Skip to content
Threat Feed
Subscribe

Tag

Sql-Injection

240 briefs RSS
high advisory

Joomla! Component Flip Wall SQL Injection (CVE-2017-20265)

An SQL injection vulnerability, CVE-2017-20265, in Joomla! Component Flip Wall 8.0 allows unauthenticated attackers to execute arbitrary SQL queries via malicious GET requests to the `wallid` parameter, enabling the extraction of sensitive database information.

Flip Wall 8.0 sql-injection web-vulnerability joomla cve data-exfiltration
2r 3t
high advisory

Joomla! Component Sponsor Wall 8.0 SQL Injection (CVE-2017-20264)

An unauthenticated SQL injection vulnerability (CVE-2017-20264) in Joomla! Component Sponsor Wall version 8.0 allows attackers to execute arbitrary SQL queries by injecting malicious code into the `wallid` parameter of GET requests to `index.php`, leading to the extraction of sensitive database information such as credentials and configuration data.

Joomla! Component Sponsor Wall 8.0 sql-injection joomla web-application vulnerability cve
1r 3t
high threat

CVE-2017-20262 — Joomla! Component Ajax Quiz SQL Injection

An unauthenticated SQL injection vulnerability, CVE-2017-20262, in Joomla! Component Ajax Quiz version 1.8 allows attackers to execute arbitrary SQL queries by injecting malicious code through the `cid` parameter in GET requests to `index.php` with `option=com_ajaxquiz` and `view=ajaxquiz`, leading to extraction of sensitive database information.

exploited Ajax Quiz 1.8 sql-injection web-vulnerability joomla cve
1r 3t
high advisory

CVE-2017-20261: Joomla! Bargain Product VM3 SQL Injection Vulnerability

An unauthenticated attacker can exploit CVE-2017-20261, a critical SQL injection vulnerability in Joomla! Component Bargain Product VM3 1.0, by injecting malicious code into the 'product_id' parameter within GET requests to the 'brainy' or 'alice' views, allowing them to execute arbitrary SQL queries and extract sensitive database information.

Bargain Product VM3 1.0 sql-injection joomla web-application cve data-exfiltration
2r 2t
high advisory

Joomla OSDownloads SQL Injection (CVE-2017-20259)

An unauthenticated SQL injection vulnerability (CVE-2017-20259) in Joomla OSDownloads version 1.7.4 allows attackers to execute arbitrary SQL queries via a crafted GET request to index.php, extracting sensitive database information like credentials and configuration data.

OSDownloads 1.7.4 sql-injection web-vulnerability joomla cve
2r 3t 1c
high advisory

Joomla! Component RPC Responsive Portfolio 1.6.1 SQL Injection (CVE-2017-20258)

Unauthenticated attackers can exploit an SQL injection vulnerability (CVE-2017-20258) in Joomla! Component RPC Responsive Portfolio 1.6.1 by injecting malicious code through the 'id' parameter in GET requests, allowing the execution of arbitrary SQL queries and extraction of sensitive database information.

RPC Responsive Portfolio 1.6.1 sql-injection web-vulnerability joomla cve data-exfiltration
1r 2t 1c
high advisory

CVE-2017-20257: Joomla! Component Quiz Deluxe SQL Injection

An unauthenticated SQL injection vulnerability (CVE-2017-20257) in Joomla! Component Quiz Deluxe 3.7.4 allows attackers to execute arbitrary SQL commands and extract sensitive information via the `ajaxaction.flag_question` task using `stu_quiz_id` or `flag_quest` parameters.

Quiz Deluxe 3.7.4 sql-injection web-application joomla cve data-exfiltration
2r 3t 1c
high advisory

CVE-2017-20256 - Joomla Survey Force Deluxe SQL Injection Vulnerability

CVE-2017-20256 describes an SQL injection vulnerability in Joomla Survey Force Deluxe 3.2.4 that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'invite' parameter in GET requests, enabling the extraction of sensitive database information.

Survey Force Deluxe 3.2.4 sql-injection joomla web-application vulnerability cve
2r 3t
high advisory

Joomla! Component JB Visa 1.0 SQL Injection (CVE-2017-20255)

An unauthenticated SQL injection vulnerability (CVE-2017-20255) in Joomla! Component JB Visa 1.0 allows attackers to execute arbitrary SQL queries by injecting malicious code via the 'visatype' parameter in GET requests to 'index.php?option=com_bookpro&view=popup', leading to the extraction of sensitive database information including credentials.

JB Visa 1.0 sql-injection joomla web-vulnerability cve
2r 2t
high advisory

CVE-2017-20253: Joomla! Component My Projects 2.0 SQL Injection Vulnerability

An unauthenticated SQL injection vulnerability (CVE-2017-20253) in Joomla! Component My Projects 2.0 allows attackers to execute arbitrary SQL queries via the 'VerAyari' parameter, leading to the extraction of sensitive database information including credentials and system data.

My Projects 2.0 sql-injection web-application joomla cve
2r 3t
high advisory

pgAdmin: Multiple Vulnerabilities Lead to RCE, SQLi, XSS

A remote, authenticated attacker can exploit multiple vulnerabilities in pgAdmin to achieve arbitrary code execution with user or administrator privileges, bypass security measures, perform SQL Injection and Cross-Site Scripting attacks, redirect users to malicious websites, disclose sensitive information, and manipulate data. This comprehensive set of capabilities allows for significant compromise of system integrity, confidentiality, and potentially availability, posing a high risk to affected environments.

pgAdmin vulnerability web-application rce sql-injection xss
3r 6t
high advisory

Pixa Bank 2.0 Unauthenticated SQL Injection Vulnerability

Pixa Bank 2.0 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter via POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads, potentially leading to the retrieval of user information such as names, email addresses, and phone numbers from the database.

Pixa Bank 2.0 sql-injection vulnerability web-application
2r 1t 1c
high advisory

CVE-2026-10290: Hotel and Tourism Reservation System SQL Injection Vulnerability

A SQL injection vulnerability exists in code-projects Hotel and Tourism Reservation System version 1.0 due to improper sanitization of the 'tour' GET parameter in the tour.php file, potentially allowing remote attackers to execute arbitrary SQL queries.

Hotel and Tourism Reservation System 1.0 cve sql-injection web-application
2r 1t 1c
high threat

WP AutoSuggest 0.24 SQL Injection Vulnerability (CVE-2018-25434)

WP AutoSuggest version 0.24 contains an SQL injection vulnerability that allows an unauthenticated attacker to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter via GET requests to autosuggest.php, potentially extracting sensitive database information.

WP AutoSuggest sql-injection wordpress cve-2018-25434
2r 1t 1c
high advisory

No-CMS 1.0 SQL Injection Vulnerability (CVE-2018-25431)

No-Cms 1.0 is vulnerable to SQL injection (CVE-2018-25431) in the order_by parameter of the manage_privilege export endpoint, allowing authenticated attackers to manipulate database queries and potentially extract sensitive information.

No-Cms 1.0 sql-injection cve-2018-25431 web-application
2r 1t 1c
high advisory

CVE-2018-25430: Paroiciel 11.20 SQL Injection Vulnerability

Paroiciel 11.20 contains an SQL injection vulnerability (CVE-2018-25430) that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter, potentially leading to sensitive data extraction.

Paroiciel 11.20 sql-injection cve-2018-25430 web-application
2r 1t 1c
high advisory

CVE-2018-25429: Paroiciel 11.20 SQL Injection Vulnerability

Paroiciel 11.20 is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter, potentially extracting sensitive database information.

Paroiciel 11.20 sql-injection cve-2018-25429 web-application
2r 1t 1c
high advisory

CVE-2018-25428: Paroiciel 11.20 SQL Injection Vulnerability

Paroiciel 11.20 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter via GET requests to the trec.php endpoint, enabling attackers to extract sensitive database information.

Paroiciel 11.20 sql-injection cve-2018-25428 web-application attack.initial_access
1r 1t 1c
high advisory

SQL Injection Vulnerability in student_management_system_by_php (CVE-2026-10226)

A SQL injection vulnerability (CVE-2026-10226) exists in student_management_system_by_php up to version 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating specific parameters in the delete.php file.

student_management_system_by_php sql-injection web-application cve-2026-10226
2r 1t 1c
high threat

SQL Injection Vulnerability in student_management_system_by_php (CVE-2026-10225)

A SQL injection vulnerability exists in raisulislamg4's student_management_system_by_php up to commit 310d950e09013d5133c6b9210aff9444382d16d1, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username argument in login_check.php.

exploited student_management_system_by_php sql-injection vulnerability web-application
2r 1t 1c
high threat

code-projects Online Music Site 1.0 SQL Injection Vulnerability (CVE-2026-10178)

CVE-2026-10178 is a remote SQL injection vulnerability in code-projects Online Music Site 1.0, affecting the /Administrator/PHP/AdminEditAlbum.php file due to manipulation of the ID argument.

exploited Online Music Site 1.0 sql-injection web-application cve
2r 1t 1c
high threat

Yot CMS 3.3.1 SQL Injection Vulnerability (CVE-2018-25425)

Yot CMS 3.3.1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters in GET requests, potentially leading to database information disclosure.

Yot CMS 3.3.1 sql-injection cve web-application
2r 1t 1c
high threat

CVE-2018-25424 - Gate Pass Management System 2.1 Unauthenticated SQL Injection

Gate Pass Management System 2.1 is vulnerable to SQL injection via the login-exec.php endpoint, allowing unauthenticated attackers to bypass authentication and gain unauthorized access to the application by injecting SQL code in the login and password parameters.

Gate Pass Management System 2.1 cve sql-injection web-application
2r 1t 1c
high advisory

MOGG web simulator Script SQL Injection Vulnerability (CVE-2018-25422)

MOGG web simulator Script is vulnerable to SQL injection (CVE-2018-25422), allowing unauthenticated attackers to execute arbitrary SQL commands via the id parameter in play.php, potentially leading to sensitive data extraction.

MOGG web simulator Script sql-injection web-application cve
2r 1t 1c
high advisory

AiOPMSD Final 1.0.0 SQL Injection Vulnerability (CVE-2018-25420)

AiOPMSD Final 1.0.0 is vulnerable to SQL injection via the 'id' parameter in the watch.php script, allowing unauthenticated attackers to send crafted GET requests with SQL payloads to extract sensitive database information.

AiOPMSD Final sql-injection cve network
2r 1t 1c
high advisory

CVE-2018-25416 - AiOPMSD Final 1.0.0 Unauthenticated SQL Injection

AiOPMSD Final 1.0.0 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter via GET requests to country.php, enabling extraction of sensitive database information including usernames, database names, and version details.

AiOPMSD Final sql-injection cve-2018-25416 web-application
2r 1t 1c
high advisory

AiOPMSD Final 1.0.0 SQL Injection Vulnerability (CVE-2018-25413)

AiOPMSD Final 1.0.0 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the 'q' parameter in search.php, potentially leading to sensitive data extraction.

