LeakyCreds

CVE-2026-41167 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: April 22, 2026

Jellystat - SQL Injection

Published: April 22, 2026 | Updated: April 22, 2026 | Remote Exploitable

Overview

Jellystat versions before 1.1.10 contain a SQL injection vulnerability caused by unsanitized request-body fields in multiple API endpoints. It lets authenticated users execute arbitrary SQL and commands on the PostgreSQL host. Exploitation requires authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Authenticated attackers can execute arbitrary SQL and commands on the database host, leading to full data disclosure and remote code execution.

Mitigation

Update to version 1.1.10 or later.

Details

CVE ID: CVE-2026-41167
Severity: Critical
CVSS Score: 9.1
Type: sql_injection
Status: unconfirmed

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H