{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/powerjob/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5739"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["code-injection","powerjob","cve-2026-5739"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical code injection vulnerability, identified as CVE-2026-5739, has been discovered in PowerJob, an open-source distributed job scheduling and management platform. This vulnerability affects versions 5.1.0, 5.1.1, and 5.1.2. The vulnerability resides in the \u003ccode\u003eGroovyEvaluator.evaluate\u003c/code\u003e function of the \u003ccode\u003e/openApi/addWorkflowNode\u003c/code\u003e endpoint within the OpenAPI component. By manipulating the \u003ccode\u003enodeParams\u003c/code\u003e argument, a remote attacker can inject and execute arbitrary code on the server. This vulnerability can be exploited without authentication, posing a significant threat to systems running vulnerable PowerJob instances. The vendor has been notified, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PowerJob instance running versions 5.1.0, 5.1.1, or 5.1.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/openApi/addWorkflowNode\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker injects malicious code into the \u003ccode\u003enodeParams\u003c/code\u003e argument, leveraging the \u003ccode\u003eGroovyEvaluator.evaluate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe PowerJob server receives the request and passes the attacker-controlled \u003ccode\u003enodeParams\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGroovyEvaluator.evaluate\u003c/code\u003e function processes the malicious code, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the PowerJob server with the privileges of the PowerJob process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this access to move laterally within the network, exfiltrate sensitive data, or cause a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5739 allows unauthenticated remote attackers to execute arbitrary code on the PowerJob server. This could lead to complete system compromise, data breaches, or disruption of critical job scheduling processes. Given the nature of job scheduling platforms, compromised servers could be used to compromise other systems in the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PowerJob instances to a patched version that addresses CVE-2026-5739 as soon as a patch is released by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential compromise of the PowerJob server.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/openApi/addWorkflowNode\u003c/code\u003e endpoint, looking for unusual characters or patterns in the \u003ccode\u003enodeParams\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerJob Groovy Code Injection Attempt\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:34Z","date_published":"2026-04-07T20:16:34Z","id":"/briefs/2026-04-powerjob-code-injection/","summary":"A code injection vulnerability exists in PowerJob versions 5.1.0, 5.1.1, and 5.1.2, allowing remote attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI Endpoint component by manipulating the nodeParams argument.","title":"PowerJob OpenAPI Endpoint Code Injection Vulnerability (CVE-2026-5739)","url":"https://feed.craftedsignal.io/briefs/2026-04-powerjob-code-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5736"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","vulnerability","powerjob"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5736 is a SQL injection vulnerability affecting PowerJob, an open-source distributed job scheduling and management platform. The vulnerability resides in the \u003ccode\u003eInstanceController.java\u003c/code\u003e file within the \u003ccode\u003epowerjob-server\u003c/code\u003e component, specifically in versions 5.1.0, 5.1.1, and 5.1.2. An attacker can remotely exploit this vulnerability by manipulating the \u003ccode\u003ecustomQuery\u003c/code\u003e argument of the \u003ccode\u003edetailPlus\u003c/code\u003e endpoint, injecting malicious SQL code that is then executed by the application\u0026rsquo;s database. This could lead to unauthorized data access, modification, or deletion. Although the vulnerability was reported to the project through an issue report, no patch or mitigation has yet been provided. This vulnerability poses a significant risk to organizations using vulnerable versions of PowerJob, potentially enabling attackers to compromise sensitive data and disrupt critical job scheduling processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PowerJob instance running versions 5.1.0, 5.1.1, or 5.1.2.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL injection payload, targeting the \u003ccode\u003ecustomQuery\u003c/code\u003e parameter of the \u003ccode\u003e/detailPlus\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted HTTP request to the vulnerable \u003ccode\u003e/detailPlus\u003c/code\u003e endpoint, embedding the SQL injection payload within the \u003ccode\u003ecustomQuery\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe PowerJob server receives the request and processes the \u003ccode\u003ecustomQuery\u003c/code\u003e parameter without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003ecustomQuery\u003c/code\u003e value is incorporated into an SQL query executed against the PowerJob database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed, allowing the attacker to bypass intended security restrictions and perform unauthorized database operations.\u003c/li\u003e\n\u003cli\u003eThe attacker may extract sensitive data, modify existing records, or even gain control over the underlying database server.\u003c/li\u003e\n\u003cli\u003eDepending on the attacker\u0026rsquo;s objectives, they may leverage the compromised database to pivot to other systems or disrupt critical job scheduling processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5736 can lead to a complete compromise of the PowerJob server and its associated database. An attacker could potentially gain access to sensitive data related to job schedules, configurations, and execution history. They could also modify existing jobs, create new malicious jobs, or even disrupt the entire job scheduling system. The exact impact depends on the scope of data stored in the PowerJob database and the attacker\u0026rsquo;s objectives, but could include data theft, service disruption, and potentially lateral movement within the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PowerJob to a patched version that addresses CVE-2026-5736 as soon as it becomes available from the vendor.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003ecustomQuery\u003c/code\u003e parameter in the \u003ccode\u003edetailPlus\u003c/code\u003e endpoint to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious PowerJob customQuery Parameter\u003c/code\u003e to detect potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/detailPlus\u003c/code\u003e endpoint containing potentially malicious SQL injection payloads, as covered in the logsource for the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T19:16:48Z","date_published":"2026-04-07T19:16:48Z","id":"/briefs/2026-04-powerjob-sqli/","summary":"A remote SQL injection vulnerability, CVE-2026-5736, exists in PowerJob versions 5.1.0 through 5.1.2 within the detailPlus Endpoint, potentially allowing unauthenticated attackers to execute arbitrary SQL queries.","title":"PowerJob SQL Injection Vulnerability (CVE-2026-5736)","url":"https://feed.craftedsignal.io/briefs/2026-04-powerjob-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Powerjob","version":"https://jsonfeed.org/version/1.1"}