AiOPMSD Final 1.0.0 sql-injection web-application cve-2018-25413
2r 1t 1c
high advisory

MGB OpenSource Guestbook Unauthenticated SQL Injection (CVE-2018-25411)

MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability (CVE-2018-25411) that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter in GET requests to email.php, potentially leading to sensitive database information disclosure.

Guestbook 0.7.0.2 sql-injection cve-2018-25411 web-application
2r 1t 1c
high threat

SIM-PKH 2.4.1 SQL Injection Vulnerability (CVE-2018-25410)

SIM-PKH version 2.4.1 is vulnerable to SQL injection (CVE-2018-25410), allowing an authenticated attacker to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter via a crafted GET request, potentially leading to database information disclosure.

SIM-PKH 2.4.1 sql-injection cve web-application
1r 1t 1c
critical threat

eNdonesia Portal 8.7 SQL Injection Vulnerabilities

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities allowing unauthenticated attackers to execute arbitrary SQL queries via crafted parameters in mod.php.

Portal sql-injection web-application
2r 1t 1c
critical threat

eNdonesia Portal 8.7 SQL Injection Vulnerability (CVE-2018-25406)

eNdonesia Portal 8.7 is vulnerable to SQL injection (CVE-2018-25406), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through specific parameters, potentially leading to data exfiltration.

Portal sql-injection cve-2018-25406 web-application
2r 1t 1c
high threat

eNdonesia Portal 8.7 SQL Injection Vulnerability (CVE-2018-25405)

eNdonesia Portal version 8.7 is vulnerable to SQL injection (CVE-2018-25405), allowing unauthenticated attackers to execute arbitrary SQL queries through the artid, cid, did, contid, and aboutid parameters in mod.php, potentially leading to the extraction of sensitive database information.

eNdonesia Portal 8.7 sql-injection web-application cve-2018-25405
2r 1t 1c
high advisory

STUDENT-MANAGEMENT-SYSTEM SQL Injection Vulnerability (CVE-2026-10111)

A flaw in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 allows a remote attacker to perform SQL injection by manipulating the email argument on the Login Page, potentially leading to unauthorized data access.

STUDENT-MANAGEMENT-SYSTEM 1.0 sql injection cve-2026-10111 web application
2r 1t 1c
high advisory

CVE-2026-10110: SQL Injection Vulnerability in Student Details Management System

CVE-2026-10110 is a SQL injection vulnerability in code-projects Student Details Management System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'roll' argument in the /index.php file, potentially leading to data breaches and unauthorized access.

Student Details Management System 1.0 sql-injection web-application
2r 1t 1c
high advisory

Agno 2.6.5 ClickHouse Backend SQL Injection (CVE-2026-10105)

Agno 2.6.5 is vulnerable to SQL injection in the ClickHouse vector database backend (CVE-2026-10105), enabling attackers to inject arbitrary SQL expressions via malicious metadata in the delete_by_metadata() method, potentially leading to data deletion or information extraction.

agno 2.6.5 sql-injection cve-2026-10105 database
2r 1t 1c
medium advisory

Mautic SQL Injection Vulnerability

A remote, authenticated attacker can exploit a vulnerability in Mautic to perform a SQL injection attack, potentially leading to unauthorized data access or modification.

Mautic sql-injection vulnerability
2r 1t
high threat

Multiple Vulnerabilities in Check Point Security Gateway

Multiple vulnerabilities exist in Check Point Security Gateway that could be exploited by an attacker to perform a denial of service attack, disclose information, and perform a SQL injection attack.

Security Gateway vulnerability denial-of-service sql-injection information-disclosure checkpoint
2r 3t
high threat

CVE-2026-46837 - Oracle Flow Manufacturing SQL Injection Vulnerability

CVE-2026-46837 is a SQL injection vulnerability in Oracle Flow Manufacturing within Oracle E-Business Suite versions 12.2.9 through 12.2.15, allowing a low-privileged attacker with network access to potentially take over the application.

Flow Manufacturing +1 cve sql-injection oracle ebusiness-suite
2r 1t 1c
high advisory

Pimcore Platform SQL Injection in DataObject Composite Index Handling

A SQL injection vulnerability exists in Pimcore Platform when handling DataObject composite indices during class definition import/save, allowing an authenticated administrative user to inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend, specifically via the `index_columns` element.

pimcore/pimcore sql-injection web-application pimcore
2r 1t 1c
high advisory

Multiple Vulnerabilities in Check Point Products

Multiple vulnerabilities in Check Point Security Gateways and Spark Firewalls allow for remote denial of service, data confidentiality breaches, and data integrity compromise.

Security Gateways R81.20 +4 vulnerability denial-of-service data-breach sql-injection
2r 3t 4c
high advisory

CVE-2025-30028: Synology Active Backup for Business Arbitrary File Read

CVE-2025-30028 is a vulnerability in Synology Active Backup for Business that allows unauthorized remote attackers to read arbitrary files due to improper neutralization of special elements used in an SQL Command ('SQL Injection').

Active Backup for Business cve-2025-30028 sql-injection synology
2r 1t 1c
high threat

code-projects Project Management System SQL Injection Vulnerability (CVE-2026-9584)

A SQL injection vulnerability (CVE-2026-9584) exists in code-projects Project Management System 1.0 within the chk.php file of the Login component, allowing a remote attacker to execute arbitrary SQL commands.

Project Management System 1.0 sql-injection cve-2026-9584 web-application injection
2r 1t 1c
high advisory

itsourcecode Student Transcript Processing System 1.0 SQL Injection Vulnerability (CVE-2026-9575)

A SQL injection vulnerability exists in itsourcecode Student Transcript Processing System 1.0 in the `/admin/modules/class/index.php?view=view` component; the vulnerability is triggered by manipulating the `ID` argument, potentially enabling remote attackers to execute arbitrary SQL commands.

Student Transcript Processing System 1.0 sql-injection cve web-application
2r 1t 1c
high threat

itsourcecode Student Transcript Processing System SQL Injection Vulnerability (CVE-2026-9574)

itsourcecode Student Transcript Processing System 1.0 is vulnerable to SQL injection via the studentId/cid parameter in the /admin/modules/student/trans.php file, allowing remote attackers to manipulate database queries.

exploited Student Transcript Processing System 1.0 sql-injection cve-2026-9574 itsourcecode web-application
2r 1t 1c
high advisory

itsourcecode Student Transcript Processing System SQL Injection Vulnerability (CVE-2026-9573)

CVE-2026-9573 is a SQL injection vulnerability in itsourcecode Student Transcript Processing System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the studentId parameter in the /admin/modules/student/index.php?view=view file.

Student Transcript Processing System 1.0 sql injection cve-2026-9573 web application
2r 1t 1c
high threat

Das Parking Management System 6.2.0 SQL Injection Vulnerability (CVE-2026-9552)

A SQL injection vulnerability (CVE-2026-9552) exists in Das Parking Management System 6.2.0 within the Search API Endpoint, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'Value' argument.

exploited Parking Management System 停车场管理系统 6.2.0 sql-injection cve-2026-9552 web-application
2r 1t 1c
high advisory

Das Parking Management System 停车场管理系统 SQL Injection Vulnerability (CVE-2026-9551)

A SQL injection vulnerability exists in Das Parking Management System 停车场管理系统 version 6.2.0 allowing a remote attacker to execute arbitrary SQL commands by manipulating the Value argument in the xp_cmdshell function of the ParkingRecord/ExportParkingRecords API endpoint.

Parking Management System 停车场管理系统 6.2.0 cve-2026-9551 sql-injection web-application
2r 2t 1c
high advisory

SQL Injection Vulnerability in Sixun Shanghui Group Business Management System

A SQL injection vulnerability exists in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 10 in the /api/Dinner/PayConfig endpoint, where a remote attacker can manipulate the 'tableno' argument to inject arbitrary SQL commands.

Sixun Shanghui Group Business Management System 10 sql-injection cve-2026-9544 web-application
2r 1t 1c
high advisory

CVE-2026-9526: SQL Injection Vulnerability in itsourcecode Electronic Judging System

A SQL injection vulnerability exists in itsourcecode Electronic Judging System version 1.0, specifically affecting the /admin/edit_team.php file, where an attacker can remotely manipulate the 'num_id' argument to execute arbitrary SQL commands.

Electronic Judging System 1.0 sql-injection cve-2026-9526 web-application
2r 1t 1c
high threat

itsourcecode Electronic Judging System 1.0 SQL Injection Vulnerability (CVE-2026-9525)

A SQL Injection vulnerability exists in itsourcecode Electronic Judging System version 1.0 in the /admin/edit_judge.php file. By manipulating the judge_id argument, an attacker could execute arbitrary SQL commands on the system. The vulnerability can be triggered remotely and has a public exploit available.

Electronic Judging System 1.0 cve sql-injection web-application
2r 1t 1c
high threat

Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform SQL Injection Vulnerability (CVE-2026-9523)

A SQL injection vulnerability (CVE-2026-9523) exists in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2, where manipulating the 'sort' argument in the '/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree' file leads to remote code execution, and is publicly known and actively exploited.

exploited EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 sql-injection cve-2026-9523 web-application
1r 1t 1c
high advisory

SQL Injection Vulnerability in StudentManagementSystem (CVE-2026-9474)

A SQL injection vulnerability (CVE-2026-9474) exists in the StudentManagementSystem application, specifically affecting the confirm_logged_in function within the /studentdel.php file, allowing remote attackers to execute arbitrary SQL commands by manipulating the ID parameter.

StudentManagementSystem cve sql injection web application
2r 1t 1c
high threat

SQL Injection Vulnerability in StudentManagementSystem

A SQL injection vulnerability exists in the /success.php file of yashpokharna2555 StudentManagementSystem, allowing remote attackers to execute arbitrary SQL commands by manipulating the User argument.

StudentManagementSystem sql-injection web-application vulnerability
2r 1t 1c
high advisory

Tiandy Easy7 Integrated Management Platform SQL Injection Vulnerability (CVE-2026-9465)

Tiandy Easy7 Integrated Management Platform 7.17.0 is vulnerable to SQL injection (CVE-2026-9465) via manipulation of the strTBName argument in /Easy7/apps/WebService/GetDBDataEx.jsp, allowing a remote attacker to execute arbitrary SQL commands.

Easy7 Integrated Management Platform 7.17.0 sql-injection cve-2026-9465 web-application
2r 1t 1c
high advisory

Joomla Responsive Portfolio SQL Injection Vulnerability (CVE-2018-25381)

Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability, allowing authenticated attackers to execute arbitrary SQL commands through crafted POST requests.

Responsive Portfolio 1.6.1 sql-injection cve-2018-25381 joomla
1r 1t 1c
high advisory

Collectric CMU 1.0 Boolean-Based Blind SQL Injection Vulnerability (CVE-2018-25379)

Collectric CMU 1.0 is vulnerable to CVE-2018-25379, a boolean-based blind SQL injection, allowing unauthenticated attackers to manipulate database queries via the 'lang' parameter, potentially extracting sensitive information using time-based techniques.

CMU 1.0 sql-injection cve-2018-25379 web-application
2r 1t 1c
high advisory

CVE-2018-25372 - MedDream PACS Server Premium Unauthenticated SQL Injection

MedDream PACS Server Premium 6.7.1.1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the email parameter via a crafted POST request to the userSignup.php endpoint.

PACS Server Premium sql-injection cve-2018-25372 web-application meddream
2r 1t 1c
high advisory

Twitter-Clone 1 SQL Injection Vulnerability (CVE-2018-25364)

Twitter-Clone 1 is vulnerable to SQL injection via the name parameter in the search.php endpoint, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive information (CVE-2018-25364).

Twitter-Clone 1 sql-injection cve-2018-25364 web-application
2r 1t 1c
high threat

SourceCodester Simple POS and Inventory System SQL Injection Vulnerability (CVE-2026-9447)

A SQL injection vulnerability (CVE-2026-9447) exists in SourceCodester Simple POS and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'Name' argument in the /user/search.php file.

exploited Simple POS and Inventory System 1.0 sql-injection cve-2026-9447 web-application
2r 1t 1c
high advisory

itsourcecode Electronic Judging System SQL Injection Vulnerability (CVE-2026-9383)

CVE-2026-9383 is a SQL injection vulnerability in itsourcecode Electronic Judging System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username parameter in the /intrams/admin/login.php file.

Electronic Judging System 1.0 sql-injection vulnerability web-application
2r 1t 1c
high advisory

Online Art Gallery Shop 1.0 SQL Injection Vulnerability (CVE-2026-9364)

A SQL injection vulnerability (CVE-2026-9364) exists in projectworlds Online Art Gallery Shop version 1.0, specifically in the /admin/adminHome.php file, which can be exploited remotely by manipulating the social_linked argument, potentially leading to unauthorized data access or modification.

Online Art Gallery Shop 1.0 sql-injection vulnerability web-application
2r 2t 1c
high advisory

CVE-2026-9356: SourceCodester Hospitals Patient Records Management System SQL Injection

A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System 1.0 within the /admin/patients/manage_history.php file, where manipulation of the ID argument can lead to remote exploitation.

Hospitals Patient Records Management System 1.0 sql-injection cve-2026-9356 web-application
2r 1t
high advisory

SourceCodester Hospitals Patient Records Management System SQL Injection Vulnerability (CVE-2026-9355)

SourceCodester Hospitals Patient Records Management System version 1.0 is vulnerable to SQL injection (CVE-2026-9355) via the ID parameter in the /classes/Master.php?f=save_patient_history endpoint, allowing a remote attacker to execute arbitrary SQL queries.

Hospitals Patient Records Management System 1.0 sql-injection cve-2026-9355 web-application
2r 1t 1c
high advisory

Joomla! Ek Rishta Component 2.10 SQL Injection Vulnerability

Joomla! Component Ek Rishta version 2.10 is vulnerable to SQL injection allowing unauthenticated attackers to manipulate database queries by injecting SQL code via the cid parameter through GET requests to the user_detail view, potentially extracting sensitive database information.

Ek Rishta 2.10 sql-injection joomla vulnerability
2r 1t 1c
high advisory

Smartshop 1 Time-Based Blind SQL Injection Vulnerability (CVE-2018-25342)

Smartshop 1 is vulnerable to time-based blind SQL injection via the 'searched' parameter in search.php, allowing unauthenticated attackers to inject SQL code to extract sensitive information.

Smartshop 1 sql-injection web-application cve-2018-25342
2r 1t 1c
high advisory

CVE-2018-25340 Smartshop 1 SQL Injection Vulnerability

Smartshop version 1 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the id parameter in category.php GET requests, potentially leading to sensitive data extraction.

Smartshop 1 cve-2018-25340 sql-injection web-application
2r 1t 1c
high advisory

Exim Vulnerability Allows SQL Injection

A vulnerability in Exim allows an attacker to perform a SQL injection attack, potentially leading to unauthorized data access or modification.

Exim sql-injection vulnerability
2r 1t
high advisory

Open ISES Tickets SQL Injection Vulnerability (CVE-2026-48240)

Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection in ajax/statistics.php via the tick_id and f_tick_id POST parameters, allowing authenticated attackers to manipulate SQL queries and potentially read, modify, or destroy database contents.

Tickets sql-injection cve-2026-48240 web-application
2r 1t 1c
high advisory

Open ISES Tickets SQL Injection Vulnerability (CVE-2026-48238)

Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection (CVE-2026-48238) because the id GET parameter in ajax/mobile_main.php is concatenated into the WHERE clause of a SELECT statement without sanitization, allowing authenticated attackers to craft requests that can read, modify, or destroy database contents.

Tickets < 3.44.2 cve sql-injection web-application
2r 1t 1c
critical threat

Drupal Core PostgreSQL SQL Injection Vulnerability (CVE-2026-9082) Exploit Available

A public exploit is available for CVE-2026-9082, a SQL injection vulnerability in Drupal Core affecting PostgreSQL-backed sites running versions 8.0 through 11.3.9, allowing unauthenticated users to potentially achieve data exfiltration, privilege escalation, and remote code execution.

Drupal Core cve sql injection drupal web application
2r 1t 1c 2i
high advisory

TONNET E-LAN Hybrid Recording System SQL Injection Vulnerability (CVE-2026-9003)

TONNET's E-LAN Hybrid Recording System is vulnerable to SQL Injection (CVE-2026-9003), allowing unauthenticated remote attackers to inject arbitrary SQL commands and read database contents.

E-LAN Hybrid Recording System cve-2026-9003 sql-injection web-application
2r 1t
high advisory

Contest Gallery WordPress Plugin SQL Injection Vulnerability (CVE-2026-8912)

The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to 28.1.6, allowing unauthenticated attackers to extract sensitive information from the database.

Contest Gallery plugin for WordPress sql injection cve-2026-8912 wordpress plugin vulnerability
2r 1t 1c
medium advisory

LiteLLM SQL Injection Vulnerability (CVE-2025-45809)

A SQL Injection vulnerability (CVE-2025-45809) in LiteLLM versions prior to 1.81.0 allows unauthenticated attackers to potentially steal database contents and read server files via time-based blind SQL injection in the `/key/block` and `/key/unblock` endpoints.

LiteLLM sqli sql-injection CVE-2025-45809
2r 1t 1i
high threat

CVE-2026-8851: SOGo SQL Injection Vulnerability in ACL Management

SOGo 5.12.7 is vulnerable to SQL injection in the Access Control List management functionality, allowing authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint, which can be exfiltrated via the /acls API.

SOGo 5.12.7 sql-injection cve-2026-8851 data-exfiltration
2r 3t 1c
high threat

Postgrex SQL Injection Vulnerability in Notifications.listen/3 (CVE-2026-32687)

A SQL injection vulnerability exists in Postgrex versions 0.16.0 to before 0.22.2 within the `Postgrex.Notifications.listen/3` function allowing attackers to execute arbitrary SQL commands on the notifications connection by manipulating the channel name.

postgrex sql-injection vulnerability
2r 1t 1c
high advisory

SQL Injection Vulnerability in projectworlds hospital-management-system-in-php 1.0 (CVE-2026-8785)

A SQL injection vulnerability (CVE-2026-8785) exists in the getAllPatientDetail function of the update_info.php file in projectworlds hospital-management-system-in-php version 1.0, allowing remote attackers to execute arbitrary SQL commands via the 'appointment_no' GET parameter.

hospital-management-system-in-php 1.0 cve sql-injection webapp
2r 1t 1c
high advisory

SQL Injection Vulnerability in linlinjava litemall (CVE-2026-8771)

A SQL injection vulnerability (CVE-2026-8771) exists in linlinjava litemall up to version 1.8.0, affecting the list function of the WxGoodsController.java file within the Front-end WeChat API component, enabling remote exploitation with a publicly available exploit.

litemall cve-2026-8771 sql-injection web-application
2r 2t 1c
high advisory

Zechat 1.5 SQL Injection Vulnerability (CVE-2018-25339)

Zechat 1.5 is vulnerable to SQL injection in the v parameter (CVE-2018-25339), allowing unauthenticated attackers to extract database information using time-based blind techniques.

Zechat 1.5 sql-injection cve web-application
2r 1t 1c
high advisory

Nordex N149/4.0-4.5 Wind Turbine Web Server SQL Injection Vulnerability (CVE-2018-25333)

Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 is vulnerable to SQL injection (CVE-2018-25333), allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive information via crafted POST requests to login.php.

N149/4.0-4.5 Wind Turbine Web Server 4.0 sql-injection cve-2018-25333 webserver industrial-control-system
2r 1t 1c
high advisory

CVE-2018-25330: Joomla! EkRishta Extension Vulnerabilities

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities, allowing attackers to inject malicious code through profile fields and POST parameters, potentially leading to information disclosure or arbitrary code execution.

EkRishta 2.10 cve joomla ekrishta xss sql injection web application vulnerability
2r 1t 1c
high advisory

Oinone Pamirs SQL Injection Vulnerability (CVE-2026-8734)

Oinone Pamirs up to version 7.2.0 is vulnerable to SQL injection in the RSQLToSQLNodeConnector.makeVariable function of the queryListByWrapper Interface, allowing remote attackers to execute arbitrary SQL commands.

Pamirs sql injection cve-2026-8734 web application
2r 2t 1c
medium advisory

Fuel CMS 1.4.13 Blind SQL Injection Vulnerability (CVE-2021-47980)

Fuel CMS 1.4.13 is vulnerable to blind SQL injection via the 'col' parameter in the Activity Log interface, allowing authenticated attackers to manipulate database queries and extract information through time-based delays (CVE-2021-47980).

Fuel CMS 1.4.13 cve cve-2021-47980 sql-injection web-application
2r 1t 1c
high advisory

EgavilanMedia PHPCRUD 1.0 SQL Injection Vulnerability (CVE-2021-47956)

EgavilanMedia PHPCRUD 1.0 is vulnerable to SQL injection (CVE-2021-47956), allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter in a POST request to insert.php, potentially extracting sensitive database information.

PHPCRUD sql-injection web-application cve-2021-47956
2r 1t 1c
high advisory

LayerBB 1.1.4 SQL Injection Vulnerability (CVE-2021-47954)

LayerBB version 1.1.4 is vulnerable to SQL injection via the search_query parameter, allowing unauthenticated attackers to inject SQL code and extract sensitive database information.

LayerBB 1.1.4 sql-injection cve-2021-47954 web-application
2r 1t 1c
critical threat

Supsystic Pricing Table Plugin <= 1.8.7 SQL Injection Vulnerability (CVE-2020-37243)

Supsystic Pricing Table plugin version 1.8.7 contains an SQL injection vulnerability via the 'sidx' GET parameter, enabling unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action, as well as stored XSS vulnerabilities.

