## Critical SQL Injection Vulnerability Discovered in ExpenseRepository: Unsafe Query Construction Opens Door to Arbitrary Database Commands
A critical SQL injection vulnerability has been flagged in the ExpenseRepository component of the expensetracker-1 project, with severity rated at the highest level. The flaw resides in the findByCategoryUnsafe query method at line 18 of ExpenseRepository.java, where the @Query annotation constructs a native SQL statement by directly concatenating the category parameter into the query string. This design pattern creates a direct pathway for attackers to inject arbitrary SQL commands if the method receives user-controlled input.

The vulnerability stems from improper query construction in the Java repository layer. Instead of using a parameterized query, the vulnerable code embeds the category string directly into the SQL statement at annotation load time. This means any caller passing untrusted input to findByCategoryUnsafe could manipulate the resulting SQL to access, modify, or delete data beyond the intended boundaries. The issue was identified through an automated LLM-based security scan, which assigned it a CRITICAL severity rating and provided a specific remediation path: replace the string concatenation with a parameterized native query using the @Param annotation.

The presence of an SQL injection flaw in a repository layer raises immediate concerns about data integrity and access control in the affected application. If the vulnerable method is exposed through any API endpoint or user-facing feature, attackers could extract sensitive expense records, manipulate financial data, or escalate privileges within the database. Security teams and maintainers should treat this finding as a priority remediation target, as SQL injection remains one of the most exploited vulnerability classes in production systems. The recommended fix, switching to parameterized queries, is a standard defensive practice that eliminates the injection vector without requiring architectural changes.
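As an added illustration (not the expensetracker-1 project's code; line 18 of ExpenseRepository.java is not reproduced here), the two query-building patterns the issue contrasts, run against a constructed in-memory SQLite table named expense so the behavioural difference is observable. The function names mirror findByCategoryUnsafe and its parameterized replacement; the table, columns and rows are invented for the demo.

```python
"""Concatenated vs. parameterized category lookup, demonstrated with sqlite3.
Added example: not code from the expensetracker-1 project or from the issue."""
import sqlite3


def _setup():
    # Constructed sample data: three expense rows, one of them sensitive.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expense (id INTEGER PRIMARY KEY, category TEXT, amount REAL, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO expense (category, amount, note) VALUES (?, ?, ?)",
        [("food", 12.5, "lunch"), ("travel", 220.0, "flight"),
         ("salary", 5000.0, "payroll - confidential")],
    )
    return conn


def find_by_category_unsafe(conn, category):
    # The flaw the scan describes: the caller's string is spliced into the SQL
    # text, so any quotes or keywords it contains are interpreted as SQL.
    sql = "SELECT id, category, amount, note FROM expense WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def find_by_category_safe(conn, category):
    # The recommended remediation: a bound parameter. The driver passes the value
    # separately from the SQL text, so it can only ever match a literal category.
    sql = "SELECT id, category, amount, note FROM expense WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def demo(category):
    """Return how many rows each variant yields for the same input."""
    conn = _setup()
    try:
        unsafe = len(find_by_category_unsafe(conn, category))
    except sqlite3.OperationalError:
        # A legitimate apostrophe (e.g. "Bob's lunch") already breaks the unsafe path.
        unsafe = "sql error"
    return {"unsafe": unsafe, "safe": len(find_by_category_safe(conn, category))}


if __name__ == "__main__":
    print(demo("food"))         # both variants: 1 row
    print(demo("Bob's lunch"))  # unsafe: syntax error; safe: 0 rows
    print(demo("' OR '1'='1"))  # unsafe: every row, including the confidential one; safe: 0
```

The third call shows why the scan rates the finding critical: with concatenation the WHERE clause no longer filters at all, while the bound parameter treats the same input as an ordinary (non-matching) category name.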
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SQL injection, ExpenseRepository, critical vulnerability, Java security, parameterized queries
- **Credibility**: unverified
- **Published**: 2026-05-10 12:01:44
- **ID**: 81522
- **URL**: https://whisperx.ai/en/intel/81522