Joomla! Calendar Planner 1.0.1 SQL Injection (CVE-2017-20267)
[1 rule, 1 TTP] An unauthenticated attacker can exploit CVE-2017-20267, an SQL injection vulnerability in Joomla! Component Calendar Planner 1.0.1, by sending malicious GET requests to the 'events' view via the 'category_id' parameter, allowing for sensitive database information extraction.
Joomla SP Movie Database Unauthenticated SQL Injection (CVE-2017-20266)
[2 rules, 3 TTPs, 1 CVE] An SQL injection vulnerability, CVE-2017-20266, in Joomla SP Movie Database version 1.3 allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the `searchword` parameter in GET requests to the `searchresults` view, enabling extraction of sensitive database information.
Joomla! FocalPoint Pro/Free SQL Injection (CVE-2017-20263)
[1 rule, 3 TTPs, 1 CVE] An unauthenticated SQL injection vulnerability (CVE-2017-20263) in Joomla! Component FocalPoint Pro/Free version 1.2.3 allows attackers to execute arbitrary SQL queries via a crafted 'id' parameter in GET requests, leading to sensitive database information disclosure.
Joomla! User Bench Component SQL Injection (CVE-2017-20254)
[1 rule, 3 TTPs] An unauthenticated attacker can exploit CVE-2017-20254, an SQL injection vulnerability in the Joomla! Component User Bench 1.0, by sending crafted HTTP GET requests to extract sensitive database information including credentials and configuration data.
CVE-2017-20252: Joomla NextGen Editor SQL Injection
[2 rules, 4 TTPs] Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability (CVE-2017-20252) that allows unauthenticated attackers to execute arbitrary SQL commands through the `plname` parameter in crafted GET requests to `index.php?option=com_nge&view=config`, leading to the extraction of sensitive database information.
Multiple Vulnerabilities Discovered in SAP Products Including SQLi, XSS, and Policy Bypass
[2 rules, 5 TTPs, 5 CVEs] Multiple high-severity vulnerabilities discovered in various SAP products, including SQL injection (SQLi), remote indirect code injection (XSS), and security policy bypasses, could allow unauthenticated attackers to compromise sensitive enterprise systems by June 2026.
CVE-2018-25433 - Joomla JE Photo Gallery SQL Injection
[1 rule, 1 TTP, 1 CVE] Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability, tracked as CVE-2018-25433, allowing unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter.
GEO my WP WordPress Plugin SQL Injection Vulnerability (CVE-2026-9757)
[2 rules, 1 TTP, 1 CVE] The GEO my WP plugin for WordPress is vulnerable to SQL Injection (CVE-2026-9757) via the 'swlatlng' and 'nelatlng' parameters, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries into a BETWEEN clause.
SQL Injection Vulnerability in ezsystems ezpublish-legacy dfscleanup
[1 rule, 1 TTP] A SQL injection vulnerability exists in ezpublish-legacy, specifically in the dfscleanup.php script and the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class, allowing an attacker with local shell access to potentially expose sensitive data such as user credentials.
CVE-2026-7797: WordPress Simply Schedule Appointments Plugin Time-Based Blind SQL Injection
[2 rules, 1 TTP, 1 CVE] The Appointment Booking Calendar WordPress plugin is vulnerable to time-based blind SQL Injection (CVE-2026-7797) via the 'append_where_sql' parameter, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries through the /appointments/bulk REST endpoint with a specific request format.
WP Contact Form 7 DB Handler Plugin CSRF leading to Arbitrary File Deletion (CVE-2026-6455)
[2 rules, 3 TTPs, 1 CVE] The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), leading to arbitrary file deletion via SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization, allowing attackers to delete arbitrary files on the server.
OpenCATS 0.9.7.4 SQL Injection Vulnerability
[2 rules, 1 TTP] A SQL Injection vulnerability exists in OpenCATS 0.9.7.4, with a published exploit that allows for database version and user extraction on unpatched systems.
itsourcecode Courier Management System SQL Injection Vulnerability (CVE-2026-9606)
[2 rules, 1 TTP, 1 CVE] itsourcecode Courier Management System 1.0 is vulnerable to SQL injection (CVE-2026-9606) via the /manage_user.php file, allowing remote attackers to manipulate the ID argument and potentially execute arbitrary SQL commands.
itsourcecode Electronic Judging System 1.0 SQL Injection Vulnerability (CVE-2026-9528)
[2 rules, 1 TTP, 1 CVE] itsourcecode Electronic Judging System 1.0 is vulnerable to SQL injection via the judge_id parameter in /admin/delete_judge.php, allowing remote attackers to execute arbitrary SQL queries.