Pricing Table sql-injection xss wordpress plugin
2r 1t 1c
high advisory

Supsystic Ultimate Maps SQL Injection Vulnerability (CVE-2020-37242)

Supsystic Ultimate Maps 1.1.12 is vulnerable to SQL injection via the 'sidx' GET parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information.

Ultimate Maps cve-2020-37242 sql-injection wordpress
1r 1t 1c
high advisory

phpMyFAQ SQL Injection Vulnerability in CurrentUser::setTokenData (CVE-2026-46359)

phpMyFAQ before version 4.1.2 contains a SQL injection vulnerability in CurrentUser::setTokenData, allowing authenticated attackers with crafted Azure AD accounts to execute arbitrary SQL queries by injecting malicious OAuth token claims.

phpMyFAQ sql-injection vulnerability
2r 1t 1c
high threat

Multiple Vulnerabilities in cPanel/WHM Allow Privilege Escalation and Data Manipulation

Multiple vulnerabilities in cPanel/WHM allow an attacker to escalate privileges, perform SQL injection with root privileges, manipulate data, or disclose sensitive information.

cPanel/WHM cpanel privilege-escalation sql-injection data manipulation
2r 3t
high advisory

SAP Patchday April 2026: Multiple Vulnerabilities

Multiple vulnerabilities in SAP software could allow an attacker to perform SQL injection, gain elevated privileges, execute arbitrary code, bypass security measures, perform cross-site scripting attacks, manipulate data, disclose sensitive information, or cause other unspecified impacts.

sap vulnerability sql-injection privilege-escalation xss
2r 4t
critical advisory

Marten Full-Text Search SQL Injection Vulnerability (CVE-2026-45288)

Marten versions up to 8.36 are vulnerable to SQL injection due to the `regConfig` parameter in full-text search APIs not being properly validated or parameterized, allowing attackers to inject arbitrary SQL commands by manipulating the `regConfig` parameter, potentially leading to information disclosure, data manipulation, or denial-of-service; version 8.36.1 addresses this vulnerability.

Marten sql-injection cve ghsa web-application
2r 1t
high advisory

n8n Source Control Pull SQL Injection Vulnerability (CVE-2026-44792)

A SQL injection vulnerability (CVE-2026-44792) exists in n8n when using PostgreSQL and the Source Control feature, allowing an attacker with write access to the connected Git repository to inject malicious SQL via a crafted column name in a Data Table JSON file during a Source Control Pull.

n8n sql-injection cve-2026-44792 source-control
2r 1t
critical advisory

Strapi Content-Type Builder SQL Injection Vulnerability (CVE-2026-22599)

A SQL injection vulnerability, identified as CVE-2026-22599, affects Strapi's Content-Type Builder, where an authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute, potentially leading to arbitrary file read, denial of service, or remote code execution on the database server.

@strapi/content-type-builder +1 sql-injection vulnerability strapi
2r 1t
high advisory

Joomla J2 JOBS 1.3.0 Authenticated SQL Injection Vulnerability (CVE-2020-37226)

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37226) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter via POST requests, potentially leading to sensitive data extraction.

J2 JOBS 1.3.0 +1 sql-injection joomla j2-jobs cve-2020-37226
2r 1t 1c
high advisory

Joomla J2 JOBS 1.3.0 Authenticated SQL Injection Vulnerability (CVE-2020-37224)

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability (CVE-2020-37224) that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter, potentially leading to sensitive information disclosure.

J2 JOBS 1.3.0 sql-injection joomla cve-2020-37224 web-application
2r 1t 1c
high advisory

Joomla com_hdwplayer 4.2 SQL Injection Vulnerability

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter.

com_hdwplayer 4.2 sql-injection joomla cve-2020-37218 web-application
2r 1t 1c
medium threat

CVE-2026-0242: Trust Protection Foundation SQL Injection Vulnerability

A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database, potentially leading to sensitive data exposure, data modification, and privilege escalation.

exploited Trust Protection Foundation cve sql-injection palo alto networks
2r 1t
high advisory

CVE-2026-4798 - Avada Builder Plugin SQL Injection Vulnerability

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-4798) via the ‘product_order’ parameter in versions up to 3.15.1, potentially allowing unauthenticated attackers to extract sensitive database information if WooCommerce was previously used and deactivated.

Avada Builder plugin +1 sql-injection wordpress avada-builder cve-2026-4798
2r 1t 1c
critical advisory

Multiple Vulnerabilities in Aruba ArubaOS

Multiple vulnerabilities in Aruba ArubaOS could allow an attacker to perform a denial of service attack, disclose information, perform a SQL injection attack, bypass security measures, and execute arbitrary code.

ArubaOS vulnerability denial-of-service sql-injection code-execution
2r 3t
high advisory

OX Dovecot Pro Multiple Vulnerabilities

Multiple vulnerabilities in OX Dovecot Pro could allow an attacker to perform SQL injection attacks, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

Dovecot Pro vulnerability sql-injection dos
2r 4t
high advisory

WordPress Court Reservation Plugin SQL Injection Vulnerability (CVE-2026-1250)

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress versions 1.10.11 and earlier are vulnerable to SQL injection via the 'id' parameter, enabling unauthenticated attackers to extract sensitive database information.

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress <= 1.10.11 sql-injection wordpress plugin CVE-2026-1250 web-application
2r 1t 1c
critical advisory

CVE-2025-6577: Akilli Commerce E-Commerce Website SQL Injection Vulnerability

CVE-2025-6577 is a critical SQL injection vulnerability affecting Akilli Commerce E-Commerce Website versions before 4.5.001, potentially allowing unauthenticated attackers to execute arbitrary SQL commands.

E-Commerce Website sql-injection cve-2025-6577 web-application
2r 1t 1c
high advisory

Multiple Vulnerabilities in pgAdmin

Multiple vulnerabilities in pgAdmin could allow an attacker to escalate privileges, execute arbitrary code, bypass security measures, perform SQL injection and cross-site scripting attacks, manipulate data, or disclose sensitive information.

pgAdmin vulnerability sql-injection xss privilege-escalation
2r 9t
high advisory

SAP S/4HANA SQL Injection Vulnerability (CVE-2026-34260)

SAP S/4HANA (SAP Enterprise Search for ABAP) is vulnerable to SQL injection (CVE-2026-34260) via user-controlled input, allowing an authenticated attacker to inject malicious SQL statements, leading to unauthorized data access and potential application crashes.

S/4HANA sql-injection vulnerability sap
2r 2t 1c
high advisory

elFinder MySQL Volume Driver SQL Injection (CVE-2026-44521)

An authenticated SQL injection vulnerability (CVE-2026-44521) exists in the elFinder MySQL volume driver (`elFinderVolumeMySQL`) allowing any logged-in user, including read-only users, to inject SQL through a crafted `target` file hash leading to unauthorized data disclosure and denial of service.

elfinder sql-injection web-application
2r 1t
high advisory

CVE-2025-14179 SQL Injection Vulnerability in pdo_firebird

CVE-2025-14179 is a SQL injection vulnerability in pdo_firebird due to improper handling of NUL bytes in quoted strings, potentially leading to unauthorized data access or modification.

sql-injection cve web-application
2r 1t 1c
high threat

CVE-2021-47941: WordPress Survey & Poll Plugin SQL Injection Vulnerability

WordPress Plugin Survey & Poll version 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter, potentially leading to sensitive data extraction.

Survey & Poll plugin cve cve-2021-47941 wordpress sql injection web application
2r 1t 1c
high advisory

CVE-2021-47930: Balbooa Joomla Forms Builder Unauthenticated SQL Injection

Balbooa Joomla Forms Builder version 2.0.6 is vulnerable to unauthenticated SQL injection via POST requests to the com_baforms component, allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information by manipulating the 'id' parameter in a JSON payload.

Forms Builder 2.0.6 +1 sql-injection joomla cve-2021-47930 web-application
2r 1t 1c
high threat

Opencart TMD Vendor System Blind SQL Injection Vulnerability (CVE-2021-47928)

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability (CVE-2021-47928) that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter, potentially leading to account takeover and data exfiltration.

TMD Vendor System 3.x sql-injection cve-2021-47928 opencart web-application
2r 2t 1c
critical advisory

CVE-2026-41889 pgx: SQL Injection via Placeholder Confusion

CVE-2026-41889 is a critical SQL Injection vulnerability involving placeholder confusion with dollar-quoted string literals in the pgx library, potentially allowing attackers to execute arbitrary SQL queries.

sql-injection cve vulnerability
2r 1t 1c
high advisory

MikroORM SQL Injection Vulnerability

MikroORM is vulnerable to SQL injection due to improper escaping in identifier-quoting and JSON-path emitters, enabling attackers to inject arbitrary SQL via manipulated strings passed to public ORM APIs, potentially leading to data leaks, modification, and privilege escalation.

@mikro-orm/sql +1 sql-injection orm mikroorm
2r 1t
critical threat

LiteLLM Multiple Vulnerabilities

Multiple vulnerabilities in LiteLLM could allow an attacker to perform a SQL injection attack and gain unauthorized access or execute arbitrary code with the privileges of the service.

LiteLLM sql-injection vulnerability privilege-escalation
2r 2t
high threat

CodeAstro Leave Management System SQL Injection Vulnerability

A SQL injection vulnerability (CVE-2026-8132) exists in CodeAstro Leave Management System 1.0 via manipulation of the txt_username parameter in /login.php, enabling remote exploitation and potential database compromise.

exploited Leave Management System 1.0 sql-injection vulnerability web-application
2r 1t 1c
high advisory

SourceCodester SUP Online Shopping SQL Injection Vulnerability (CVE-2026-8130)

SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection via the 'seenid' parameter in /admin/message.php, allowing remote attackers to execute arbitrary SQL commands; exploit code is publicly available.

SUP Online Shopping 1.0 sql-injection vulnerability web-application
2r 1t 1c
high advisory

SourceCodester Comment System 1.0 SQL Injection Vulnerability (CVE-2026-8126)

A SQL injection vulnerability exists in SourceCodester Comment System 1.0, specifically affecting the post_comment.php file; by manipulating the 'Name' argument, remote attackers can inject SQL code, potentially leading to unauthorized access or data modification.

Comment System 1.0 sql-injection web-application cve-2026-8126
2r 1t 1c
high threat

code-projects Feedback System 1.0 SQL Injection Vulnerability (CVE-2026-8098)

A SQL injection vulnerability exists in code-projects Feedback System 1.0 via manipulation of the email parameter in /admin/checklogin.php, potentially allowing remote attackers to execute arbitrary SQL commands.

Feedback System 1.0 cve sql-injection web-application
2r 1t 1c
high advisory

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID argument in the /ajax.php?action=save_user file, potentially allowing attackers to execute arbitrary SQL queries.

