How exploitable is this vulnerability in a typical Jellystat deployment?

In many default-style deployments where Jellystat is reachable by multiple users and uses the superuser-like PostgreSQL role from the provided `docker-compose.yml`, this vulnerability can be highly exploitable. Any authenticated user capable of calling the affected endpoints could potentially run arbitrary SQL and escalate to command execution on the database host.

Does an attacker need direct database access or only HTTP access to Jellystat?

Only HTTP access to Jellystat is required. The attacker sends crafted POST requests to vulnerable API endpoints, and Jellystat forwards the injected SQL to PostgreSQL over its existing database connection. No separate database credentials or network access are required.

What is the safest general fix pattern for developers?

The safest approach is to adopt parameterized queries consistently and prohibit raw SQL concatenation from user input. All variables must be passed through node-postgres parameter arrays or a safe query builder/ORM, while the database role used by the app must be reduced to the minimal privileges necessary for normal operations.

Severity:

CRITICAL RISK

(9.1)

SQL Injection (CWE-89) in Jellystat API Endpoints Leading to PostgreSQL RCE

CVE-2026-41167

Published:

Apr 22, 2026

Status:

Awaiting Analysis

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-74;CWE-89

HIGH RISK

HIGH

(7.3)

SQL Injection via Unsanitized ID Parameter (CWE-89) in Pharmacy Sales and Inventory System /ajax.php

Database Compromise and Data Integrity Loss

April 27, 2026

CWE-863

HIGH RISK

HIGH

(8.5)

Incorrect Authorization (CWE-863) in OpenClaw chat.send Session Management

Privilege Escalation and Unauthorized Session Control

April 27, 2026

Vulnerability Type

Category:

SQL Injection

CWE:

CWE-89

Impact:

Remote Code Execution via Database (PostgreSQL Host Compromise)

Severity:

CRITICAL RISK

(9.1)

CVSS Version:

3.1

Vulnerability Type

Category:

SQL Injection

CWE:

CWE-89

Impact:

Remote Code Execution via Database (PostgreSQL Host Compromise)

Severity:

CRITICAL RISK

(9.1)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

SQL Injection (CWE-89) in Jellystat API Endpoints Leading to PostgreSQL RCE

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

HIGH RISK

HIGH

(7.3)

SQL Injection via Unsanitized ID Parameter (CWE-89) in Pharmacy Sales and Inventory System /ajax.php

HIGH RISK

HIGH

(8.5)

Incorrect Authorization (CWE-863) in OpenClaw chat.send Session Management

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare