CVE-2026-38428
CriticalSummary
Kestra v1.3.3 and earlier is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization.
Risk Assessment
Attackers can inject arbitrary SQL expressions into the database query, potentially leading to unauthorized access to or modification of data.
Recommendation
It is recommended to update Kestra to the latest version and implement proper input sanitization and parameterization mechanisms.
Original NVD description (English source)
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