Joomla eXtroForms SQL Injection Vulnerability (CVE-2018-25380)
[2 rules, 1 TTP, 1 CVE] Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability (CVE-2018-25380) that allows authenticated attackers to execute arbitrary SQL commands via crafted POST requests, potentially leading to sensitive data exposure.
MooSocial Store Plugin 2.6 Blind SQL Injection Vulnerability (CVE-2018-25371)
[2 rules, 1 TTP, 1 CVE] MooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability, identified as CVE-2018-25371, allowing unauthenticated attackers to manipulate database queries via the 'product' parameter, potentially leading to sensitive data extraction.
WordPress Ultimate Form Builder Lite Plugin SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability (CVE-2018-25352) that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter, potentially leading to privilege escalation.
WordPress Contact Form Maker Plugin SQL Injection Vulnerability (CVE-2018-25347)
[2 rules, 1 TTP, 1 CVE] WordPress Contact Form Maker Plugin version 1.12.20 is vulnerable to SQL injection, enabling authenticated attackers to manipulate database queries via AJAX actions (FormMakerSQLMapping and generete_csv_fmc) by injecting malicious SQL code through the 'name' and 'search_labels' parameters, potentially extracting sensitive database information or escalating privileges.
WordPress Form Maker Plugin SQL Injection Vulnerability (CVE-2018-25346)
[2 rules, 1 TTP, 1 CVE] WordPress Form Maker Plugin version 1.12.24 and below is vulnerable to SQL injection, allowing authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv actions via crafted POST requests, potentially leading to data extraction, modification, or privilege escalation.
Multiple Vulnerabilities in Roundcube Webmail
[2 rules, 3 TTPs] Multiple vulnerabilities in Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1 could lead to remote code execution, data confidentiality breaches, data integrity breaches, SSRF, and SQL Injection.
Multiple Vulnerabilities in Roundcube Webmail
[2 rules, 3 TTPs] Multiple vulnerabilities in Roundcube Webmail allow an attacker to perform SQL injection attacks, bypass security measures, manipulate data, disclose confidential information, obtain extended privileges, execute arbitrary code, or perform cross-site scripting attacks.
YesWiki Unauthenticated SQL Injection Vulnerability
[2 rules, 1 TTP] YesWiki versions prior to 4.6.4 are vulnerable to an unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`), allowing an unauthenticated attacker to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password` hashes (CVE-2026-46670).
Actively Exploited Vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect
[2 rules, 3 TTPs, 5 CVEs] Multiple vulnerabilities, including a critical authentication bypass (CVE-2026-42097), affect Sparx Systems Pro Cloud Server and Enterprise Architect, potentially leading to remote code execution and data compromise; active exploitation is likely given available PoCs.
CVE-2026-9010 - WordPress Boost Plugin Time-Based SQL Injection
[1 rule, 1 TTP, 1 CVE] The Boost plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-9010) via the 'current_url' and 'user_name' parameters in versions up to 2.0.3, allowing unauthenticated attackers to extract sensitive information from the database due to insufficient input sanitization.
Creative Mail WordPress Plugin Vulnerable to SQL Injection (CVE-2026-3985)
[2 rules, 1 TTP, 1 CVE] The Creative Mail plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping of the 'checkout_uuid' parameter and lack of sufficient preparation on the SQL query in the `has_checkout_consent()` method, allowing unauthenticated attackers to extract sensitive information from the database.
LiteLLM SQL Injection Vulnerability (CVE-2025-45809)
[2 rules, 1 TTP, 1 IOC] A SQL Injection vulnerability (CVE-2025-45809) in LiteLLM versions prior to 1.81.0 allows unauthenticated attackers to potentially steal database contents and read server files via time-based blind SQL injection in the `/key/block` and `/key/unblock` endpoints.
