SQLi
Monthly
SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.
SQL injection in EDocman, the Joomla download/document manager extension by Joomdonation, allows remote unauthenticated attackers to inject arbitrary SQL through the extension's request handling (CWE-89). The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, meaning database contents can be extracted directly over the network. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal was provided.
SQL injection in MetaGuru's HCM (Human Capital Management) platform lets authenticated remote attackers inject malicious SQL through specific request parameters, yielding full read/write control over the backing database and its confidentiality, integrity, and availability. The flaw was reported by TWCERT (Taiwan CERT) and carries a CVSS 4.0 base score of 8.7; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because valid low-privilege credentials are required (PR:L), risk concentrates in environments where accounts are broadly provisioned or credentials can be phished/reused.
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).
Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). There is no public exploit identified at time of analysis, though the vendor's fix PR (#6020) ships an integration test containing a working injection payload; not listed in CISA KEV.
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; the upstream fix landed in PR #5980, which introduces a configurable InputValidator/validation-profile framework.
UNION-based SQL injection in the Quotes Llama WordPress plugin (all versions before 3.1.6) lets unauthenticated remote attackers inject arbitrary SQL through an unsanitized request parameter and read any data from the WordPress database, including user password hashes. Publicly available exploit code exists and a vendor patch has been released; the flaw carries a high EPSS-relevant profile because it is remotely reachable with no authentication or user interaction. This is no public exploit identified as actively exploited (not in CISA KEV), but working PoC availability makes opportunistic mass-scanning likely.
SQL injection in the web management interface of multiple ASUS router models enables a remotely authenticated, high-privilege user to exfiltrate confidential information by sending crafted requests that bypass the router's existing input validation. The vulnerability is limited to read-only data disclosure (no integrity or availability impact) and requires prior administrative authentication, significantly constraining real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 reflects the high complexity and authentication prerequisites.
SQL injection in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows an authenticated attacker to inject crafted SQL and achieve arbitrary code execution in the context of the current user without any user interaction. The flaw carries a critical 9.9 CVSS with a changed scope, meaning impact extends beyond the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the total technical impact and low attack complexity make it a high-priority patch for internet-facing ColdFusion servers.
SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows a high-privileged authenticated attacker to inject malicious SQL that can escalate to arbitrary code execution in the context of the current user, enabling account/session takeover. The flaw (CWE-89) is network-reachable and requires no user interaction, but demands existing high privileges per the CVSS PR:H metric. No public exploit is identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.
Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted SQL commands over the network and gain higher database privileges (CVSS 8.8). The flaw is a classic improper neutralization of special elements (CWE-89) reachable by any principal already holding low-level database access. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, though a vendor patch is available.
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user to escalate their privileges by injecting crafted special elements into an SQL command. Microsoft has released a fix and reported the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires existing low-level access, the realistic threat is an insider or a compromised low-privilege account pivoting to higher database privileges.
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
SQL injection and local file disclosure in Snowflake SQLAlchemy before 1.11.0 lets an authenticated application user abuse three distinct weaknesses: unsanitized column identifiers in MERGE/upsert operations, improper literal rendering of bound parameters in Snowflake-specific table-creation queries, and unsafe forwarding of connection parameters that can be coerced into reading arbitrary local files. Any application built on this dialect that passes user-controlled keys, strings, or connection settings into the affected APIs can leak or modify data within the connection role's scope and, in some deployments, exfiltrate local files to an attacker endpoint. No public exploit identified at time of analysis; the issues are reported by the vendor (Snowflake) and fixed in 1.11.0.
SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.
SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged authenticated attacker to execute crafted database queries, exposing backend database contents. The vulnerability is reachable over the network but requires both high attack complexity and high privilege level, significantly constraining the realistic attacker pool. No public exploit or active exploitation has been identified at time of analysis, and the CVSS base score of 5.5 reflects these mitigating factors despite the potential for database exposure.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.
Remote code execution in DIRAC (Distributed Infrastructure with Remote Agent Control) grid middleware lets any authenticated user run arbitrary commands on the server through the FileCatalog DatasetManager. A SQL injection (CWE-89) in the checkDataset code path lets the attacker control a value that is fed directly into a Python eval(), turning a data-layer flaw into full server compromise. Rated CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); no public exploit identified at time of analysis, though the vendor advisory names the exact vulnerable source lines.
Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.
Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. No public exploit identified at time of analysis and the issue is not on CISA KEV, but its high CVSS (9.3) and the fact that it was catalogued by Patchstack make it a credible risk for exposed WordPress sites.
Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.
Authenticated blind SQL injection in the CreativeWS CWS SVGicons WordPress plugin (all versions up to and including 1.5.5) allows a low-privileged authenticated user to inject crafted SQL into a database query, per a Patchstack advisory. Because the CVSS vector reports a scope change with high confidentiality impact, a successful attack can read data beyond the plugin's own tables, exposing the broader WordPress database. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.
Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.
Blind SQL injection in the GD Rating System WordPress plugin (versions up to and including 3.7) allows authenticated attackers to inject arbitrary SQL into backend database queries. Because the CVSS vector shows PR:L, a low-privileged authenticated user can extract sensitive database contents (CVSS 8.5, scope-changed). No public exploit identified at time of analysis; the flaw was reported by Patchstack via its coordinated disclosure database.
Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.
Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
SQL injection in QuantumCloud's Simple Business Directory Pro WordPress plugin (all versions through 15.9.4) allows remote attackers to inject crafted SQL into backend database queries, enabling extraction of sensitive data such as user credentials and stored directory records. Patchstack rates it critical (CVSS 9.3) with a network attack vector and no authentication indicated in the supplied vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high score and scope-change flag make it a priority for any site running this plugin.
Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.
Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.
SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.
SQL injection in Jinher OA 1.0 exposes the PlanGiveOut.aspx endpoint to remote unauthenticated exploitation via the unsanitized `httpOID` parameter, enabling database enumeration, data exfiltration, and record manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites beyond network access. A public proof-of-concept exploit has been published on GitHub (CVE-2026-15517 issue tracker), the vendor did not respond to coordinated disclosure, and no patch exists at time of analysis.
SQL injection in Metasoft (美特软件) MetaCRM up to version 6.4.0 Beta06 enables unauthenticated remote attackers to manipulate the `phprpc_args` parameter passed to the `RPCService.query` function at the PHPRPC Remote Call Interface endpoint `/customizemt/xkq/rpc.jsp`, potentially reading, altering, or deleting database contents. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction from any network-reachable position. Publicly available exploit code exists (confirmed by E:P in the CVSS 4.0 supplemental metrics), though this CVE is not currently listed in CISA KEV; the vendor did not respond to disclosure, leaving no official patch available.
SQL injection in Shenzhou Shihan Video Conference System v1.0 lets a remote, unauthenticated attacker inject arbitrary SQL through the /user/getUserLogin endpoint, enabling full database compromise and, per the MITRE report, arbitrary code execution. The flaw is network-reachable against default installs with no authentication or user interaction (CVSS 9.8). No CISA KEV listing exists and EPSS is low (0.27%, 18th percentile); disclosure references (a GitHub CVE issue and a cnblogs write-up) suggest public exploitation details circulate, though weaponized exploit code was not independently confirmed in this analysis.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.
SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.
SQL injection in IceHRM 35.0.1 and earlier allows authenticated remote attackers to manipulate backend database queries via the `employeeList` parameter in the EmployeeAttendanceReport PHP component, yielding partial confidentiality, integrity, and availability impact. A public proof-of-concept is available via a GitHub issue report, and the IceHRM project has not responded to the disclosure, leaving no vendor patch available. No CISA KEV listing exists, so widespread active exploitation at scale is unconfirmed, but the public PoC and unpatched status materially elevate practical risk for any organization running this software.
SQL injection in Bahmni bahmnicore up to version 0.93 allows low-privileged authenticated remote attackers to manipulate backend database queries via the additionalParams argument at the /openmrs/ws/rest/v1/bahmnicore/sql Search Endpoint. Public exploit code exists (confirmed by E:P in CVSS 4.0 supplemental metrics and the CVE description), lowering the bar for exploitation to any user with valid application credentials. Fixed versions spanning all active release branches (0.93.1 through 2.0.1) were released July 2026, and organizations running affected versions in healthcare environments should prioritize patching given the sensitivity of stored patient and clinical data.
