{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5562", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T14:04:02.364Z", "datePublished": "2026-04-05T11:00:17.843Z", "dateUpdated": "2026-04-06T14:50:47.812Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T11:00:17.843Z"}, "title": "provectus kafka-ui Endpoint testexecutions validateAccess code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "provectus", "product": "kafka-ui", "versions": [{"version": "0.7.0", "status": "affected"}, {"version": "0.7.1", "status": "affected"}, {"version": "0.7.2", "status": "affected"}], "modules": ["Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T16:12:19.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0xNayel (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355332", "name": "VDB-355332 | provectus kafka-ui Endpoint testexecutions validateAccess code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355332/cti", "name": "VDB-355332 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782941", "name": "Submit #782941 | https://github.com/provectus/ kafka-ui 0.7.2 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/18-Q4tb19y_7dwchnTCgcwfbox0Uj6oQd/view", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T14:46:37.069971Z", "id": "CVE-2026-5562", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:50:47.812Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "provectus kafka-ui Endpoint testexecutions validateAccess code injection", "credits": [{"lang": "en", "type": "reporter", "value": "0xNayel (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "provectus", "modules": ["Endpoint"], "product": "kafka-ui", "versions": [{"status": "affected", "version": "0.7.0"}, {"status": "affected", "version": "0.7.1"}, {"status": "affected", "version": "0.7.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T16:12:19.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355332", "name": "VDB-355332 | provectus kafka-ui Endpoint testexecutions validateAccess code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355332/cti", "name": "VDB-355332 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782941", "name": "Submit #782941 | https://github.com/provectus/ kafka-ui 0.7.2 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://drive.google.com/file/d/18-Q4tb19y_7dwchnTCgcwfbox0Uj6oQd/view", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T11:00:17.843Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5562", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T14:46:37.069971Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-06T14:46:38.105Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-5562", "state": "PUBLISHED", "dateUpdated": "2026-04-05T11:00:17.843Z", "dateReserved": "2026-04-04T14:04:02.364Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T11:00:17.843Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5562", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T11:16:56.993", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/18-Q4tb19y_7dwchnTCgcwfbox0Uj6oQd/view"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782941"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355332"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355332/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.7.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.7.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.7.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kafka-ui", "source": "cna", "vendor": "provectus"}, "product": "kafka-ui", "vendor": "provectus"}], "analysis": {"en": {"generated_at": "2026-04-05T14:20:56.055109+00:00", "value": {"mitigation_remediation": ["Upgrade provectus kafka\u2011ui to a release newer than 0.7.2 when available."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects provectus kafka\u2011ui versions up to and including 0.7.2. Any deployment of these or earlier releases that exposes the /api/smartfilters/testexecutions API to external clients is vulnerable.", "description_and_impact": "A code injection vulnerability exists in the validateAccess function of provectus kafka\u2011ui\u2019s /api/smartfilters/testexecutions endpoint. Because user input is not properly validated, an attacker can execute arbitrary code on the server hosting the service, compromising confidentiality, integrity, and availability of the system. The vulnerability is exploitable remotely via crafted requests to the affected endpoint.", "risk_and_exploitability": "The CVSS score for this issue is 6.9, indicating a moderate to high severity. EPSS data is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but published exploit code is publicly accessible. The attack vector is remote, as an attacker only needs to send malicious requests to the exposed API endpoint, making exploitation straightforward for an adversary with network access to the service."}}}}, "created": "2026-04-06T20:26:17.170269+00:00", "updated": "2026-04-06T21:56:51.157012+00:00", "vendors": ["provectus", "provectus$PRODUCT$kafka-ui"]}