CVE 9.8 CRITICAL

CVE-2026-38428_CVE-2026-38428

May 6, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

AI Analysis

SQL Injection vulnerability in Kestra v1.3.3 and before due to unsanitized user input in SQL queries

Basic Information

ID CVE-2026-38428

Source mitre

Published May 5, 2026 at 00:00

Modified May 6, 2026 at 15:26

Affected Product

Vendor Kestra.io

Product Kestra

Version 1.3.3

Affected Versions n/a n/a n/a

CWE Classification

CWE-89

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Kestra.io

Product Kestra

Version 1.3.3

References

{
    "lastseen": "",
    "description": "Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.",
    "published": "2026-05-05T00:00:00.000Z",
    "modified": "2026-05-06T15:26:08.310Z",
    "type": "cve",
    "title": "CVE-2026-38428",
    "source": "mitre",
    "references": "https://www.link.com\nhttps://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x",
    "id": "CVE-2026-38428",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Kestra",
    "version": "1.3.3",
    "vendor": "Kestra.io",
    "ai_description": "SQL Injection vulnerability in Kestra v1.3.3 and before due to unsanitized user input in SQL queries",
    "ai_severity": "Critical",
    "ai_vendor": "Kestra.io",
    "ai_product": "Kestra",
    "ai_version": "1.3.3",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply