48 matches found
CVE-2026-48129
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task inputFiles writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an inputFiles file name, ...
CVE-2026-48129
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task inputFiles writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an inputFiles file name, ...
CVE-2026-48129
Kestra CVE-2026-48129 concerns a path traversal in the task inputFiles feature. Before versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, rendered file names could be prefixed with ../, allowing a caller handling untrusted data or webhook data to create or overwrite files outside the task working direc...
CVE-2026-48129 Kestra task inputFiles accepts traversal filenames for worker file writes
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task inputFiles writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an inputFiles file name, ...
CVE-2026-38428
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...
EUVD-2026-27426
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...
CVE-2026-38428
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...
kestra 安全漏洞
Kestra is an open-source workflow automation platform developed by Kestra. Kestra versions 1.3.3 and earlier have security vulnerabilities. These vulnerabilities stem from the use of user-controlled GET parameters that are directly concatenated into SQL queries without proper cleaning or...
CVE-2026-38428
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...
CVE-2026-38428
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...
CVE-2026-38428
Kestra v1.3.3 and earlier are vulnerable to an SQL Injection flaw caused by user-supplied input from a GET parameter being directly concatenated into an SQL query without sanitization or parameterization. The root cause is unsafe string concatenation in the database query, enabling injection of a...
PT-2026-37210
Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.3.4 Description SQL Injection occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. This allows attackers to inject...
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-34612 Kestra: Remote Code Execution via SQL Injection
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
EUVD-2026-18903
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-34612
Kestra (open-source event-driven orchestration platform) prior to version 1.3.7 contains a SQL Injection that enables Remote Code Execution via the GET /api/v1/main/flows/search endpoint. After authentication, a crafted link can trigger payload execution by PostgreSQL using COPY ... TO PROGRAM .....
kestra 安全漏洞
Kestra is an open-source workflow automation platform developed by Kestra. Versions of Kestra prior to 1.3.7 contained security vulnerabilities. These vulnerabilities stemmed from SQL injection vulnerabilities in the/api/v1/main/flows/search endpoint, which could lead to remote code execution...
PT-2026-30266
Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.3.7 Description Kestra, an event-driven orchestration platform, has a SQL Injection issue in the ''GET /api/v1/main/flows/search'' endpoint. Successful exploitation allows Remote Code Execution RCE. An authenticated...