Pharmacy Sales and Inventory System 1.0 sql-injection web-application cve-2026-8083
2r 1t 1c
critical advisory

AxonFlow Platform Multi-Tenant Isolation and Access Control Vulnerabilities

Multiple vulnerabilities in AxonFlow platform versions prior to 7.5.0, including multi-tenant isolation issues and SQL injection, could lead to unauthorized access, information disclosure, denial of service, and other security impacts; AxonFlow v7.5.0 resolves these issues.

axonflow platform +2 multi-tenancy access-control SQL injection denial of service vulnerability
2r 5t
critical advisory

Rucio SQL Injection Vulnerability in DID Search API

A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.

rucio sql-injection cve-2026-29080 web-application
2r 8t
high threat

phpMyFAQ SQL Injection via Unescaped OAuth Token

phpMyFAQ is vulnerable to SQL injection due to the `setTokenData` function failing to sanitize OAuth token fields from Azure AD JWT claims, potentially allowing attackers to execute arbitrary SQL commands via crafted Azure AD display names or custom claims.

phpMyFAQ <= 4.1.1 +1 sql-injection oauth phpmyfaq
2r 1t
high advisory

ProFTPD Vulnerability Allows SQL Injection

A remote, anonymous attacker can exploit a SQL injection vulnerability in ProFTPD, potentially leading to unauthorized data access or modification.

ProFTPD sql-injection vulnerability linux
2r 1t
high advisory

AWP Classifieds WordPress Plugin SQL Injection Vulnerability

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5, potentially allowing unauthenticated attackers to extract sensitive information from the database.

AWP Classifieds plugin for WordPress sql-injection wordpress plugin
2r 1t 1c
high advisory

Shandong Hoteam PDM Product Data Management System SQL Injection Vulnerability

Shandong Hoteam Software PDM Product Data Management System up to version 8.3.9 is vulnerable to SQL injection via manipulation of the SortOrder argument in the GetQueryMachineGridOnePageData function of the /Base/BaseService.asmx/DataService file, allowing remote attackers to potentially execute arbitrary SQL commands.

PDM Product Data Management System sql-injection cve-2026-7727 webserver
2r 1t 1c
high threat

Jinher OA 1.0 SQL Injection Vulnerability (CVE-2026-7670)

Jinher OA 1.0 is vulnerable to remote SQL injection via the DeptIDList parameter in the /C6/JHSoft.Web.PlanSummarize/UserSel.aspx file, potentially allowing attackers to execute arbitrary SQL queries.

OA 1.0 sql-injection cve-2026-7670 web-application
2r 1t 1c
high advisory

code-projects Online Hospital Management System SQL Injection Vulnerability

CVE-2026-7632 is a SQL injection vulnerability in code-projects Online Hospital Management System 1.0, allowing a remote attacker to execute arbitrary SQL commands by manipulating the 'delid' argument in the '/viewappointment.php' file.

Online Hospital Management System 1.0 sql-injection web-application vulnerability
2r 1t 1c
high advisory

Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)

A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (<= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.

Geo Mashup plugin sql-injection wordpress plugin
2r 1t 1c
high advisory

SQL Injection Vulnerability in itsourcecode Courier Management System

itsourcecode Courier Management System 1.0 is vulnerable to SQL Injection via the ID parameter in /edit_staff.php, potentially allowing remote attackers to execute arbitrary SQL commands.

Courier Management System sql-injection web-application cve
2r 1t 1c
high advisory

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability

CVE-2026-7550 is an SQL injection vulnerability in SourceCodester Pharmacy Sales and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the ID argument in the /ajax.php?action=save_customer endpoint.

Pharmacy Sales and Inventory System 1.0 sql-injection web-application cve-2026-7550
2r 1t 1c
high advisory

XATABoost CMS 1.0.0 SQL Injection Vulnerability

XATABoost CMS 1.0.0 is vulnerable to union-based SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter via GET requests to news.php, enabling extraction of sensitive database information.

xataboost cms 1.0.0 sql-injection web-application cve
2r 1t 1c
high advisory

EyouCMS SQL Injection Vulnerability (CVE-2026-7389)

A remote SQL injection vulnerability (CVE-2026-7389) exists in EyouCMS versions up to 1.7.9 due to improper handling of the 'sort_asc' argument in the GetSortData function, potentially allowing attackers to execute arbitrary SQL commands.

EyouCMS sql-injection cve-2026-7389 web-application
2r 1t 1c
high advisory

Spring AI Vulnerabilities CVE-2026-40967 and CVE-2026-40978

Spring released security advisories on April 27, 2026, to address a VectorStore FilterExpression Converter injection vulnerability (CVE-2026-40967) and a SQL Injection vulnerability (CVE-2026-40978) in Spring AI versions prior to 1.0.6 and 1.1.5.

Spring AI +1 vulnerability sql-injection code-injection spring-ai
2r 1t 2c
high threat

dubydu sqlite-mcp SQL Injection Vulnerability (CVE-2026-7206)

A SQL injection vulnerability exists in dubydu sqlite-mcp version 0.1.0 and earlier within the extract_to_json function allowing remote exploitation through manipulation of the output_filename argument.

exploited sqlite-mcp sql-injection cve-2026-7206 web-application
2r 1c
high advisory

SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability (CVE-2026-7199)

A SQL injection vulnerability (CVE-2026-7199) exists in SourceCodester Pharmacy Sales and Inventory System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'ID' parameter in the `/ajax.php?action=delete_product` endpoint, potentially leading to data breach or system compromise.

Pharmacy Sales and Inventory System 1.0 sql-injection cve-2026-7199 web-application
2r 1t 1c
high advisory

Online Lot Reservation System SQL Injection Vulnerability

CVE-2026-7131 is a SQL injection vulnerability in code-projects Online Lot Reservation System up to version 1.0, affecting the /loginuser.php component via manipulation of the email/password arguments, which could allow remote attackers to execute arbitrary SQL queries.

Online Lot Reservation System sql-injection web-application cve
2r 1t 1c
high advisory

itsourcecode Construction Management System SQL Injection Vulnerability

A SQL injection vulnerability exists in itsourcecode Construction Management System version 1.0, affecting the processing of the /locations.php file, allowing a remote attacker to inject SQL commands by manipulating the 'address' argument, with a publicly available exploit.

Construction Management System 1.0 sql-injection web-application cve-2026-7075
2r 1t 1c
high advisory

CodePanda Source canteen_management_system SQL Injection Vulnerability

A SQL injection vulnerability exists in CodePanda Source canteen_management_system version 1.0 within the /api/login.php file by manipulating the Username argument, allowing remote attackers to execute arbitrary SQL commands.

canteen_management_system 1.0 sql-injection cve-2026-7072 web-application
1r 1t 1c
high advisory

SQL Injection Vulnerability in code-projects Inventory Management System 1.0

A SQL injection vulnerability exists in code-projects Inventory Management System 1.0 within the Login component, specifically affecting the Username argument, where a remote attacker can manipulate the Username parameter, leading to unauthorized data access or modification.

Inventory Management System 1.0 sql-injection web-application vulnerability
2r 1t 1c
high advisory

KLiK SocialMediaWebsite SQL Injection Vulnerability (CVE-2026-7002)

KLiK SocialMediaWebsite up to version 1.0.1 is vulnerable to SQL injection via manipulation of the c_id argument in the /includes/get_message_ajax.php file, specifically affecting the Private Message Handler component, which can be exploited remotely.

SocialMediaWebsite sql-injection vulnerability web-application
2r 1t 1c
critical advisory

OpenC3 COSMOS SQL Injection Vulnerability in QuestDB Time-Series Database

A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS, allowing an authenticated remote user to execute arbitrary SQL commands, including telemetry data disclosure and deletion.

OpenC3 sql-injection cosmos questdb telemetry
2r 3t
high advisory

Daptin SQL Injection Vulnerability in Aggregate API

A SQL injection vulnerability exists in Daptin versions prior to 0.11.4 within the `/aggregate/:typename` endpoint, where the `column` and `group` query parameters are passed to `goqu.L()` without validation, allowing authenticated users to inject arbitrary SQL expressions and exfiltrate sensitive data.

Daptin sql-injection web-application
2r 1t
critical advisory

ElectricSQL /v1/shape API SQL Injection Vulnerability

The ElectricSQL sync engine is vulnerable to SQL injection, potentially allowing authenticated users to read, write, and destroy the underlying PostgreSQL database.

sql-injection electricsql postgresql
2r 1t 1c
high advisory

Multiple Vulnerabilities in OpenBao Allow for Security Bypass, DoS, and SQL Injection

Multiple vulnerabilities in OpenBao can be exploited by an attacker to bypass security measures, conduct a denial of service attack, and conduct a SQL injection attack.

openbao vulnerability sql-injection dos
3r 3t
high advisory

Metasoft MetaCRM SQL Injection Vulnerability (CVE-2026-6629)

A SQL injection vulnerability (CVE-2026-6629) exists in Metasoft MetaCRM up to version 6.4.0, allowing remote attackers to execute arbitrary SQL commands via manipulation of the sql argument in the Statement.executeUpdate function of the sql.jsp file.

cve-2026-6629 sql-injection web-application metasoft
2r 1t
critical advisory

Digiwin EasyFlow .NET SQL Injection Vulnerability (CVE-2026-5964)

Digiwin's EasyFlow .NET is susceptible to a SQL Injection vulnerability, enabling unauthenticated remote attackers to inject arbitrary SQL commands for unauthorized database access, modification, and deletion.

sql-injection vulnerability web-application
2r 1t 1c
critical advisory

Digiwin EasyFlow .NET SQL Injection Vulnerability (CVE-2026-5963)

Digiwin EasyFlow .NET is vulnerable to SQL Injection, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

sql-injection cve-2026-5963 easyflow digiwin
2r 1t
high advisory

WeGIA SQL Injection Vulnerability (CVE-2026-40285)

WeGIA versions prior to 3.6.10 are vulnerable to SQL injection via the cpf_usuario POST parameter, allowing authenticated users to query the database under an arbitrary identity.

wegia sql-injection cve-2026-40285 web-application
2r 1t 1c
high advisory

PraisonAI Multiple Backends Vulnerable to SQL Injection via Unvalidated Table Prefix

PraisonAI is vulnerable to SQL injection across nine database backends due to unsanitized `table_prefix` parameters, and in PostgreSQL due to an unsanitized `schema` parameter, enabling arbitrary SQL execution.

sql-injection praisonai web-application
2r 1t 1c
high advisory

YesWiki Authenticated SQL Injection Vulnerability

YesWiki is vulnerable to authenticated SQL Injection via the id_fiche parameter in the EntryManager::formatDataBeforeSave() function, allowing attackers to inject arbitrary SQL commands and potentially extract sensitive data.

yeswiki sql-injection web-application
2r 1t 2i
high advisory

WC Lovers WCFM Marketplace SQL Injection Vulnerability (CVE-2025-63029)

