CVE-2026-41167
Jellystat · Jellystat
Jellystat is vulnerable to SQL injection and subsequent remote code execution due to improper sanitization of user-supplied data in API endpoints.
Executive summary
An authenticated attacker can perform SQL injection in Jellystat, enabling full database access and arbitrary command execution on the PostgreSQL server.
Vulnerability
The application fails to sanitize inputs in multiple API endpoints, allowing an authenticated user to inject SQL commands. Because the database role often has superuser privileges, this can be escalated to RCE via the COPY ... TO PROGRAM command.
Business impact
This vulnerability allows for the total compromise of the database and the underlying server. Attackers can steal sensitive configuration data, including API keys and credentials, and gain complete control of the host system. The CVSS score of 9.1 reflects the extreme risk of total system takeover.
Remediation
Immediate Action: Update Jellystat to version 1.1.10 or later.
Proactive Monitoring: Review PostgreSQL logs for suspicious COPY commands or unexpected shell execution attempts originating from the application user.
Compensating Controls: Implement strict database role permissions (Principle of Least Privilege) to ensure the application user cannot execute system commands like COPY ... TO PROGRAM.
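The log review and the least-privilege control above reinforce each other: once the application role is no longer a superuser or a member of pg_execute_server_program, a COPY ... TO/FROM PROGRAM attempt fails and PostgreSQL records it as an ERROR followed by a STATEMENT line, so the detector below flags both attempts that ran and attempts that were denied. This is an added example, not code from Jellystat or PostgreSQL; it assumes log_line_prefix = '%m [%p] %u@%d ', an application role named jellystat, and constructed database and table names.

```python
import re

# Assumes log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all' (or at least
# log_min_error_statement = error, so a denied attempt is still logged as ERROR + STATEMENT).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Both COPY ... TO PROGRAM and COPY ... FROM PROGRAM pass a command line to a shell
# running as the PostgreSQL OS user, so either direction counts as shell execution.
PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+PROGRAM\b", re.IGNORECASE)


def extract_sql(level, msg):
    """Return the SQL carried by one log record, or None if it carries no SQL."""
    if level == "LOG" and msg.startswith("statement: "):
        return msg[len("statement: "):]   # accepted for execution
    if level == "STATEMENT":
        return msg                        # echoed after an ERROR, so it failed
    return None


def find_program_copies(lines, app_user="jellystat"):
    """Flag every COPY ... TO/FROM PROGRAM, marking who issued it and whether it ran."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sql = extract_sql(m["level"], m["msg"])
        if sql is None or not PROGRAM_RE.search(sql):
            continue
        findings.append({
            "ts": m["ts"], "pid": int(m["pid"]), "user": m["user"],
            "from_app_user": m["user"] == app_user,
            "outcome": "failed" if m["level"] == "STATEMENT" else "issued",
            "sql": sql,
        })
    return findings


# Constructed sample lines (not real traffic): a normal query, an accepted shell-execution
# attempt by the app role, a legitimate admin file export, and a denied second attempt.
SAMPLE_LOG = [
    "2026-03-02 10:15:01.123 UTC [2211] jellystat@jfstat LOG:  statement: SELECT id, name FROM jf_libraries WHERE id = $1",
    "2026-03-02 10:15:02.456 UTC [2211] jellystat@jfstat LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id'",
    "2026-03-02 10:15:03.789 UTC [2214] postgres@postgres LOG:  statement: COPY jf_activity TO '/var/lib/postgresql/export.csv'",
    "2026-03-02 10:15:04.000 UTC [2211] jellystat@jfstat ERROR:  must be superuser or have privileges of the pg_execute_server_program role to COPY to or from an external program",
    "2026-03-02 10:15:04.001 UTC [2211] jellystat@jfstat STATEMENT:  COPY jf_settings FROM PROGRAM 'id'",
]
```

Run `find_program_copies(SAMPLE_LOG)` against the constructed lines: the plain COPY to a file is ignored, while both PROGRAM attempts by the jellystat role are returned, the second marked as failed.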
Exploitation status
Public Exploit Available: false
Analyst recommendation
The combination of SQL injection and RCE makes this a critical priority. Administrators must update the application immediately and re-evaluate the database permissions used by the service to minimize the impact of potential future vulnerabilities.