Ghostwire

CVE-2026-38428: Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a...

UNKNOWN CVSS 0.0

Published: May 5, 2026 | Last Modified: May 5, 2026

Description

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

References

github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x
www.link.com