CVE-2026-4190

Summary

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
JawherKlnode-api-postgres2.0affected
JawherKlnode-api-postgres2.1affected
JawherKlnode-api-postgres2.2affected
JawherKlnode-api-postgres2.3affected
JawherKlnode-api-postgres2.4affected
JawherKlnode-api-postgres2.5affected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References