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who controls the create_collection() dimension argument to inject arbitrary database tokens. Although the code validates schema, keyspace, and collection-name identifiers, the dimension value - typed as int but never enforced at runtime - is string-interpolated directly into the vector column of the generated CREATE TABLE DDL, so a payload like '3); DROP TABLE tenant_secrets; --' executes against the backing database. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.
Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reachable and reported by Wordfence.
Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.
Unauthenticated SQL injection in the Booking Package WordPress plugin (versions up to and including 1.7.20, by developer masaakitanaka) lets remote attackers append SQL to an existing query via the 'email' form parameter on the /wp-json/booking-package/v1/request REST endpoint, enabling extraction of sensitive database contents. The endpoint is registered with permission_callback __return_true and REST-sourced $_POST values bypass wp_magic_quotes, so single quotes reach the SQL sink without authentication. Exploitability is severely constrained because the parameter is filtered through WordPress's is_email() before use, and there is no public exploit identified at time of analysis.
SQL injection in KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress (all versions through 4.5.0) allows authenticated attackers with doctor-level or equivalent access to exfiltrate arbitrary database contents via a manipulated 'orderby' parameter. The flaw exists in DoctorSessionController.php and the KCQueryBuilder base class, where ORDER BY clause inputs are neither escaped nor parameterized, enabling appended SQL to traverse the entire WordPress database - including patient records, credentials, and clinical data. No public exploit code or active exploitation has been identified at time of analysis, though Wordfence has disclosed the vulnerability with source code references.
SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial nonce-acquisition path (create a ticket, visit the result page) means any user permitted to submit support requests can exploit this on unpatched deployments. Version 1.2.0 appears to resolve the issue based on source code changes in the referenced repository tags.
SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS data was not provided, but the authenticated-only prerequisite and niche deployment footprint materially limit real-world impact.
SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.19% (9th percentile), indicating little near-term mass-exploitation pressure.
SQL injection in the Drupal Geolocation Field contributed module exposes sites to unauthenticated database read and partial write access across all module versions prior to 3.15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it remotely triggerable against any publicly reachable Drupal installation running the affected module. Impact is bounded by C:L/I:L/A:N - partial data disclosure and modification without availability disruption or full database takeover. No active exploitation has been confirmed (no CISA KEV listing), and EPSS sits at a low 0.16% (5th percentile), indicating minimal current attacker interest. A vendor patch is available.
Frappe framework's check_safe_sql_query function fails to block SELECT INTO OUTFILE statements, allowing authenticated low-privileged users to write arbitrary files to the server filesystem on self-hosted MySQL deployments where the database user holds the MySQL FILE privilege. Affected branches are v15 prior to 15.108.0 and v16 prior to 16.18.3; fixes are released at both version targets. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, with a CVSS 4.0 base score of 2.3 reflecting the narrow, non-default exploitation conditions captured by AT:P.
SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. No public exploit has been identified at time of analysis, and the fix was released in version 1.27.0.
Authenticated SQL injection in the GLPI DataInjection plugin 2.15.6 (GLPI 11 builds) lets an operator with access to the Data injection feature smuggle SQL into the database by placing expressions in CSV field values, which the import routine concatenates directly into queries without parameterization or escaping (CWE-89). By mapping a payload such as SLEEP() to a field like Serial Number, an attacker performs time-based blind extraction of arbitrary database contents. Reported by VulnCheck and fixed in version 2.15.7; it is not on CISA KEV and no public exploit was identified at time of analysis.
SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute arbitrary SQL against the underlying ClickHouse database by passing unsanitized search parameters into the search_by_full_text method. Because those parameters are concatenated into the query without escaping or parameterization, an attacker can read, modify, or delete stored vector-store data. Publicly available exploit code exists (VulnCheck advisory and GitHub issue #38281) and a vendor patch is available; there is no confirmation of active in-the-wild exploitation.
