Tag
Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)
2 rules 1 TTP 1 CVE
The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.
Sunnet CTMS SQL Injection Vulnerability (CVE-2026-7489)
2 rules 1 TTP 1 CVE
Sunnet CTMS is vulnerable to SQL injection (CVE-2026-7489), allowing authenticated remote attackers to execute arbitrary SQL commands and compromise the database.
SourceCodester Advanced School Management System SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
A SQL injection vulnerability (CVE-2026-7545) exists in SourceCodester Advanced School Management System 1.0 within the checkEmail endpoint of commonController.php, allowing remote attackers to potentially execute arbitrary SQL commands.
SSCMS v7.4.0 SQL Injection Vulnerability in stl:sqlContent Tag
2 rules 1 TTP 1 CVE
SSCMS v7.4.0 is vulnerable to SQL injection via the stl:sqlContent tag's queryString attribute, allowing attackers to execute arbitrary SQL statements through crafted payloads submitted to the /api/stl/actions/dynamic endpoint.
Multiple Vulnerabilities in MISP Threat Intelligence Platform
2 rules 1 TTP
Multiple vulnerabilities in MISP versions prior to 2.5.37 allow attackers to perform privilege escalation, SQL injection (SQLi), and security policy bypass.
ProFTPD SQL Injection Vulnerability
2 rules 1 TTP
An anonymous remote attacker can exploit a SQL injection vulnerability in ProFTPD.
SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID parameter in the /ajax.php?action=delete_category endpoint, potentially leading to unauthorized data access or modification.
SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection by manipulating the ID argument in the /ajax.php?action=save_receiving file, allowing remote attackers to execute arbitrary SQL commands.
code-projects Employee Management System SQL Injection Vulnerability (CVE-2026-7063)
2 rules 1 TTP 1 CVE
CVE-2026-7063 is a SQL Injection vulnerability in code-projects Employee Management System 1.0 via the 'pwd' parameter in /370project/process/eprocess.php, enabling remote attackers to execute arbitrary SQL commands.
Multiple Vulnerabilities in n8n Workflow Automation Tool
3 rules 5 TTPs 1 CVE
Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.
Dagster SQL Injection Vulnerability in Dynamic Partition Keys
2 rules 6 TTPs
A SQL injection vulnerability exists in Dagster's DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers, where a user with 'Add Dynamic Partitions' permission can inject arbitrary SQL due to improper escaping of dynamic partition key values, leading to unauthorized data access or modification.
ManageEngine PAM360 and Password Manager Pro Authenticated SQL Injection Vulnerability (CVE-2026-5785)
2 rules 4 TTPs 1 CVE
An authenticated SQL injection vulnerability (CVE-2026-5785) in the query report module of Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 allows attackers with low privileges to potentially read or modify sensitive database information.
Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.
manikandan580 School-management-system SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
A time-based blind SQL injection vulnerability in manikandan580 School-management-system 1.0 allows unauthenticated attackers to potentially execute arbitrary SQL queries and gain unauthorized access to sensitive information.
Fortinet FortiDDoS-F SQL Injection Vulnerability (CVE-2026-39815)
2 rules 3 TTPs 1 CVE
An SQL injection vulnerability (CVE-2026-39815) in Fortinet FortiDDoS-F versions 7.2.1 through 7.2.2 may allow a low-privilege attacker to execute unauthorized code or commands.
PHPGurukul Daily Expense Tracking System SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
A remote SQL injection vulnerability exists in PHPGurukul Daily Expense Tracking System 1.1 within the /register.php file, where manipulation of the email argument allows for arbitrary SQL command execution, with a public exploit available.
SQL Injection Vulnerability in Simple Content Management System 1.0
2 rules 1 TTP 1 CVE 5 IOCs
A remote SQL injection vulnerability exists in code-projects Simple Content Management System 1.0, specifically affecting the /web/admin/login.php file where manipulation of the 'User' argument allows unauthenticated attackers to execute arbitrary SQL queries.
