA-c9mr-mqvh-6wgj",
        "discovery": "UNKNOWN"
      },
      "title": "KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42316",
    "datePublished": "2026-05-11T16:41:07.091Z",
    "dateReserved": "2026-04-26T12:37:18.170Z",
    "dateUpdated": "2026-05-11T17:27:23.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44425 (GCVE-0-2026-44425)

Vulnerability from cvelistv5 – Published: 2026-05-13 21:05 – Updated: 2026-05-14 19:52
VLAI
Title
ShellHub: Crash-DoS via field injection in filter and sort-by parameters
Summary
ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
Vendor Product Version
shellhub-io shellhub Affected: < 0.24.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:04:10.929560Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T19:52:09.294Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "shellhub",
          "vendor": "shellhub-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-943",
              "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T21:05:07.925Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9"
        }
      ],
      "source": {
        "advisory": "GHSA-47r2-v3x6-wff9",
        "discovery": "UNKNOWN"
      },
      "title": "ShellHub: Crash-DoS via field injection in filter and sort-by parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44425",
    "datePublished": "2026-05-13T21:05:07.925Z",
    "dateReserved": "2026-05-06T14:40:00.953Z",
    "dateUpdated": "2026-05-14T19:52:09.294Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

No mitigation information available for this CWE.

CAPEC-676: NoSQL Injection

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.

Back to CWE stats page