Redaxo CMS MyEvents Addon SQL Injection Vulnerability (CVE-2018-25319)
[2 rules, 1 TTP, 1 CVE] Redaxo CMS Addon MyEvents version 2.2.1 contains an SQL injection vulnerability (CVE-2018-25319) that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter, enabling the extraction or modification of sensitive database information.
CVE-2020-37244: Supsystic Membership 1.4.7 Unauthenticated SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] Supsystic Membership version 1.4.7 is vulnerable to SQL injection (CVE-2020-37244), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters, potentially extracting sensitive database information.
PHP Timeclock 1.04 Unauthenticated SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] PHP Timeclock 1.04 is vulnerable to time-based and boolean-based blind SQL injection in the login_userid parameter of login.php, allowing unauthenticated attackers to extract sensitive database information by sending crafted POST requests with SQL payloads.
Multiple Vulnerabilities in PostgreSQL Allow for Remote Code Execution and Data Breach
[2 rules, 6 TTPs, 4 CVEs] Multiple vulnerabilities in PostgreSQL versions 14.x, 15.x, 16.x, 17.x and 18.x could allow for arbitrary code execution, remote denial of service, and data breach, potentially leading to complete system compromise.
CVE-2025-11024: Akilli Commerce E-Commerce Website Blind SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] CVE-2025-11024 is a critical SQL injection vulnerability affecting Akilli Commerce Software Technologies Ltd. Co.'s E-Commerce Website before version 4.5.001, allowing for blind SQL injection.
JoomSport WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-6929)
[2 rules, 1 TTP, 1 CVE] The JoomSport plugin for WordPress is vulnerable to time-based blind SQL Injection (CVE-2026-6929) via the 'sortf' parameter in versions up to 5.7.7, allowing unauthenticated attackers to extract sensitive information from the database.
Multiple Vulnerabilities in n8n Allow for Remote Code Execution and Data Manipulation
[2 rules, 7 TTPs] An authenticated, remote attacker can exploit multiple vulnerabilities in n8n to execute arbitrary code, bypass security measures, conduct SQL injection attacks, manipulate data, or disclose sensitive information.
Multiple Vulnerabilities in Centreon Products
[2 rules, 1 TTP, 1 IOC] Multiple vulnerabilities in Centreon products allow for remote code execution, SQL injection, and cross-site scripting.
AIWU WordPress Plugin Vulnerable to SQL Injection (CVE-2026-2993)
[2 rules, 1 TTP, 1 CVE] The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection (CVE-2026-2993) in versions up to 1.4.17, allowing unauthenticated attackers to extract sensitive information from the database.
SourceCodester SUP Online Shopping 1.0 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection via the msgid parameter in /admin/replymsg.php, allowing remote attackers to execute arbitrary SQL commands.
BetterDocs Pro Plugin SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions, allowing unauthenticated attackers to extract sensitive information from the database.
Ghost CMS 6.19.0 SQL Injection Vulnerability
[2 rules, 1 TTP] A SQL injection vulnerability exists in Ghost CMS 6.19.0, and a public exploit (EDB-52555) is available, increasing the risk to unpatched systems.
Daptin SQL Injection Vulnerability via Fuzzy Search
[2 rules, 4 TTPs] Daptin versions up to 0.11.4 are vulnerable to SQL injection, where an authenticated user can inject unvalidated column names into raw SQL via the `processFuzzySearch` function, allowing them to read the entire database.
Gravity Bookings Premium Plugin SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in versions up to 2.5.9, allowing unauthenticated attackers to extract sensitive information from the database.
WeePie Cookie Allow Plugin SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in versions up to 3.4.11, allowing unauthenticated attackers to extract sensitive information from the database.
Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)
[2 rules, 1 TTP, 1 CVE] The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.
Sunnet CTMS SQL Injection Vulnerability (CVE-2026-7489)
[2 rules, 1 TTP, 1 CVE] Sunnet CTMS is vulnerable to SQL injection (CVE-2026-7489), allowing authenticated remote attackers to execute arbitrary SQL commands and compromise the database.
SourceCodester Advanced School Management System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] A SQL injection vulnerability (CVE-2026-7545) exists in SourceCodester Advanced School Management System 1.0 within the checkEmail endpoint of commonController.php, allowing remote attackers to potentially execute arbitrary SQL commands.
