CVE Catalog

CVE-2026-38428

Critical
Published: Translated: NVD NIST

Summary

Kestra v1.3.3 and earlier is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization.

Risk Assessment

Attackers can inject arbitrary SQL expressions into the database query, potentially leading to unauthorized access to or modification of data.

Recommendation

It is recommended to update Kestra to the latest version and implement proper input sanitization and parameterization mechanisms.

Original NVD description (English source)

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS