Description
A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw was identified in JawherKl node-api-postgres versions up to 2.5 that allows an attacker to manipulate the sort parameter in the User.getAll function, resulting in arbitrary SQL code execution. The vulnerability is classified as a classic SQL injection (CWE-74 and CWE-89) and can be used to read, modify, or delete data stored in the database. This weakness directly affects the integrity and confidentiality of the data processed by the application.

Affected Systems

JawherKl node-api-postgres, all releases and sub-versions up to and including 2.5. The vulnerability is found in the models/user.js file, specifically within the User.getAll functionality that accepts a sort argument without proper validation.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate to high severity, while an EPSS score of less than 1% suggests a low likelihood of automated exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers can trigger the flaw remotely via the exposed API endpoint by supplying a crafted sort parameter that injects SQL into the query built by User.getAll.

Generated by OpenCVE AI on March 17, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release newer than 2.5 of JawherKl node-api-postgres
  • If a patch is not yet available, validate or whitelist the sort parameter and use parameterized queries in the User.getAll function
  • Restrict the database user’s permissions to the minimum set required for application operation
  • Monitor application logs for anomalous SQL activity and investigate any suspicious queries

Generated by OpenCVE AI on March 17, 2026 at 00:06 UTC.
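The validation the recommended actions call for, as an added example that is not the project's code (the page does not show models/user.js): the sort value only selects an entry from a fixed allowlist of column identifiers, and data values such as the row limit go through node-postgres style $n placeholders. Table and column names, and the { text, values } query shape, are assumptions.

```javascript
// Added example, not the project's own code: a node-postgres style query
// builder ({ text, values }) for a "get all users" listing whose sort column
// and direction come from an untrusted request parameter. The table and
// column names are assumptions chosen for illustration.

// Allowlist of sortable columns. The request value is only used to look up
// an entry here, so the untrusted string itself never reaches the SQL text.
const SORTABLE_COLUMNS = Object.freeze({
  id: 'id',
  name: 'name',
  email: 'email',
});

// Resolve an untrusted "sort" value such as "name" or "-email" into a
// validated identifier and direction. Unknown values throw instead of being
// silently defaulted, so probing shows up in the application's error logs.
function resolveSort(sort) {
  const value = typeof sort === 'string' && sort !== '' ? sort : 'id';
  const descending = value.startsWith('-');
  const key = descending ? value.slice(1) : value;
  // hasOwnProperty guards against inherited names such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(SORTABLE_COLUMNS, key)) {
    throw new RangeError(`unsupported sort column: ${JSON.stringify(key)}`);
  }
  return { column: SORTABLE_COLUMNS[key], direction: descending ? 'DESC' : 'ASC' };
}

// Build the listing query. Only allowlisted identifiers are interpolated into
// the statement text; a data value such as LIMIT travels as a $1 parameter so
// the driver sends it separately from the SQL.
function buildGetAllQuery({ sort, limit = 100 } = {}) {
  const { column, direction } = resolveSort(sort);
  const safeLimit =
    Number.isInteger(limit) && limit > 0 && limit <= 1000 ? limit : 100;
  return {
    text: `SELECT id, name, email FROM users ORDER BY "${column}" ${direction} LIMIT $1`,
    values: [safeLimit],
  };
}

// With pg this would be used as: pool.query(buildGetAllQuery({ sort: req.query.sort })).
```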

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Jawherkl; Jawherkl node-api-postgres

Type: Vendors & Products
Values Removed: (empty)
Values Added: Jawherkl; Jawherkl node-api-postgres

Sun, 15 Mar 2026 19:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (empty)
Values Added: JawherKl node-api-postgres user.js User.getAll sql injection

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-74; CWE-89

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T20:12:17.864Z

Reserved: 2026-03-14T22:40:35.164Z

Link: CVE-2026-4190

Vulnrichment

Updated: 2026-03-16T20:12:11.891Z

NVD

Status: Deferred

Published: 2026-03-16T14:20:02.193

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:13Z

Weaknesses