CVE-2025-14674 MEDIUM

CVE-2025-14674: aizuda snail-job QLExpressEngine.java QLExpressEngine.doEval injection

Vendor Aizuda

Product snail-job

Weakness CWE-74

Published December 14, 2025

Last update February 24, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

What the vulnerability does

Description

A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded.

Key dates

Disclosure timeline

December 14, 2025 CVE published

February 24, 2026 Record updated

Identifiers

CVE CVE-2025-14674

CWE CWE-74

CVSS 5.3 / MEDIUM

Affected versions

Vendor Aizuda

Product snail-job

Affected 1.0

Vendor Aizuda

Product snail-job

Affected 1.1

Vendor Aizuda

Product snail-job

Affected 1.2

Vendor Aizuda

Product snail-job

Affected 1.3

Vendor Aizuda

Product snail-job

Affected 1.4

Vendor Aizuda

Product snail-job

Affected 1.5

Vendor Aizuda

Product snail-job

Affected 1.6.0