SQL Injection Vulnerability in Vehicle Showroom Management System 1.0
2 rules 1 TTP 1 CVE
A remote attacker can exploit an SQL injection vulnerability (CVE-2026-6165) in code-projects Vehicle Showroom Management System 1.0 by manipulating the ID parameter in /util/Login_check.php, potentially leading to unauthorized data access and modification.
Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
Dolibarr ERP-CRM 8.0.4 is vulnerable to SQL injection via the rowid parameter in the admin dict.php endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive database information.
ImpressCMS 1.3.11 Time-Based Blind SQL Injection Vulnerability
2 rules 1 TTP 1 CVE 5 IOCs
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability allowing authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter via POST requests to the admin.php endpoint.
CMSsite 1.0 SQL Injection Vulnerability (CVE-2019-25697)
2 rules 2 TTPs 1 CVE
CMSsite 1.0 is vulnerable to unauthenticated SQL injection (CVE-2019-25697) via the cat_id parameter in category.php, allowing attackers to extract sensitive database information.
SQL Injection Vulnerability in Vehicle Showroom Management System 1.0 (CVE-2026-6036)
2 rules 2 TTPs 1 CVE
A remote SQL injection vulnerability (CVE-2026-6036) exists in the Vehicle Showroom Management System 1.0 due to improper sanitization of the VEHICLE_ID parameter in /util/VehicleDetailsFunction.php, potentially allowing attackers to execute arbitrary SQL commands.
Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5827)
2 rules 1 TTP 1 CVE
CVE-2026-5827 is a SQL injection vulnerability in code-projects Simple IT Discussion Forum 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'content' argument in /question-function.php.
WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)
2 rules 1 TTP 1 CVE
The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.
code-projects Online FIR System SQL Injection Vulnerability
2 rules 1 TTP 1 CVE 6 IOCs
A SQL injection vulnerability in code-projects Online FIR System 1.0 allows remote attackers to execute arbitrary SQL commands by manipulating the email or password parameters in the /Login/checklogin.php file.
GLPI SQL Injection Vulnerability (CVE-2026-29047)
2 rules 1 TTP 1 CVE
GLPI versions 10.0.0 before 10.0.24 and 11.0.6 are vulnerable to SQL Injection (CVE-2026-29047) via the logs export feature, allowing authenticated users to potentially execute arbitrary SQL commands.
SQL Injection Vulnerability in Car Rental Project 1.0 (CVE-2026-5634)
2 rules 1 TTP 1 CVE 5 IOCs
A remote SQL injection vulnerability (CVE-2026-5634) exists in projectworlds Car Rental Project 1.0 via the fname parameter in /book_car.php, allowing unauthenticated attackers to potentially read, modify, or delete database information.
Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25692)
2 rules 1 TTP 1 CVE
Kados R10 GreenBee is vulnerable to SQL injection via the 'id_to_modify' parameter, enabling attackers to manipulate database queries and potentially extract or modify sensitive data.
OpenDocMan 1.3.4 SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
OpenDocMan version 1.3.4 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries via the 'where' parameter in search.php to extract sensitive information.
Advance Gift Shop Pro Script 2.0.3 SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
Advance Gift Shop Pro Script 2.0.3 is vulnerable to SQL injection via the 's' search parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information.
eDirectory SQL Injection Vulnerability (CVE-2019-25675)
2 rules 2 TTPs 1 CVE
Unauthenticated attackers can exploit SQL injection vulnerabilities in eDirectory (CVE-2019-25675) to bypass administrator authentication and disclose sensitive files.
PilusCart 1.4.1 SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
PilusCart 1.4.1 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter to extract sensitive database information.
News Website Script 2.0.5 SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
News Website Script 2.0.5 contains an SQL injection vulnerability (CVE-2019-25668) allowing unauthenticated attackers to extract sensitive information by injecting SQL code through the news ID parameter in GET requests.
ResourceSpace 8.6 SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
ResourceSpace 8.6 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the 'ref' parameter in GET requests to the watched_searches.php endpoint, leading to sensitive data extraction.
