{"id":"CVE-2026-34400","summary":"alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API","details":"Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version 9.1.0.","aliases":["GHSA-8prr-286p-4w7j"],"modified":"2026-04-10T05:43:22.328681Z","published":"2026-03-31T21:00:59.824Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34400.json","cwe_ids":["CWE-89"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34400.json"},{"type":"FIX","url":"https://github.com/alerta/alerta/commit/aeba85a37a09e5769a7a2da56481aa979ff99a00"},{"type":"FIX","url":"https://github.com/alerta/alerta/commit/fdd52cd1abad8d02d1dfb8ecdcdbb43b6af3b883"},{"type":"FIX","url":"https://github.com/alerta/alerta/pull/2040"},{"type":"FIX","url":"https://github.com/alerta/alerta/pull/712"},{"type":"WEB","url":"https://github.com/alerta/alerta/releases/tag/v9.1.0"},{"type":"ADVISORY","url":"https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34400"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alerta/alerta","events":[{"introduced":"0"},{"fixed":"f4312727783dad64198b62ed778bbca98a5144a3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.1.0"}]}}],"versions":["v4.10.2","v4.5.5","v5.0.0","v5.0.0-alpha1","v5.0.0-alpha2","v5.0.0-alpha3","v5.0.0-beta1","v5.0.0-rc1","v5.0.1","v5.0.2","v5.0.3","v5.0.4","v5.0.5","v5.0.6","v5.0.7","v5.0.8","v5.0.9","v5.1.0","v5.1.1","v5.2.0","v5.2.1","v5.2.2","v5.2.3","v5.2.4","v5.2.5","v5.2.6","v5.2.7","v5.2.8","v5.2.9","v6.0.0","v6.0.1","v6.1.0","v6.2.0","v6.2.1","v6.3.0","v6.3.1","v6.3.2","v6.5.0","v6.6.0","v6.6.1","v6.7.0","v6.7.1","v6.7.2","v6.7.3","v6.7.4","v6.7.5","v6.8.0","v6.8.1","v6.8.2","v6.8.3","v7.0.0","v7.0.1","v7.1.0","v7.1.1","v7.1.2","v7.2.0","v7.2.1","v7.2.10","v7.2.11","v7.2.2","v7.2.3","v7.2.4","v7.2.5","v7.2.6","v7.2.7","v7.2.8","v7.2.9","v7.3.0","v7.3.1","v7.3.2","v7.4.0","v7.4.1","v7.4.4","v7.4.5","v7.4.6","v7.5.0","v7.5.1","v7.5.2","v7.5.3","v7.5.4","v7.5.5","v8.0.0","v8.0.1","v8.0.2","v8.0.3","v8.1.0","v8.2.0","v8.3.0","v8.3.1","v8.3.2","v8.3.3","v8.4.0","v8.4.1","v8.5.0","v8.6.0","v8.6.1","v8.6.2","v8.6.3","v8.6.4","v8.6.5","v8.7.0","v9.0.0","v9.0.1","v9.0.2","v9.0.3","v9.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34400.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}