An SQL Injection vulnerability, identified as CVE-2025-63029, exists in the WC Lovers WCFM Marketplace WordPress plugin up to version 3.7.1, potentially allowing attackers to execute arbitrary SQL queries.

sql-injection wordpress wcfm-marketplace
2r 1t 1c 1i
high advisory

Krayin CRM v2.2.x SQL Injection Vulnerability

Krayin CRM v2.2.x is vulnerable to SQL injection via the rotten_lead parameter in /Lead/LeadDataGrid.php, potentially allowing attackers to read sensitive data.

sql-injection cve-2026-38528 krayin-crm
2r 1t 1c
critical advisory

SQL Injection Vulnerability in anirudhkannan Grocery Store Management System 1.0 (CVE-2025-63939)

A critical SQL injection vulnerability (CVE-2025-63939) exists in the anirudhkannan Grocery Store Management System 1.0, allowing unauthenticated attackers to execute arbitrary SQL queries via the sitem_name POST parameter in /Grocery/search_products_itname.php.

sql-injection web-application cve-2025-63939
2r 1t 1c 1i
critical advisory

SAP Business Planning and Consolidation and Business Warehouse SQL Injection Vulnerability

CVE-2026-27681 describes an insufficient authorization check vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse that allows authenticated users to execute crafted SQL statements, leading to unauthorized data access, modification, and deletion.

cve-2026-27681 sql-injection sap
2r 1t 1c
high advisory

SQL Injection Vulnerability in Faculty Management System

A remote attacker can exploit an SQL injection vulnerability (CVE-2026-6167) in the code-projects Faculty Management System 1.0 by manipulating the ID argument in the /subject-print.php file, potentially leading to data exfiltration or modification.

sql-injection web-application vulnerability
2r 1t 1c
high advisory

SQL Injection Vulnerability in Lost and Found Thing Management 1.0

A remote SQL injection vulnerability (CVE-2026-6163) exists in code-projects Lost and Found Thing Management 1.0 via manipulation of the 'cat' parameter in /catageory.php, potentially allowing attackers to read, modify, or delete database information.

sql-injection web-application vulnerability
2r 1t 1c
high advisory

Simple ChatBox Unauthenticated SQL Injection Vulnerability (CVE-2026-6161)

CVE-2026-6161 is an unauthenticated SQL injection vulnerability in the Simple ChatBox application (<= 1.0) that can be exploited by sending a crafted HTTP request to `/chatbox/insert.php`.

sql-injection web-application cve-2026-6161
2r 1t 1c
high advisory

MyT-PM 1.5.1 SQL Injection Vulnerability

MyT-PM 1.5.1 is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL queries via the Charge[group_total] parameter.

sql-injection web-application cve-2019-25713
2r 1t 1c 1i
high advisory

eBrigade ERP 4.5 SQL Injection Vulnerability (CVE-2019-25707)

eBrigade ERP 4.5 is vulnerable to SQL injection via the 'id' parameter in pdf.php, allowing authenticated attackers to execute arbitrary SQL queries and extract sensitive database information.

sql-injection web-application cve-2019-25707
2r 1t 1c 1i
high advisory

Vehicle Showroom Management System SQL Injection Vulnerability (CVE-2026-6038)

A remote SQL injection vulnerability (CVE-2026-6038) exists in the code-projects Vehicle Showroom Management System 1.0, specifically affecting the /util/RegisterCustomerFunction.php file by manipulating the BRANCH_ID argument.

cve-2026-6038 sql-injection web-application
2r 3t 1c
high threat

WordPress adivaha Travel Plugin SQL Injection Vulnerability (CVE-2023-54359)

The WordPress adivaha Travel Plugin version 2.3 is vulnerable to time-based blind SQL injection via the 'pid' GET parameter, allowing unauthenticated attackers to inject SQL code through the /mobile-app/v3/ endpoint for potential data extraction or denial of service.

exploited wordpress sql-injection cve-2023-54359
2r 1t 1c
high threat

PHPGurukul News Portal Project SQL Injection Vulnerability (CVE-2026-5837)

PHPGurukul News Portal Project version 4.1 is vulnerable to SQL injection via the Comment parameter in /news-details.php, potentially allowing remote attackers to execute arbitrary SQL queries.

exploited sql-injection web-application php CVE-2026-5837
2r 1t 1c
high advisory

code-projects Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5829)

A remote SQL injection vulnerability (CVE-2026-5829) exists in code-projects Simple IT Discussion Forum 1.0 due to improper handling of the 'post_id' argument in the '/pages/content.php' file, allowing attackers to execute arbitrary SQL queries.

sql-injection web-application cve-2026-5829
2r 1t 1c
high advisory

Drizzle ORM SQL Injection Vulnerability (CVE-2026-39356)

Drizzle ORM versions before 0.45.2 and 1.0.0-beta.20 are vulnerable to SQL injection due to improper escaping of SQL identifiers, allowing attackers to inject malicious SQL code through manipulated input leading to potential data breaches.

sql-injection drizzle-orm cve-2026-39356 typescript orm
2r 5t 1c
high advisory

PowerJob SQL Injection Vulnerability (CVE-2026-5736)

A remote SQL injection vulnerability, CVE-2026-5736, exists in PowerJob versions 5.1.0 through 5.1.2 within the detailPlus Endpoint, potentially allowing unauthenticated attackers to execute arbitrary SQL queries.

sql-injection vulnerability powerjob
2r 1t 1c
critical advisory

Windmill CE/EE SQL Injection Vulnerability

Windmill CE/EE versions 1.276.0 through 1.603.2 are vulnerable to SQL injection in the folder ownership management, allowing authenticated attackers to inject SQL through the owner parameter, leading to sensitive data access, token forgery, and arbitrary code execution.

sql-injection rce windmill
2r 3t 1c
high advisory

ChurchCRM SQL Injection Vulnerability (CVE-2026-35567)

ChurchCRM versions prior to 7.1.0 are vulnerable to SQL injection via the NewRole POST parameter, allowing authenticated users with the ManageGroups role to execute arbitrary SQL commands.

cve-2026-35567 sql-injection churchcrm
2r 1t 1c
critical advisory

WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-35395)

WeGIA web manager versions prior to 3.6.9 are vulnerable to SQL injection, allowing authenticated users to execute arbitrary SQL commands by directly interpolating the id_memorando parameter from $_REQUEST into SQL queries without validation, as identified by CVE-2026-35395.

cve-2026-35395 sql-injection web-application
2r 1t 1c
high advisory

Media Library Assistant WordPress Plugin SQL Injection Vulnerability

The Media Library Assistant WordPress plugin through version 3.34 is vulnerable to SQL injection, allowing attackers to manipulate database queries.

sql-injection wordpress plugin-vulnerability
2r 1t 1c
high advisory

GLPI Unauthenticated Time-Based Blind SQL Injection Vulnerability (CVE-2026-26263)

GLPI versions 11.0.0 to before 11.0.6 are susceptible to an unauthenticated time-based blind SQL injection vulnerability in the search engine, allowing remote attackers to potentially extract sensitive information.

sql-injection glpi cve-2026-26263 web-application
2r 1t 1c
high advisory

SQL Injection Vulnerability in projectworlds Car Rental System 1.0

A SQL injection vulnerability (CVE-2026-5637) exists in projectworlds Car Rental System 1.0's /message_admin.php, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'Message' argument.

sql-injection web-application cve-2026-5637
2r 1t 1c
high advisory

Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25704)

Kados R10 GreenBee is vulnerable to SQL injection (CVE-2019-25704), allowing attackers to manipulate database queries via the filter_user_mail parameter, potentially leading to data extraction or modification.

sql-injection cve-2019-25704 web-application
2r 1t 1c
high advisory

Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25702)

Kados R10 GreenBee is vulnerable to SQL injection via the id_project parameter, allowing attackers to manipulate database queries to extract sensitive information or modify data.

sql-injection web-application cve-2019-25702
2r 1t 1c
critical advisory

C4G Basic Laboratory Information System 3.4 SQL Injection Vulnerability

C4G Basic Laboratory Information System 3.4 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL commands via the 'site' parameter in GET requests to the users_select.php endpoint, potentially leading to sensitive data extraction.

sql-injection web-application cve-2019-25678
2r 1t 1c
high advisory

SuiteCRM 7.10.7 Time-Based SQL Injection Vulnerability

SuiteCRM 7.10.7 is vulnerable to time-based SQL injection in the record parameter of the Users module DetailView action, allowing authenticated attackers to manipulate database queries and potentially extract sensitive information.

sql-injection cve-2019-25664 suitecrm
2r 1t 1c
high advisory

SQL Injection Vulnerability in jkev Record Management System 1.0 (CVE-2026-5575)

A SQL injection vulnerability (CVE-2026-5575) exists in the Login component of SourceCodester/jkev Record Management System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username parameter in index.php.

sql-injection cve-2026-5575 web-application
2r 1t 1c
high advisory

code-projects Simple Laundry System 1.0 SQL Injection Vulnerability

A remote SQL Injection vulnerability exists in code-projects Simple Laundry System 1.0 within the /delmemberinfo.php file's userid parameter, potentially allowing attackers to execute arbitrary SQL commands.

sql-injection web-application vulnerability
2r 1t 1c
high threat

SQL Injection Vulnerability in Concert Ticket Reservation System

A remote attacker can exploit CVE-2026-5554 in code-projects Concert Ticket Reservation System 1.0 to perform SQL injection by manipulating the searching argument in the process_search.php file.

exploited sql-injection web-application vulnerability
2r 1t 1c
high advisory

SQL Injection Vulnerability in Free Hotel Reservation System 1.0 (CVE-2026-5551)

A SQL injection vulnerability (CVE-2026-5551) exists in itsourcecode Free Hotel Reservation System 1.0, specifically affecting the `email` parameter within the `/hotel/admin/login.php` file, allowing remote attackers to execute arbitrary SQL queries.

sql-injection web-application vulnerability
2r 1t 1c
high advisory

Piwigo SQL Injection Vulnerability (CVE-2026-27885)

CVE-2026-27885 is a SQL Injection vulnerability in Piwigo before version 16.3.0, affecting the Activity List API endpoint, allowing an authenticated administrator to extract sensitive data.

sql-injection web-application piwigo
2r 1t 1c
high advisory

Piwigo SQL Injection Vulnerability (CVE-2026-27834)

A SQL Injection vulnerability (CVE-2026-27834) exists in Piwigo versions prior to 16.3.0, allowing authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method.

piwigo sql-injection cve-2026-27834
2r 1t 1c
high threat

SQL Injection Vulnerability in itsourcecode Online Enrollment System 1.0

A SQL injection vulnerability exists in itsourcecode Online Enrollment System 1.0 within the Parameter Handler component at /enrollment/index.php, where manipulating the deptid argument can lead to remote code execution, with public exploits available.