OpenProject SQL Injection Vulnerability (CVE-2026-34717)
2 rules 1 TTP 1 CVE 1 IOC
OpenProject versions before 17.2.3 are susceptible to SQL injection due to improper input sanitization in the '=n' operator, potentially allowing remote attackers to execute arbitrary SQL commands.
OpenSTAManager Time-Based Blind SQL Injection Vulnerability
2 rules 1 TTP
OpenSTAManager versions before 2.10.2 are susceptible to time-based blind SQL injection via the 'options[stato]' GET parameter, allowing authenticated attackers to extract sensitive database information.
code-projects Accounting System 1.0 SQL Injection Vulnerability (CVE-2026-5034)
2 rules 1 TTP
A remote SQL injection vulnerability exists in code-projects Accounting System 1.0 via manipulation of the 'cos_id' parameter in '/edit_costumer.php', potentially allowing unauthorized database access.
Group-Office JMAP Contact/Query SQL Injection Vulnerability
2 rules 3 TTPs
An authenticated SQL Injection vulnerability in Group-Office's JMAP Contact/query endpoint allows data extraction, including session tokens, leading to account takeover if unpatched.
Critical Vulnerabilities in n8n Workflow Automation Tool
3 rules 2 TTPs
Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.
KomSeo Cart 1.3 SQL Injection Vulnerability
2 rules 1 TTP
KomSeo Cart 1.3 is vulnerable to SQL injection via the 'my_item_search' parameter in edit.php, allowing attackers to inject SQL commands and extract sensitive database information.
Wecodex Hotel CMS 1.0 SQL Injection Vulnerability
2 rules 1 TTP
Wecodex Hotel CMS 1.0 is vulnerable to SQL injection in the admin login functionality, allowing unauthenticated attackers to bypass authentication and potentially extract sensitive database information or gain administrative access by injecting SQL code through the username parameter in POST requests to index.php with action=processlogin.
SQL Injection Vulnerability in Simple Laundry System 1.0
2 rules 1 TTP 6 IOCs
A remote SQL Injection vulnerability exists in code-projects Simple Laundry System 1.0 within the Parameter Handler component's /checkregisitem.php file, where manipulating the Long-arm-shirtVol argument can trigger the injection, with a publicly available exploit.
SQL Injection Vulnerability in itsourcecode Online Enrollment System 1.0
2 rules 1 TTP
A remote SQL injection vulnerability exists in itsourcecode Online Enrollment System 1.0 within the Parameter Handler component, affecting the `/sms/grades/index.php` file and allowing unauthorized database access; it has been publicly disclosed.
SourceCodester Malawi Online Market SQL Injection Vulnerability (CVE-2026-4838)
2 rules 1 TTP 6 IOCs
A remote SQL injection vulnerability (CVE-2026-4838) exists in the /display.php file of SourceCodester Malawi Online Market 1.0 due to improper input sanitization of the ID parameter, potentially allowing attackers to execute arbitrary SQL queries.
OpenEMR Blind SQL Injection Vulnerability in Patient Search (CVE-2026-29187)
2 rules 1 TTP
OpenEMR versions prior to 8.0.0.3 are susceptible to a blind SQL injection vulnerability in the Patient Search functionality, allowing authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys.
Netartmedia Vlog System SQL Injection Vulnerability
2 rules 1 TTP 3 IOCs
Netartmedia Vlog System is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter in the forgotten_password module.
WWBN AVideo SQL Injection Vulnerability (CVE-2026-33723)
2 rules 1 TTP
WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.
WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)
2 rules 1 TTP
The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.
LiteLLM Proxy API Key Verification SQL Injection
2 rules 1 TTP
A SQL injection vulnerability exists in LiteLLM versions from 1.81.16 up to, but not including, 1.83.7, allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.
SourceCodester Hotel Management System SQL Injection Vulnerability
2 rules 1 TTP 1 CVE
A SQL injection vulnerability exists in SourceCodester Hotel Management System 1.0 in the /index.php/reservation/check component due to improper sanitization of the room_type parameter, allowing a remote attacker to execute arbitrary SQL commands.
NocoBase SQL Injection via Recursive Eager Loading
2 rules 4 TTPs
NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.