CVE-2025-14674

EPSS 0.3%
Veröffentlicht 14.12.2025 18:15:43
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

aizuda snail-job QLExpressEngine.java QLExpressEngine.doEval injection

A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 10

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstelleraizuda

≫

Produkt snail-job

Version 1.0

Status affected

Version 1.1

Status affected

Version 1.2

Status affected

Version 1.3

Status affected

Version 1.4

Status affected

Version 1.5

Status affected

Version 1.6.0

Status affected

Version 1.7.0-beta1

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.217

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-707 Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://gitee.com/aizuda/snail-job/commit/978f316c38b3d68bb74d2489b5e5f721f6675e86

https://gitee.com/aizuda/snail-job/issues/ICNUG0

https://gitee.com/aizuda/snail-job/issues/ICNUG0#note_44321424_link

https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1

https://vuldb.com/?ctiid.336403

https://vuldb.com/?id.336403

https://gitee.com/aizuda/snail-job/

https://nvd.nist.gov/vuln/detail/CVE-2025-14674

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-14674

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-14674

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-14674