CVE-2025-50983 · HIGH 8.3 · EPSS p23.8%

CVE-2025-50983

Description

A SQL injection vulnerability exists in the sortKey parameter of the GET /api/v1/wanted/cutoff API endpoint in readarr 0.4.15.2787. The endpoint fails to properly sanitize user-supplied input, allowing attackers to inject and execute arbitrary SQL commands against the backend SQLite database. Sqlmap confirmed exploitation via stacked queries, demonstrating that the parameter can be abused to run arbitrary SQL statements. A heavy query was executed using SQLite's RANDOMBLOB() and HEX() functions to simulate a time-based payload, indicating deep control over database interactions.

Scoring

CVSS 3.1: 8.3 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
EPSS: 0.32% probability of exploitation · percentile 23.8% · 2026-06-19T12:03:05Z
Published: 2025-08-27
Last modified: 2025-09-09

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/4rdr/proofs/blob/main/info/readarr-0.4.15.2787-sql-injection-via-sortkey-parameter.md


Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), cwe-89
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-7458
CVE: CVE-2025-66944
CVE: CVE-2026-21630
CVE: CVE-2025-3856
CVE: CVE-2025-3676
CVE: CVE-2025-23176

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.