SQL injection in Semtek SEM-PMP through build 23042026 allows remote attackers to inject arbitrary SQL and, per the vendor description, escalate to operating-system command execution through the database layer. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating and is reachable over the network without authentication or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the combination of unauthenticated network reach and command-execution impact makes it a high-priority patching target.
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV; fixed in Coturn 4.12.0.
SQL injection in Adam Retail Automation's MobilMen 20T retail-automation software (versions v3 through build 10072026) lets remote attackers inject arbitrary SQL through improperly neutralized input, yielding full read/write access to the backing database. Rated CVSS 9.8 by TR-CERT with an unauthenticated network-reachable vector, though no public exploit has been identified and it is not on CISA KEV. The vendor was contacted but did not respond, so no fix is available.
SQL injection in the Grav CMS Database plugin (grav-plugin-database) prior to 1.2.0 lets attacker-controlled table names reach a raw SQL query. The PDO::tableExists method interpolates its table argument directly into a query with no sanitization, escaping, quoting, or whitelisting, so any consuming plugin or developer code that forwards untrusted input into that method can execute arbitrary SQL against the configured database. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 9.2, with an attack-requirement (AT:P) reflecting the dependency on downstream code passing tainted table names.
SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.
SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.
Time-based SQL injection in the JoomSport WordPress plugin (all versions through 5.7.9) enables authenticated contributors to exfiltrate sensitive database contents via unsanitized 'event' shortcode attributes. The flaw exists in at least two code paths - joomsport-shortcodes.php and class-jsport-getplayers.php - where user-supplied shortcode parameters are interpolated into SQL queries without parameterization or adequate escaping. Because WordPress Contributor-level users can embed shortcodes in posts and pages, the effective attacker pool includes any registered user granted that role, broadening realistic exposure beyond typical authenticated-only flaws. No public exploit code or CISA KEV listing identified at time of analysis, but a patch commit (changeset 3594276) is referenced in the plugin repository.
Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. No public exploit or CISA KEV listing has been identified at time of analysis; real-world risk is moderated by the required administrator-level authentication.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.
SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.
Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.
Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.
Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.
Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.
SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.
Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.
Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.
SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.
SQL injection in EDocman, the Joomla download/document manager extension by Joomdonation, allows remote unauthenticated attackers to inject arbitrary SQL through the extension's request handling (CWE-89). The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, meaning database contents can be extracted directly over the network. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal was provided.
SQL injection in MetaGuru's HCM (Human Capital Management) platform lets authenticated remote attackers inject malicious SQL through specific request parameters, yielding full read/write control over the backing database and its confidentiality, integrity, and availability. The flaw was reported by TWCERT (Taiwan CERT) and carries a CVSS 4.0 base score of 8.7; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because valid low-privilege credentials are required (PR:L), risk concentrates in environments where accounts are broadly provisioned or credentials can be phished/reused.
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).
Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). There is no public exploit identified at time of analysis, though the vendor's fix PR (#6020) ships an integration test containing a working injection payload; not listed in CISA KEV.
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; the upstream fix landed in PR #5980, which introduces a configurable InputValidator/validation-profile framework.
UNION-based SQL injection in the Quotes Llama WordPress plugin (all versions before 3.1.6) lets unauthenticated remote attackers inject arbitrary SQL through an unsanitized request parameter and read any data from the WordPress database, including user password hashes. Publicly available exploit code exists and a vendor patch has been released; the flaw carries a high EPSS-relevant profile because it is remotely reachable with no authentication or user interaction. This is no public exploit identified as actively exploited (not in CISA KEV), but working PoC availability makes opportunistic mass-scanning likely.
SQL injection in the web management interface of multiple ASUS router models enables a remotely authenticated, high-privilege user to exfiltrate confidential information by sending crafted requests that bypass the router's existing input validation. The vulnerability is limited to read-only data disclosure (no integrity or availability impact) and requires prior administrative authentication, significantly constraining real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 reflects the high complexity and authentication prerequisites.
SQL injection in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows an authenticated attacker to inject crafted SQL and achieve arbitrary code execution in the context of the current user without any user interaction. The flaw carries a critical 9.9 CVSS with a changed scope, meaning impact extends beyond the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the total technical impact and low attack complexity make it a high-priority patch for internet-facing ColdFusion servers.
SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows a high-privileged authenticated attacker to inject malicious SQL that can escalate to arbitrary code execution in the context of the current user, enabling account/session takeover. The flaw (CWE-89) is network-reachable and requires no user interaction, but demands existing high privileges per the CVSS PR:H metric. No public exploit is identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.
Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted SQL commands over the network and gain higher database privileges (CVSS 8.8). The flaw is a classic improper neutralization of special elements (CWE-89) reachable by any principal already holding low-level database access. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, though a vendor patch is available.
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user to escalate their privileges by injecting crafted special elements into an SQL command. Microsoft has released a fix and reported the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires existing low-level access, the realistic threat is an insider or a compromised low-privilege account pivoting to higher database privileges.
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
SQL injection and local file disclosure in Snowflake SQLAlchemy before 1.11.0 lets an authenticated application user abuse three distinct weaknesses: unsanitized column identifiers in MERGE/upsert operations, improper literal rendering of bound parameters in Snowflake-specific table-creation queries, and unsafe forwarding of connection parameters that can be coerced into reading arbitrary local files. Any application built on this dialect that passes user-controlled keys, strings, or connection settings into the affected APIs can leak or modify data within the connection role's scope and, in some deployments, exfiltrate local files to an attacker endpoint. No public exploit identified at time of analysis; the issues are reported by the vendor (Snowflake) and fixed in 1.11.0.
SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.
SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged authenticated attacker to execute crafted database queries, exposing backend database contents. The vulnerability is reachable over the network but requires both high attack complexity and high privilege level, significantly constraining the realistic attacker pool. No public exploit or active exploitation has been identified at time of analysis, and the CVSS base score of 5.5 reflects these mitigating factors despite the potential for database exposure.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.
Remote code execution in DIRAC (Distributed Infrastructure with Remote Agent Control) grid middleware lets any authenticated user run arbitrary commands on the server through the FileCatalog DatasetManager. A SQL injection (CWE-89) in the checkDataset code path lets the attacker control a value that is fed directly into a Python eval(), turning a data-layer flaw into full server compromise. Rated CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); no public exploit identified at time of analysis, though the vendor advisory names the exact vulnerable source lines.
Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.
Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. No public exploit identified at time of analysis and the issue is not on CISA KEV, but its high CVSS (9.3) and the fact that it was catalogued by Patchstack make it a credible risk for exposed WordPress sites.
Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.
Authenticated blind SQL injection in the CreativeWS CWS SVGicons WordPress plugin (all versions up to and including 1.5.5) allows a low-privileged authenticated user to inject crafted SQL into a database query, per a Patchstack advisory. Because the CVSS vector reports a scope change with high confidentiality impact, a successful attack can read data beyond the plugin's own tables, exposing the broader WordPress database. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.
Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.
Blind SQL injection in the GD Rating System WordPress plugin (versions up to and including 3.7) allows authenticated attackers to inject arbitrary SQL into backend database queries. Because the CVSS vector shows PR:L, a low-privileged authenticated user can extract sensitive database contents (CVSS 8.5, scope-changed). No public exploit identified at time of analysis; the flaw was reported by Patchstack via its coordinated disclosure database.
Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.
Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
SQL injection in QuantumCloud's Simple Business Directory Pro WordPress plugin (all versions through 15.9.4) allows remote attackers to inject crafted SQL into backend database queries, enabling extraction of sensitive data such as user credentials and stored directory records. Patchstack rates it critical (CVSS 9.3) with a network attack vector and no authentication indicated in the supplied vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high score and scope-change flag make it a priority for any site running this plugin.
Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.
Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.
SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.
SQL injection in Jinher OA 1.0 exposes the PlanGiveOut.aspx endpoint to remote unauthenticated exploitation via the unsanitized `httpOID` parameter, enabling database enumeration, data exfiltration, and record manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites beyond network access. A public proof-of-concept exploit has been published on GitHub (CVE-2026-15517 issue tracker), the vendor did not respond to coordinated disclosure, and no patch exists at time of analysis.
