Thingstad

**Name of the Vulnerable Software and Affected Versions** provectus kafka-ui versions 0.4.0 through 0.7.1 **Description** The issue is related to incorrect code generation management in the web interface for managing Apache Kafka clusters, kafka-ui. Exploitation of this issue may allow a remote attacker to execute arbitrary code by sending a specially crafted request to the "/api/clusters/local/topics/{topic}/messages" endpoint, specifically via the `q` parameter. **Recommendations** For provectus kafka-ui versions 0.4.0 through 0.7.1, consider disabling access to the "/api/clusters/local/topics/{topic}/messages" endpoint until a patch is available. Restrict the use of the `q` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.