exploited sql-injection web-application cve-2026-5334
2r 1t 1c
critical advisory

Unauthenticated SQL Injection Vulnerability in mb24api Endpoint (CVE-2026-33616)

CVE-2026-33616 describes an unauthenticated blind SQL Injection vulnerability affecting an mb24api endpoint, which a remote attacker can exploit by injecting special elements into a SQL SELECT command, potentially leading to a total loss of confidentiality due to improper neutralization of special elements.

sql-injection cve-2026-33616 web-application
2r 1t 1c
critical advisory

Unauthenticated SQL Injection Vulnerability in setinfo Endpoint

An unauthenticated remote attacker can exploit a SQL Injection vulnerability (CVE-2026-33615) in the setinfo endpoint by injecting malicious code into a SQL UPDATE command, leading to a total loss of integrity and availability.

sql-injection vulnerability web-application
2r 1t 1c 2i
critical advisory

Unauthenticated SQL Injection Vulnerability in getinfo Endpoint (CVE-2026-33614)

An unauthenticated SQL Injection vulnerability (CVE-2026-33614) in the getinfo endpoint allows a remote attacker to execute arbitrary SQL commands due to improper neutralization of special elements, potentially leading to a total loss of confidentiality.

sql-injection vulnerability web-application
2r 1t 1c
high advisory

AlejandroArciniegas mcp-data-vis SQL Injection Vulnerability

A SQL injection vulnerability exists in the MCP Handler component of AlejandroArciniegas mcp-data-vis, specifically in the Request function of src/servers/database/server.js, allowing remote attackers to execute arbitrary SQL commands.

sql-injection web-application cve-2026-5322
2r 1t 1c
high advisory

pandas-ai SQL Injection Vulnerability (CVE-2026-30273)

pandas-ai v3.0.0 is vulnerable to SQL injection via the pandasai.agent.base._execute_sql_query component, potentially allowing unauthorized database access and modification.

sql-injection vulnerability pandas-ai
2r 1t 1c
high advisory

Django Multiple Vulnerabilities Leading to SQL Injection, Information Disclosure, and DoS

A remote, authenticated attacker can exploit multiple vulnerabilities in Django to perform SQL injections, disclose confidential information, or cause a denial-of-service condition.

django sql-injection information-disclosure denial-of-service web-application webserver
2r 2t
high advisory

itsourcecode Payroll Management System 1.0 SQL Injection Vulnerability

itsourcecode Payroll Management System 1.0 is vulnerable to SQL injection via the ID parameter in /view_employee.php, allowing remote attackers to execute arbitrary SQL commands.

sql-injection web-application payroll-system
2r 1t 1c 1i
high advisory

SQL Injection Vulnerability in itsourcecode Payroll Management System 1.0 (CVE-2026-5237)

A SQL injection vulnerability (CVE-2026-5237) exists in itsourcecode Payroll Management System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the ID parameter in the /manage_user.php file.

sql-injection web-application payroll-system
2r 1t 1c
high advisory

SQL Injection Vulnerability in Student Membership System 1.0

CVE-2026-5198 is a SQL injection vulnerability in the Admin Login component of code-projects Student Membership System 1.0, affecting the /admin/index.php file, enabling remote exploitation through manipulation of username/password parameters.

sql-injection vulnerability web-application
2r 1t 1c
high advisory

code-projects Student Membership System SQL Injection Vulnerability (CVE-2026-5195)

A remote SQL injection vulnerability exists in the User Registration Handler component of code-projects Student Membership System 1.0, exploitable through manipulation of input.

sql-injection web-application cve-2026-5195
2r 1t 1c
high advisory

SQL Injection Vulnerability in SourceCodester Simple Doctors Appointment System 1.0 (CVE-2026-5180)

A SQL Injection vulnerability (CVE-2026-5180) exists in SourceCodester Simple Doctors Appointment System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'email' parameter in the /admin/ajax.php?action=login2 endpoint.

sql-injection vulnerability web-application
2r 1t 1c
high advisory

SQL Injection Vulnerability in SourceCodester Simple Doctors Appointment System 1.0 (CVE-2026-5179)

A SQL injection vulnerability (CVE-2026-5179) exists in SourceCodester Simple Doctors Appointment System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the Username argument in the /admin/login.php file, with a public exploit available.

sql-injection web-application vulnerability
2r 1t 1c
critical advisory

SciTokens KeyCache SQL Injection Vulnerability (CVE-2026-32714)

A SQL injection vulnerability exists in SciTokens versions before 1.9.6, allowing attackers to execute arbitrary SQL commands via the KeyCache class by manipulating user-supplied data used in SQL query construction.

sql-injection scitokens cve-2026-32714 web-application
2r 3t 1c
high advisory

SQL Injection Vulnerability in code-projects Accounting System 1.0 (CVE-2026-5150)

A remote SQL injection vulnerability (CVE-2026-5150) exists in code-projects Accounting System 1.0 via manipulation of the 'cos_id' argument in /viewin_costumer.php, potentially allowing attackers to execute arbitrary SQL commands.

sql-injection web-application cve-2026-5150
2r 1t
high advisory

YunaiV yudao-cloud SQL Injection Vulnerability

A remote SQL injection vulnerability (CVE-2026-5147) exists in YunaiV yudao-cloud up to version 2026.01 via the Website argument in the /admin-api/system/tenant/get-by-website endpoint, allowing unauthenticated attackers to potentially execute arbitrary SQL queries.

cve-2026-5147 sql-injection web-application
2r 1t
critical advisory

Multiple Vulnerabilities in Fleet

Multiple vulnerabilities in Fleet allow an attacker to perform SQL injection, denial of service, bypass security measures, disclose information, and execute arbitrary program code with administrator privileges.

fleet vulnerability sql-injection denial-of-service
2r 8t
high advisory

Multiple Vulnerabilities in Dovecot Mail Server

Multiple vulnerabilities in Dovecot can be exploited by an attacker to perform SQL injection attacks, bypass authentication, disclose sensitive information, or cause a denial-of-service condition.

dovecot vulnerability sql-injection authentication-bypass dos
2r 2t
high advisory

SQL Injection Vulnerability in Simple Food Order System 1.0

A SQL injection vulnerability exists in code-projects Simple Food Order System 1.0 within the register-router.php file, where manipulation of the Name argument can lead to remote code execution.

sql-injection web-application vulnerability
2r 1t
high advisory

code-projects Simple Food Order System SQL Injection Vulnerability (CVE-2026-5017)

CVE-2026-5017 is a SQL injection vulnerability in code-projects Simple Food Order System 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'Status' parameter in the `/all-tickets.php` file.

sql-injection web-application vulnerability
2r 1t
high advisory

SQL Injection Vulnerability in Sinaptik AI PandasAI lancedb Extension

A SQL injection vulnerability exists in Sinaptik AI PandasAI up to version 0.1.4 within the pandasai-lancedb Extension, allowing remote exploitation through manipulation of multiple functions in the lancedb.py file.

sql-injection vulnerability pandasai
2r 1t
high advisory

WeGIA Web Manager SQL Injection Vulnerability (CVE-2026-33991)

WeGIA web manager prior to version 3.6.7 is vulnerable to SQL injection via the `id_tag` parameter in the `deletar_tag.php` script due to unsanitized input and direct concatenation into SQL queries, potentially allowing attackers to read, modify, or delete data.

cve-2026-33991 sql-injection web-application
2r 1t
high advisory

Shenzhen Ruiming Technology Streamax Crocus bis SQL Injection Vulnerability

A SQL injection vulnerability (CVE-2026-4910) exists in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44 via the /RemoteFormat.do endpoint, allowing remote attackers to execute arbitrary SQL commands by manipulating the State argument.

cve-2026-4910 sql-injection streamax webserver
2r 1t
high advisory

Ory Kratos SQL Injection Vulnerability in ListCourierMessages API

A SQL injection vulnerability exists in the ListCourierMessages Admin API of Ory Kratos versions prior to 26.2.0 due to flaws in its pagination implementation, allowing attackers to craft malicious tokens if the pagination secret is known or the default secret is used.

ory-kratos sql-injection cve-2026-33503 cloud
2r 1t
high advisory

Kysely SQL Injection Vulnerability (CVE-2026-33468)

A SQL injection vulnerability exists in Kysely versions prior to 0.28.14 due to insufficient backslash escaping in the `DefaultQueryCompiler.sanitizeStringLiteral()` function, potentially allowing attackers to inject arbitrary SQL when using the MySQL dialect, specifically affecting `CreateIndexBuilder.where()` and `CreateViewBuilder.as()` methods.

kysely sql-injection cve-2026-33468
2r 1t
high advisory

SQL Injection Vulnerability in Kysely TypeScript Library (CVE-2026-33442)

Kysely versions 0.28.12 and 0.28.13 are vulnerable to SQL injection due to insufficient escaping of backslashes in the `sanitizeStringLiteral` method, potentially leading to arbitrary SQL execution on MySQL servers.

sql-injection kysely cve-2026-33442
2r 1t
high advisory

HCL Aftermarket DPC SQL Injection Vulnerability (CVE-2025-55262)

CVE-2025-55262 is a SQL Injection vulnerability affecting HCL Aftermarket DPC, allowing an attacker to retrieve sensitive information from the database and potentially gain unauthorized access.

cve-2025-55262 sql-injection web-application
2r 1t
high advisory

Online Quiz Maker 1.0 SQL Injection Vulnerability (CVE-2018-25207)

Online Quiz Maker 1.0 is vulnerable to SQL injection via the catid and usern parameters, allowing authenticated attackers to execute arbitrary SQL commands by submitting malicious POST requests to quiz-system.php or add-category.php.

sql-injection cve-2018-25207 web-application
2r 1t
high advisory

ASP.NET jVideo Kit 1.0 SQL Injection Vulnerability

ASP.NET jVideo Kit 1.0 is vulnerable to SQL injection via the 'query' parameter in the search functionality, allowing unauthenticated attackers to inject malicious SQL payloads to extract sensitive database information.

sql-injection vulnerability asp.net
2r 1t
critical advisory

School Management System CMS 1.0 SQL Injection Vulnerability

School Management System CMS 1.0 is vulnerable to SQL injection in the admin login functionality, allowing attackers to bypass authentication by injecting SQL code through the username parameter.

sql-injection web-application vulnerability
2r 1t
high advisory

code-projects Online Food Ordering System SQL Injection Vulnerability (CVE-2026-4844)

CVE-2026-4844 describes a SQL injection vulnerability in the Admin Login Module of code-projects Online Food Ordering System 1.0, which can be exploited remotely by manipulating the Username argument in the /admin.php file.

sql-injection web-application cve-2026-4844
2r 1t
high advisory

OpenCart Core SQL Injection Vulnerability (CVE-2024-58341)

OpenCart Core 4.0.2.3 is vulnerable to SQL injection via the 'search' parameter, enabling unauthenticated attackers to manipulate database queries and extract sensitive information through boolean-based or time-based blind SQL injection.