SQL injection in Metasoft (美特软件) MetaCRM up to version 6.4.0 Beta06 enables unauthenticated remote attackers to manipulate the `phprpc_args` parameter passed to the `RPCService.query` function at the PHPRPC Remote Call Interface endpoint `/customizemt/xkq/rpc.jsp`, potentially reading, altering, or deleting database contents. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction from any network-reachable position. Publicly available exploit code exists (confirmed by E:P in the CVSS 4.0 supplemental metrics), though this CVE is not currently listed in CISA KEV; the vendor did not respond to disclosure, leaving no official patch available.
SQL injection in Shenzhou Shihan Video Conference System v1.0 lets a remote, unauthenticated attacker inject arbitrary SQL through the /user/getUserLogin endpoint, enabling full database compromise and, per the MITRE report, arbitrary code execution. The flaw is network-reachable against default installs with no authentication or user interaction (CVSS 9.8). No CISA KEV listing exists and EPSS is low (0.27%, 18th percentile); disclosure references (a GitHub CVE issue and a cnblogs write-up) suggest public exploitation details circulate, though weaponized exploit code was not independently confirmed in this analysis.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.
SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.
SQL injection in IceHRM 35.0.1 and earlier allows authenticated remote attackers to manipulate backend database queries via the `employeeList` parameter in the EmployeeAttendanceReport PHP component, yielding partial confidentiality, integrity, and availability impact. A public proof-of-concept is available via a GitHub issue report, and the IceHRM project has not responded to the disclosure, leaving no vendor patch available. No CISA KEV listing exists, so widespread active exploitation at scale is unconfirmed, but the public PoC and unpatched status materially elevate practical risk for any organization running this software.
SQL injection in Bahmni bahmnicore up to version 0.93 allows low-privileged authenticated remote attackers to manipulate backend database queries via the additionalParams argument at the /openmrs/ws/rest/v1/bahmnicore/sql Search Endpoint. Public exploit code exists (confirmed by E:P in CVSS 4.0 supplemental metrics and the CVE description), lowering the bar for exploitation to any user with valid application credentials. Fixed versions spanning all active release branches (0.93.1 through 2.0.1) were released July 2026, and organizations running affected versions in healthcare environments should prioritize patching given the sensitivity of stored patient and clinical data.
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who controls the create_collection() dimension argument to inject arbitrary database tokens. Although the code validates schema, keyspace, and collection-name identifiers, the dimension value - typed as int but never enforced at runtime - is string-interpolated directly into the vector column of the generated CREATE TABLE DDL, so a payload like '3); DROP TABLE tenant_secrets; --' executes against the backing database. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.
Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reachable and reported by Wordfence.
Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.
Unauthenticated SQL injection in the Booking Package WordPress plugin (versions up to and including 1.7.20, by developer masaakitanaka) lets remote attackers append SQL to an existing query via the 'email' form parameter on the /wp-json/booking-package/v1/request REST endpoint, enabling extraction of sensitive database contents. The endpoint is registered with permission_callback __return_true and REST-sourced $_POST values bypass wp_magic_quotes, so single quotes reach the SQL sink without authentication. Exploitability is severely constrained because the parameter is filtered through WordPress's is_email() before use, and there is no public exploit identified at time of analysis.
SQL injection in KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress (all versions through 4.5.0) allows authenticated attackers with doctor-level or equivalent access to exfiltrate arbitrary database contents via a manipulated 'orderby' parameter. The flaw exists in DoctorSessionController.php and the KCQueryBuilder base class, where ORDER BY clause inputs are neither escaped nor parameterized, enabling appended SQL to traverse the entire WordPress database - including patient records, credentials, and clinical data. No public exploit code or active exploitation has been identified at time of analysis, though Wordfence has disclosed the vulnerability with source code references.
SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial nonce-acquisition path (create a ticket, visit the result page) means any user permitted to submit support requests can exploit this on unpatched deployments. Version 1.2.0 appears to resolve the issue based on source code changes in the referenced repository tags.
SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS data was not provided, but the authenticated-only prerequisite and niche deployment footprint materially limit real-world impact.
SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.19% (9th percentile), indicating little near-term mass-exploitation pressure.
