CVE-2025-50979
Published: 2025-08-27
Priority: P2 · 68 · high
CVSS 3.1 base score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS: 8.12% (94.1th percentile)
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodebb | nodebb | — | — |
| nodebb | nodebb | 0 – 4.3.0 | — |
GHSA (2025-08-27): CVE-2025-50979 [HIGH] CWE-89 NodeBB SQL Injection vulnerability
OSV (2025-08-27): CVE-2025-50979 [HIGH] NodeBB SQL Injection vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-08-27