SSCMS v7.4.0 SQL Injection Vulnerability in stl:sqlContent Tag
[2 rules, 1 TTP, 1 CVE] SSCMS v7.4.0 is vulnerable to SQL injection via the stl:sqlContent tag's queryString attribute, allowing attackers to execute arbitrary SQL statements through crafted payloads submitted to the /api/stl/actions/dynamic endpoint.
Multiple Vulnerabilities in MISP Threat Intelligence Platform
[2 rules, 1 TTP] Multiple vulnerabilities in MISP versions prior to 2.5.37 allow attackers to perform privilege escalation, SQL injection (SQLi), and security policy bypass.
ProFTPD SQL Injection Vulnerability
[2 rules, 1 TTP] An anonymous remote attacker can exploit a SQL injection vulnerability in ProFTPD.
SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] A remote SQL injection vulnerability exists in SourceCodester Pharmacy Sales and Inventory System 1.0 via manipulation of the ID parameter in the /ajax.php?action=delete_category endpoint, potentially leading to unauthorized data access or modification.
SourceCodester Pharmacy Sales and Inventory System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] SourceCodester Pharmacy Sales and Inventory System 1.0 is vulnerable to SQL injection by manipulating the ID argument in the /ajax.php?action=save_receiving file, allowing remote attackers to execute arbitrary SQL commands.
code-projects Employee Management System SQL Injection Vulnerability (CVE-2026-7063)
[2 rules, 1 TTP, 1 CVE] CVE-2026-7063 is a SQL Injection vulnerability in code-projects Employee Management System 1.0 via the 'pwd' parameter in /370project/process/eprocess.php, enabling remote attackers to execute arbitrary SQL commands.
Multiple Vulnerabilities in n8n Workflow Automation Tool
[3 rules, 5 TTPs, 1 CVE] Multiple vulnerabilities in n8n can be exploited by an attacker to execute arbitrary code, bypass security measures, disclose sensitive information, conduct SQL injection attacks, cause denial-of-service, perform cross-site scripting, redirect users, or hijack sessions.
Dagster SQL Injection Vulnerability in Dynamic Partition Keys
[2 rules, 6 TTPs] A SQL injection vulnerability exists in Dagster's DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers, where a user with 'Add Dynamic Partitions' permission can inject arbitrary SQL due to improper escaping of dynamic partition key values, leading to unauthorized data access or modification.
ManageEngine PAM360 and Password Manager Pro Authenticated SQL Injection Vulnerability (CVE-2026-5785)
[2 rules, 4 TTPs, 1 CVE] An authenticated SQL injection vulnerability (CVE-2026-5785) in the query report module of Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 allows attackers with low privileges to potentially read or modify sensitive database information.
Riaxe Product Customizer WordPress Plugin SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.
manikandan580 School-management-system SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] A time-based blind SQL injection vulnerability in manikandan580 School-management-system 1.0 allows unauthenticated attackers to potentially execute arbitrary SQL queries and gain unauthorized access to sensitive information.
Fortinet FortiDDoS-F SQL Injection Vulnerability (CVE-2026-39815)
[2 rules, 3 TTPs, 1 CVE] An SQL injection vulnerability (CVE-2026-39815) in Fortinet FortiDDoS-F versions 7.2.1 through 7.2.2 may allow a low-privilege attacker to execute unauthorized code or commands.
PHPGurukul Daily Expense Tracking System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] A remote SQL injection vulnerability exists in PHPGurukul Daily Expense Tracking System 1.1 within the /register.php file, where manipulation of the email argument allows for arbitrary SQL command execution; a public exploit is available.
SQL Injection Vulnerability in Simple Content Management System 1.0
[2 rules, 1 TTP, 1 CVE, 1 IOC] A remote SQL injection vulnerability exists in code-projects Simple Content Management System 1.0, specifically affecting the /web/admin/login.php file where manipulation of the 'User' argument allows unauthenticated attackers to execute arbitrary SQL queries.
SQL Injection Vulnerability in Vehicle Showroom Management System 1.0
[2 rules, 1 TTP, 1 CVE] A remote attacker can exploit an SQL injection vulnerability (CVE-2026-6165) in code-projects Vehicle Showroom Management System 1.0 by manipulating the ID parameter in /util/Login_check.php, potentially leading to unauthorized data access and modification.
Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] Dolibarr ERP-CRM 8.0.4 is vulnerable to SQL injection via the rowid parameter in the admin dict.php endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive database information.
ImpressCMS 1.3.11 Time-Based Blind SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE, 1 IOC] ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability allowing authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter via POST requests to the admin.php endpoint.
CMSsite 1.0 SQL Injection Vulnerability (CVE-2019-25697)
[2 rules, 2 TTPs, 1 CVE] CMSsite 1.0 is vulnerable to unauthenticated SQL injection (CVE-2019-25697) via the cat_id parameter in category.php, allowing attackers to extract sensitive database information.
SQL Injection Vulnerability in Vehicle Showroom Management System 1.0 (CVE-2026-6036)
[2 rules, 2 TTPs, 1 CVE] A remote SQL injection vulnerability (CVE-2026-6036) exists in the Vehicle Showroom Management System 1.0 due to improper sanitization of the VEHICLE_ID parameter in /util/VehicleDetailsFunction.php, potentially allowing attackers to execute arbitrary SQL commands.
Simple IT Discussion Forum SQL Injection Vulnerability (CVE-2026-5827)
[2 rules, 1 TTP, 1 CVE] CVE-2026-5827 is a SQL injection vulnerability in code-projects Simple IT Discussion Forum 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'content' argument in /question-function.php.
WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)
[2 rules, 1 TTP, 1 CVE] The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.
code-projects Online FIR System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE, 1 IOC] A SQL injection vulnerability in code-projects Online FIR System 1.0 allows remote attackers to execute arbitrary SQL commands by manipulating the email or password parameters in the /Login/checklogin.php file.
GLPI SQL Injection Vulnerability (CVE-2026-29047)
[2 rules, 1 TTP, 1 CVE] GLPI versions 10.0.0 before 10.0.24 and 11.0.6 are vulnerable to SQL Injection (CVE-2026-29047) via the logs export feature, allowing authenticated users to potentially execute arbitrary SQL commands.
SQL Injection Vulnerability in Car Rental Project 1.0 (CVE-2026-5634)
[2 rules, 1 TTP, 1 CVE] A remote SQL injection vulnerability (CVE-2026-5634) exists in projectworlds Car Rental Project 1.0 via the fname parameter in /book_car.php, allowing unauthenticated attackers to potentially read, modify, or delete database information.
Kados R10 GreenBee SQL Injection Vulnerability (CVE-2019-25692)
[2 rules, 1 TTP, 1 CVE] Kados R10 GreenBee is vulnerable to SQL injection via the 'id_to_modify' parameter, enabling attackers to manipulate database queries and potentially extract or modify sensitive data.
OpenDocMan 1.3.4 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] OpenDocMan version 1.3.4 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries via the 'where' parameter in search.php to extract sensitive information.
Advance Gift Shop Pro Script 2.0.3 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] Advance Gift Shop Pro Script 2.0.3 is vulnerable to SQL injection via the 's' search parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information.
eDirectory SQL Injection Vulnerability (CVE-2019-25675)
[2 rules, 2 TTPs, 1 CVE] Unauthenticated attackers can exploit SQL injection vulnerabilities in eDirectory (CVE-2019-25675) to bypass administrator authentication and disclose sensitive files.
PilusCart 1.4.1 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] PilusCart 1.4.1 is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter to extract sensitive database information.
News Website Script 2.0.5 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] News Website Script 2.0.5 contains an SQL injection vulnerability (CVE-2019-25668) allowing unauthenticated attackers to extract sensitive information by injecting SQL code through the news ID parameter in GET requests.
ResourceSpace 8.6 SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] ResourceSpace 8.6 is vulnerable to SQL injection, allowing unauthenticated attackers to execute arbitrary SQL queries via the 'ref' parameter in GET requests to the watched_searches.php endpoint, leading to sensitive data extraction.
OpenProject SQL Injection Vulnerability (CVE-2026-34717)
[2 rules, 1 TTP, 1 CVE] OpenProject versions before 17.2.3 are susceptible to SQL injection due to improper input sanitization in the '=n' operator, potentially allowing remote attackers to execute arbitrary SQL commands.
