CVE-2025-50983

Name of the Vulnerable Software and Affected Versions: readarr version 0.4.15.2787

Description: A SQL Injection issue exists in readarr that allows attackers to inject and execute arbitrary SQL commands against the backend SQLite database. The /api/v1/wanted/cutoff API endpoint does not properly sanitize user-supplied input to the sortKey parameter. Exploitation was confirmed using sqlmap via stacked queries, demonstrating the ability to run arbitrary SQL statements. A query utilizing SQLite's RANDOMBLOB() and HEX() functions was executed to simulate a time-based payload, indicating extensive control over database interactions.

Recommendations: Update to a newer version that contains a fix for this issue.