{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5739/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5739"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["code-injection","powerjob","cve-2026-5739"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical code injection vulnerability, identified as CVE-2026-5739, has been discovered in PowerJob, an open-source distributed job scheduling and management platform. This vulnerability affects versions 5.1.0, 5.1.1, and 5.1.2. The vulnerability resides in the \u003ccode\u003eGroovyEvaluator.evaluate\u003c/code\u003e function of the \u003ccode\u003e/openApi/addWorkflowNode\u003c/code\u003e endpoint within the OpenAPI component. By manipulating the \u003ccode\u003enodeParams\u003c/code\u003e argument, a remote attacker can inject and execute arbitrary code on the server. This vulnerability can be exploited without authentication, posing a significant threat to systems running vulnerable PowerJob instances. The vendor has been notified, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PowerJob instance running versions 5.1.0, 5.1.1, or 5.1.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/openApi/addWorkflowNode\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker injects malicious code into the \u003ccode\u003enodeParams\u003c/code\u003e argument, leveraging the \u003ccode\u003eGroovyEvaluator.evaluate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe PowerJob server receives the request and passes the attacker-controlled \u003ccode\u003enodeParams\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGroovyEvaluator.evaluate\u003c/code\u003e function processes the malicious code, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the PowerJob server with the privileges of the PowerJob process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this access to move laterally within the network, exfiltrate sensitive data, or cause a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5739 allows unauthenticated remote attackers to execute arbitrary code on the PowerJob server. This could lead to complete system compromise, data breaches, or disruption of critical job scheduling processes. Given the nature of job scheduling platforms, compromised servers could be used to compromise other systems in the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PowerJob instances to a patched version that addresses CVE-2026-5739 as soon as a patch is released by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential compromise of the PowerJob server.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/openApi/addWorkflowNode\u003c/code\u003e endpoint, looking for unusual characters or patterns in the \u003ccode\u003enodeParams\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerJob Groovy Code Injection Attempt\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:34Z","date_published":"2026-04-07T20:16:34Z","id":"/briefs/2026-04-powerjob-code-injection/","summary":"A code injection vulnerability exists in PowerJob versions 5.1.0, 5.1.1, and 5.1.2, allowing remote attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI Endpoint component by manipulating the nodeParams argument.","title":"PowerJob OpenAPI Endpoint Code Injection Vulnerability (CVE-2026-5739)","url":"https://feed.craftedsignal.io/briefs/2026-04-powerjob-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5739","version":"https://jsonfeed.org/version/1.1"}