SQL injection in the Drupal Geolocation Field contributed module exposes sites to unauthenticated database read and partial write access across all module versions prior to 3.15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it remotely triggerable against any publicly reachable Drupal installation running the affected module. Impact is bounded by C:L/I:L/A:N - partial data disclosure and modification without availability disruption or full database takeover. No active exploitation has been confirmed (no CISA KEV listing), and EPSS sits at a low 0.16% (5th percentile), indicating minimal current attacker interest. A vendor patch is available.
Frappe framework's check_safe_sql_query function fails to block SELECT INTO OUTFILE statements, allowing authenticated low-privileged users to write arbitrary files to the server filesystem on self-hosted MySQL deployments where the database user holds the MySQL FILE privilege. Affected branches are v15 prior to 15.108.0 and v16 prior to 16.18.3; fixes are released at both version targets. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, with a CVSS 4.0 base score of 2.3 reflecting the narrow, non-default exploitation conditions captured by AT:P.
SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. No public exploit has been identified at time of analysis, and the fix was released in version 1.27.0.
Authenticated SQL injection in the GLPI DataInjection plugin 2.15.6 (GLPI 11 builds) lets an operator with access to the Data injection feature smuggle SQL into the database by placing expressions in CSV field values, which the import routine concatenates directly into queries without parameterization or escaping (CWE-89). By mapping a payload such as SLEEP() to a field like Serial Number, an attacker performs time-based blind extraction of arbitrary database contents. Reported by VulnCheck and fixed in version 2.15.7; it is not on CISA KEV and no public exploit was identified at time of analysis.
SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute arbitrary SQL against the underlying ClickHouse database by passing unsanitized search parameters into the search_by_full_text method. Because those parameters are concatenated into the query without escaping or parameterization, an attacker can read, modify, or delete stored vector-store data. Publicly available exploit code exists (VulnCheck advisory and GitHub issue #38281) and a vendor patch is available; there is no confirmation of active in-the-wild exploitation.
SQL injection in Semtek SEM-PMP through build 23042026 allows remote attackers to inject arbitrary SQL and, per the vendor description, escalate to operating-system command execution through the database layer. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating and is reachable over the network without authentication or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the combination of unauthenticated network reach and command-execution impact makes it a high-priority patching target.
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV; fixed in Coturn 4.12.0.
SQL injection in Adam Retail Automation's MobilMen 20T retail-automation software (versions v3 through build 10072026) lets remote attackers inject arbitrary SQL through improperly neutralized input, yielding full read/write access to the backing database. Rated CVSS 9.8 by TR-CERT with an unauthenticated network-reachable vector, though no public exploit has been identified and it is not on CISA KEV. The vendor was contacted but did not respond, so no fix is available.
SQL injection in the Grav CMS Database plugin (grav-plugin-database) prior to 1.2.0 lets attacker-controlled table names reach a raw SQL query. The PDO::tableExists method interpolates its table argument directly into a query with no sanitization, escaping, quoting, or whitelisting, so any consuming plugin or developer code that forwards untrusted input into that method can execute arbitrary SQL against the configured database. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 9.2, with an attack-requirement (AT:P) reflecting the dependency on downstream code passing tainted table names.
SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.
SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.
Time-based SQL injection in the JoomSport WordPress plugin (all versions through 5.7.9) enables authenticated contributors to exfiltrate sensitive database contents via unsanitized 'event' shortcode attributes. The flaw exists in at least two code paths - joomsport-shortcodes.php and class-jsport-getplayers.php - where user-supplied shortcode parameters are interpolated into SQL queries without parameterization or adequate escaping. Because WordPress Contributor-level users can embed shortcodes in posts and pages, the effective attacker pool includes any registered user granted that role, broadening realistic exposure beyond typical authenticated-only flaws. No public exploit code or CISA KEV listing identified at time of analysis, but a patch commit (changeset 3594276) is referenced in the plugin repository.
Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. No public exploit or CISA KEV listing has been identified at time of analysis; real-world risk is moderated by the required administrator-level authentication.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.
SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.
Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.
Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.
Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.
Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.
SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.
Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.
Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.