cve-2024-58341 sql-injection opencart
2r 1t
high advisory

SourceCodester Online Catering Reservation SQL Injection Vulnerability (CVE-2026-4615)

A SQL injection vulnerability exists in SourceCodester Online Catering Reservation 1.0's `/search.php` file, allowing remote attackers to execute arbitrary SQL commands by manipulating the `rcode` argument.

sql-injection cve-2026-4615 web-application
2r 1t
high advisory

SQL Injection Vulnerability in Free Hotel Reservation System 1.0

A SQL injection vulnerability (CVE-2026-4612) exists in itsourcecode Free Hotel Reservation System 1.0 within the Parameter Handler component, allowing remote attackers to execute arbitrary SQL commands via the account_id parameter in the /hotel/admin/mod_users/index.php script.

cve-2026-4612 sql-injection web-application
2r 1t
critical advisory

eNdonesia Portal v8.7 SQL Injection Vulnerability

eNdonesia Portal v8.7 is vulnerable to SQL injection allowing unauthenticated attackers to execute arbitrary SQL queries via the bid parameter in banners.php, potentially leading to sensitive data extraction.

sql-injection web-application cve-2019-25643
2r 1t
critical advisory

Bootstrapy CMS Unauthenticated SQL Injection Vulnerabilities

Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters to extract sensitive database information or cause denial of service.

sql-injection bootstrapy-cms vulnerability
3r 1t
high advisory

Inout Article Base CMS SQL Injection Vulnerability (CVE-2019-25640)

Inout Article Base CMS is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters via XOR-based payloads in GET requests to portalLogin.php, potentially leading to sensitive information extraction or denial-of-service.

sql-injection cve-2019-25640 inout-article-base-cms
2r 1t
critical advisory

Zeeways Matrimony CMS Unauthenticated SQL Injection Vulnerability

Zeeways Matrimony CMS is vulnerable to SQL injection via the profile_list endpoint, where an unauthenticated attacker can inject SQL code via the up_cast, s_mother, and s_religion parameters, potentially allowing them to extract sensitive information.

sql-injection web-application matrimony-cms
2r 1t 1i
high advisory

Zeeways Jobsite CMS SQL Injection Vulnerability (CVE-2019-25636)

Zeeways Jobsite CMS is vulnerable to SQL injection, allowing unauthenticated attackers to inject SQL code through the 'id' GET parameter in crafted requests to news_details.php, jobs_details.php, or job_cmp_details.php to extract sensitive database information.

sql-injection cve-2019-25636 web-application
2r 1t
high advisory

Meeplace Business Review Script SQL Injection Vulnerability (CVE-2019-25638)

Meeplace Business Review Script is vulnerable to SQL injection via the 'id' parameter in the addclick.php endpoint, allowing unauthenticated attackers to execute arbitrary SQL queries and potentially extract sensitive database information or cause a denial of service.

sql-injection web-application cve-2019-25638
2r 1t
high advisory

WP Job Portal Plugin SQL Injection Vulnerability

The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.

sql-injection wordpress plugin
2r 1t
high advisory

SourceCodester Online Library Management System SQL Injection Vulnerability (CVE-2026-4624)

A remote SQL injection vulnerability (CVE-2026-4624) exists in SourceCodester Online Library Management System 1.0 by manipulating the 'searchField' parameter in the /home.php file, potentially allowing attackers to execute arbitrary SQL commands.

sql-injection cve-2026-4624 web-application
2r 1t
high advisory

PostgreSQL JDBC Driver SQL Injection Vulnerability

An anonymous, remote attacker can exploit a vulnerability in the PostgreSQL JDBC Driver to perform SQL injection attacks.

sql-injection postgresql jdbc
2r 1t
high advisory

SQL Injection Vulnerability in itsourcecode Online Enrollment System 1.0 (CVE-2026-4632)

CVE-2026-4632 is a SQL Injection vulnerability in itsourcecode Online Enrollment System 1.0, specifically affecting the Parameter Handler component at '/sms/user/index.php?view=add', allowing a remote attacker to inject malicious SQL code by manipulating the 'Name' argument, with a public exploit available.

sql-injection web-application cve-2026-4632
2r 1t
high advisory

SourceCodester Online Admission System 1.0 SQL Injection Vulnerability

A SQL injection vulnerability in SourceCodester Online Admission System 1.0 allows remote attackers to execute arbitrary SQL commands by manipulating the 'program' argument in the /programmes.php file.

sql-injection web-application vulnerability
2r 1t 1i
high advisory

SourceCodester E-Commerce Site SQL Injection Vulnerability (CVE-2026-4613)

A remote SQL injection vulnerability (CVE-2026-4613) exists in SourceCodester E-Commerce Site 1.0 within the /products.php file due to improper input sanitization of the 'Search' argument, potentially allowing attackers to read or modify sensitive database information.

sql-injection web-application ecommerce cve-2026-4613
2r 1t
high advisory

Erupt Framework SQL Injection Vulnerability (CVE-2026-4594)

A SQL injection vulnerability (CVE-2026-4594) exists in erupts erupt up to version 1.13.3, allowing remote attackers to execute arbitrary SQL commands by manipulating the sort.field argument in the geneEruptHqlOrderBy function.

sql-injection vulnerability erupt
2r 1t
critical advisory

Critical Vulnerabilities in n8n Workflow Automation Platform

Multiple critical vulnerabilities in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 enable authenticated users to execute arbitrary code and system commands, potentially leading to full system compromise.

n8n code-injection sql-injection vulnerability
3r 3t
high advisory

zyx0814 FilePress SQL Injection Vulnerability (CVE-2026-8133)

A remote SQL injection vulnerability (CVE-2026-8133) exists in zyx0814 FilePress up to version 2.2.0 via the Shares Filelist API by manipulating the argument order, potentially leading to unauthorized data access or modification.

FilePress sql-injection vulnerability web-application
2r 1t 1c
high advisory

Acrel EEMS Enterprise Power Operation and Maintenance Cloud Platform SQL Injection Vulnerability

A SQL injection vulnerability exists in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 when manipulating the 'fCircuitids' argument in the '/SubstationWEBV2/main/elecMaxMinAvgValue' file, potentially allowing for remote code execution or data exfiltration.

EEMS Enterprise Power Operation and Maintenance Cloud Platform sql-injection web-application vulnerability
2r 1t 1c
high advisory

NocoBase SQL Injection via Missing Validation on Update Endpoint

A SQL injection vulnerability exists in nocobase plugin-collection-sql versions 2.0.32 and earlier due to missing validation on the sqlCollection:update endpoint, allowing attackers with collection management permissions to execute arbitrary SQL queries and exfiltrate data.

plugin-collection-sql sql-injection web-application nocobase
2r 1t
critical advisory

Oracle MCP Server Helper Tool Unauthenticated SQL Injection Vulnerability (CVE-2026-35228)

CVE-2026-35228 is a critical vulnerability in Oracle MCP Server Helper Tool versions 1.0.1 through 1.0.156, allowing unauthenticated remote attackers to execute arbitrary SQL commands.

MCP Server Helper Tool 1.0.1-1.0.156 sql-injection cve web-application
2r 1t 1c
high advisory

SQL Injection Vulnerability in Form Maker by 10Web WordPress Plugin

The Form Maker by 10Web WordPress plugin is vulnerable to SQL Injection via the 'inputs' parameter in versions up to 1.15.42, allowing unauthenticated attackers to extract sensitive information from the database.

Form Maker by 10Web sql-injection wordpress plugin
2r 1t 1c
critical advisory

phpMyFAQ Unauthenticated SQL Injection via User-Agent Header

Unauthenticated SQL injection vulnerability exists in phpMyFAQ <= 4.1.1 due to improper handling of the User-Agent header in BuiltinCaptcha, allowing attackers to inject malicious SQL payloads and potentially gain complete control of the datastore.

phpMyFAQ sql-injection unauthenticated web-application
2r 1t
high advisory

liyupi yu-picture SQL Injection Vulnerability (CVE-2026-7060)

A SQL injection vulnerability (CVE-2026-7060) exists in liyupi yu-picture versions up to a053632c41340152bf75b66b3c543d129123d8ec, allowing a remote attacker to execute arbitrary SQL commands by manipulating the sortField argument in the PageRequest function of PictureServiceImpl.java.

yu-picture sql-injection cve-2026-7060 web-application
2r 1t 1c
critical advisory

YAFNET Pre-Handler Authorization Bypass Leads to SQL Injection

YAFNET's flawed authorization allows low-privileged users to execute arbitrary SQL commands via the `/Admin/RunSql` endpoint, potentially leading to data exfiltration, application modification, and denial-of-service.

YAFNET.Core sql-injection web-application vulnerability
2r 8t
high advisory

itsourcecode Electronic Judging System SQL Injection Vulnerability (CVE-2026-7555)

A remote SQL injection vulnerability (CVE-2026-7555) exists in itsourcecode Electronic Judging System 1.0 via manipulation of the Username argument in the /intrams/login.php file, potentially leading to unauthorized data access and modification.

Electronic Judging System 1.0 sql-injection vulnerability web-application
2r 1t 1c
critical advisory

Rucio SQL Injection Vulnerability in FilterEngine PostgreSQL Query Builder

A SQL injection vulnerability exists in Rucio's FilterEngine.create_postgres_query, affecting versions 1.30.0 to before 35.8.5, 36.0.0 to before 38.5.5, 39.0.0 to before 39.4.2, and 40.0.0 to before 40.1.1, allowing any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database via the DID search endpoint when the postgres_meta plugin is enabled, potentially leading to data modification, remote code execution, and credential theft.

rucio sql-injection cve-2026-29090
2r 1t
high advisory

Flight Framework SQL Injection Vulnerability

Flight framework is vulnerable to SQL Injection; an attacker can inject arbitrary SQL by crafting malicious array keys due to SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() building SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting or validation, leading to privilege escalation, arbitrary column writes, data destruction, and exfiltration.

flightphp/core sql-injection web-application vulnerability
2r 2t
high advisory

CKAN Unauthenticated SQL Injection in datastore_search_sql

An unauthenticated SQL injection vulnerability in CKAN's `datastore_search_sql` function allows attackers to access private resources and PostgreSQL system information, affecting versions prior to 2.10.10 and versions 2.11.0 through 2.11.4.

ckan sql-injection vulnerability
2r 1t
high advisory

ARMember WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-7649)

A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (<= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin <= 4.0.60 sql-injection wordpress armember cve-2026-7649
2r 1t 1c
high advisory

Appsmith SQL Injection Vulnerability in FilterDataService

A SQL injection vulnerability exists in Appsmith's FilterDataServiceCE.java in versions 1.98 and earlier where the dropTable method constructs a SQL DROP TABLE statement using string concatenation with the table name, allowing arbitrary SQL command execution, leading to potential data loss, exfiltration, or modification.

interfaces sql-injection data-loss appsmith
2r 1t