CVE-2026-5736: PowerJob vulnerable to SQL injection

April 7, 2026 (updated April 8, 2026)

A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQuery leads to sql injection. Remote exploitation of the attack is possible. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/PowerJob/PowerJob
github.com/PowerJob/PowerJob/issues/1167
github.com/PowerJob/PowerJob/pull/1166
github.com/advisories/GHSA-4fp2-3xgg-jg4w
nvd.nist.gov/vuln/detail/CVE-2026-5736
vuldb.com/submit/786727
vuldb.com/vuln/355746
vuldb.com/vuln/355746/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-5736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →