## CodeQL Flags High-Severity SQL Injection in updateProductReviews.ts — CVSS 8.8
A CodeQL security scan has identified a SQL injection vulnerability in `routes/updateProductReviews.ts` at line 18, scoring 8.8 on the CVSS scale. The automated analysis detected that database query objects depend on user-provided values without adequate sanitization, creating a direct path for injection attacks. The finding was surfaced by a scheduled GitHub Actions security scan targeting the repository at github.com/taiqi121/juice-shop, which ran on March 8, 2026.

The vulnerability falls under the `js/sql-injection` rule and specifically warns that query construction relies on untrusted input. CodeQL flagged two instances where user-controlled sources feed into database operations at the identified location. This pattern is particularly dangerous in review-update endpoints, where an attacker could manipulate input to alter query logic, extract unauthorized data, or corrupt database records.

The CVSS score of 8.8 places this finding in the high severity range, signaling that exploitation could result in significant data exposure or system compromise. Security teams reviewing the repository are advised to audit the code at line 18 of `updateProductReviews.ts` and implement parameterized queries or proper input validation. The automated detection reflects an active monitoring posture, though the remediation timeline and any exposure window remain under internal assessment.
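To make the flagged pattern concrete, the following script is an added example (not Juice Shop's code and not the lines CodeQL reported) that uses Python's standard-library `sqlite3` module as a runnable stand-in for the database layer. It puts the query-construction pattern the `js/sql-injection` rule reports next to the parameterized form the summary recommends, with an allowlist check on the review id as the input-validation layer; the table, rows and the hostile id value are all constructed for the demonstration.

```python
"""Constructed illustration of the query-construction pattern that CodeQL's
js/sql-injection rule reports, using Python's stdlib sqlite3 so it runs offline.
Table and rows are made up; nothing here is Juice Shop's own code."""
import sqlite3
from typing import Optional


def make_reviews_db() -> sqlite3.Connection:
    """In-memory table with three constructed reviews."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reviews (id INTEGER PRIMARY KEY, author TEXT, message TEXT)"
    )
    conn.executemany(
        "INSERT INTO reviews (id, author, message) VALUES (?, ?, ?)",
        [
            (1, "alice", "Great juice"),
            (2, "bob", "Too sweet"),
            (3, "carol", "Would buy again"),
        ],
    )
    conn.commit()
    return conn


def update_review_unsafe(conn: sqlite3.Connection, review_id: str, message: str) -> int:
    """The flagged pattern: SQL text assembled from request values.
    The user-supplied strings become part of the statement's grammar, so a
    value containing quote characters changes what the WHERE clause means.
    Returns the number of rows the statement actually touched."""
    sql = f"UPDATE reviews SET message = '{message}' WHERE id = '{review_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_review_parameterized(conn: sqlite3.Connection, review_id: str, message: str) -> int:
    """The recommended fix: a fixed statement with placeholders. The driver
    passes the values separately, so they are only ever compared as data."""
    cur = conn.execute(
        "UPDATE reviews SET message = ? WHERE id = ?", (message, review_id)
    )
    conn.commit()
    return cur.rowcount


def parse_review_id(raw: str) -> Optional[int]:
    """Defence in depth: validate the id's shape before it reaches any query.
    Only an all-digit string is accepted; anything else is rejected with None."""
    return int(raw) if raw.isdigit() else None


def messages(conn: sqlite3.Connection) -> list:
    """Current review messages in id order, used to inspect what changed."""
    return [row[0] for row in conn.execute("SELECT message FROM reviews ORDER BY id")]


if __name__ == "__main__":
    # Constructed hostile id value: a closing quote followed by an always-true clause.
    crafted = "1' OR '1'='1"
    db = make_reviews_db()
    print("unsafe rows touched:", update_review_unsafe(db, crafted, "x"))
    db = make_reviews_db()
    print("parameterized rows touched:", update_review_parameterized(db, crafted, "x"))
    print("validated id:", parse_review_id(crafted))
```

The row count is the useful signal here: a single-review update that touches more than one row means the WHERE clause was rewritten by the input, and asserting on that count is also a reasonable regression test to add once line 18 is fixed.
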

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: sql-injection, codeql, security-scan, cvss-8.8, vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-23 04:54:08
- **ID**: 76231
- **URL**: https://whisperx.ai/en/intel/76231