
CVE-2025-54379 – eKuiper API endpoints handling SQL queries with user-controlled table names.
https://notcve.org/view.php?id=CVE-2025-54379
24 Jul 2025 — LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database... • https://github.com/lf-edge/ekuiper/security/advisories/GHSA-526j-mv3p-f4vv • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-52290 – Stored XSS in Configuration Key Functionality
https://notcve.org/view.php?id=CVE-2024-52290
14 May 2025 — LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0, a user with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, the payload executes in the victim's browser. Version 2.1.0 fixes the issue. • https://github.com/lf-edge/ekuiper/security/advisories/GHSA-9cwv-pxcr-hfjc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-52812 – LF Edge eKuiper has Stored XSS in Rules Functionality
https://notcve.org/view.php?id=CVE-2024-52812
28 Feb 2025 — LF Edge eKuiper is an internet-of-things data analytics and stream processing engine. Prior to version 2.0.8, a user with rights to modify the service (e.g. kuiperUser role) can inject a cross-site scripting payload into the rule `id` parameter. Then, after any user with access to this service (e.g. admin) tries to make any modification to the rule (update, run, stop, delete), the payload executes in the victim's browser. Version 2.0.8 fixes the issue. These are all security issues fixed in the govulncheck-vulndb-... • https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-43406 – LF Edge eKuiper has a SQL Injection in sqlKvStore
https://notcve.org/view.php?id=CVE-2024-43406
20 Aug 2024 — LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. A user could exploit SQL injection to execute a malicious SQL query via the Get method in sqlKvStore. This vulnerability is fixed in 1.14.2. • https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •