CVE-2025-50979HIGH 8.6EPSS p94.1%

CVE-2025-50979CVE-2025-50979

Description

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads.

Scoring

CVSS 3.18.6 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS8.12% probability of exploitation · percentile 94.1% · 2026-06-18T12:00:27Z
Published2025-08-27
Last modified2025-09-09

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/4rdr/proofs/blob/main/info/NodeBB-v4.3.0.-SQL-Injection-via-search-parameter.md

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-5249
CVE
CVE-2025-9697
CVE
CVE-2025-5250
CVE
CVE-2025-5251
CVE
CVE-2025-4060
CVE
CVE-2025-46109
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.