OpenSTAManager Time-Based Blind SQL Injection Vulnerability
[2 rules, 1 TTP] OpenSTAManager versions before 2.10.2 are susceptible to time-based blind SQL injection via the 'options[stato]' GET parameter, allowing authenticated attackers to extract sensitive database information.
code-projects Accounting System 1.0 SQL Injection Vulnerability (CVE-2026-5034)
[2 rules, 1 TTP] A remote SQL injection vulnerability exists in code-projects Accounting System 1.0 via manipulation of the 'cos_id' parameter in '/edit_costumer.php', potentially allowing unauthorized database access.
Group-Office JMAP Contact/Query SQL Injection Vulnerability
[2 rules, 3 TTPs] An authenticated SQL Injection vulnerability in Group-Office's JMAP Contact/query endpoint allows data extraction, including session tokens, leading to account takeover if unpatched.
Critical Vulnerabilities in n8n Workflow Automation Tool
[3 rules, 2 TTPs] Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.
KomSeo Cart 1.3 SQL Injection Vulnerability
[2 rules, 1 TTP] KomSeo Cart 1.3 is vulnerable to SQL injection via the 'my_item_search' parameter in edit.php, allowing attackers to inject SQL commands and extract sensitive database information.
Wecodex Hotel CMS 1.0 SQL Injection Vulnerability
[2 rules, 1 TTP] Wecodex Hotel CMS 1.0 is vulnerable to SQL injection in the admin login functionality, allowing unauthenticated attackers to bypass authentication and potentially extract sensitive database information or gain administrative access by injecting SQL code through the username parameter in POST requests to index.php with action=processlogin.
SQL Injection Vulnerability in Simple Laundry System 1.0
[2 rules, 1 TTP] A remote SQL Injection vulnerability exists in code-projects Simple Laundry System 1.0 within the Parameter Handler component's /checkregisitem.php file, where manipulating the Long-arm-shirtVol argument can trigger the injection; a public exploit is available.
SQL Injection Vulnerability in itsourcecode Online Enrollment System 1.0
[2 rules, 1 TTP] A remote SQL injection vulnerability exists in itsourcecode Online Enrollment System 1.0 within the Parameter Handler component, affecting the `/sms/grades/index.php` file and allowing unauthorized database access; the vulnerability has been publicly disclosed.
SourceCodester Malawi Online Market SQL Injection Vulnerability (CVE-2026-4838)
[2 rules, 1 TTP] A remote SQL injection vulnerability (CVE-2026-4838) exists in the /display.php file of SourceCodester Malawi Online Market 1.0 due to improper input sanitization of the ID parameter, potentially allowing attackers to execute arbitrary SQL queries.
OpenEMR Blind SQL Injection Vulnerability in Patient Search (CVE-2026-29187)
[2 rules, 1 TTP] OpenEMR versions prior to 8.0.0.3 are susceptible to a blind SQL injection vulnerability in the Patient Search functionality, allowing authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys.
Netartmedia Vlog System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 IOC] Netartmedia Vlog System is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter in the forgotten_password module.
WWBN AVideo SQL Injection Vulnerability (CVE-2026-33723)
[2 rules, 1 TTP] WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.
WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)
[2 rules, 1 TTP] The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.
LiteLLM Proxy API Key Verification SQL Injection
[2 rules, 1 TTP] A SQL injection vulnerability exists in LiteLLM versions from 1.81.16 up to, but not including, 1.83.7, allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.
SourceCodester Hotel Management System SQL Injection Vulnerability
[2 rules, 1 TTP, 1 CVE] A SQL injection vulnerability exists in SourceCodester Hotel Management System 1.0 in the /index.php/reservation/check component due to improper sanitization of the room_type parameter, allowing a remote attacker to execute arbitrary SQL commands.
NocoBase SQL Injection via Recursive Eager Loading
[2 rules, 4 TTPs] NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.
GeekyBot WordPress Plugin Vulnerable to SQL Injection
[2 rules, 1 TTP, 1 CVE] The GeekyBot WordPress plugin is vulnerable to SQL Injection, allowing unauthenticated attackers to extract sensitive information from the database by manipulating the 'attributekey' parameter.