NodeBB SQL Injection vulnerability

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads.

References

Published by the National Vulnerability Database Aug 27, 2025

Published to the GitHub Advisory Database Aug 27, 2025

Reviewed Aug 27, 2025

Last updated Aug 27, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE ID

GHSA ID

Source code

Uh oh!