Skip to main content

SQLi

15165 CVEs technique

Monthly

CVE-2026-7075 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the address parameter in /locations.php, enabling arbitrary database queries with confidentiality and integrity impact. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7074 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the code parameter in /execute1.php, enabling database query manipulation and potential data exfiltration or modification. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7073 MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 via the code parameter in /execute.php allows remote unauthenticated attackers to execute arbitrary SQL queries and potentially access or modify database contents. The vulnerability has a publicly available exploit and is confirmed to have a low confidentiality, integrity, and availability impact according to CVSS v4.0 scoring.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7072 MEDIUM POC This Month

Remote SQL injection in CodePanda Source canteen_management_system 1.0 allows unauthenticated attackers to manipulate the Username parameter in /api/login.php, enabling arbitrary database queries. Public exploit code is available. The vulnerability affects confidentiality and integrity with low impact scope, making it a practical attack vector for credential harvesting or data exfiltration from the canteen management database.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7070 MEDIUM POC This Month

SQL injection in code-projects Inventory Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component, leading to unauthorized database access and potential data exfiltration. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting low confidentiality, integrity, and availability impact without scope expansion. EPSS data unavailable, but public exploit availability elevates practical risk.

SQLi Inventory Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2021-36438 MEDIUM This Month

SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7063 MEDIUM POC This Month

SQL injection in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the pwd parameter in /370project/process/eprocess.php. CVSS 7.3 (High) with network vector and no prerequisites. Publicly available exploit code exists on GitHub, enabling immediate weaponization. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation despite public POC.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7060 MEDIUM POC PATCH This Month

SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. Publicly available exploit code exists (GitHub issue #4) with EPSS not yet calculated. Vendor patch available via pull request #3 but remains unmerged, leaving deployed instances vulnerable. CVSS 7.3 reflects network-accessible, low-complexity exploitation with no authentication required, enabling partial confidentiality, integrity, and availability compromise.

Java SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7028 LOW POC Monitor

SQL injection in CodeAstro Online Job Portal 1.0 allows authenticated admin users to manipulate the ID parameter in /admin/jobs-admins/delete-jobs.php, enabling remote SQL injection attacks against the database. The vulnerability requires high-level admin privileges (PR:H) but has a publicly available exploit and low attack complexity (AC:L), permitting remote attackers with admin access to read, modify, or delete sensitive database records. Exploitation is confirmed by public proof-of-concept code.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7023 LOW POC Monitor

SQL injection in ByteDance coze-studio up to version 0.5.1 allows authenticated remote attackers to manipulate the ExecuteSQL function in the databaseTool component, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability has a publicly available exploit and affects the backend database service layer; the vendor has not responded to disclosure efforts.

SQLi Coze Studio
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7002 MEDIUM This Month

SQL injection in KLiK SocialMediaWebsite 1.0.1 and earlier allows remote unauthenticated attackers to execute arbitrary SQL commands via the c_id parameter in /includes/get_message_ajax.php. The vulnerability targets the private message handling component and permits unauthorized database access, modification, and potential data exfiltration. CVSS 7.3 reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, with partial impact to confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the accessible attack surface.

PHP SQLi
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-6991 LOW Monitor

SQL injection vulnerability in Zod CUID Data Type Handler affects versions up to 4.3.6, allowing authenticated remote attackers to manipulate input validation logic in the regex component and execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available; the vendor was contacted early but provided no response, and no patch has been issued as of analysis time.

SQLi Zod
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6982 PHP MEDIUM PATCH This Month

SQL injection in ShowDoc API Page Sort Endpoint allows authenticated remote attackers to manipulate the pages parameter and execute arbitrary SQL queries with limited confidentiality, integrity, and availability impact. Affected versions include 2.10.10, 3.6.2, and 3.8.0; vendor has released patch v3.8.1 but explicitly stated no backports will be provided for older versions.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6978 LOW POC Monitor

SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-41478 npm CRITICAL PATCH GHSA Act Now

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

SQLi Saltcorn
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-33078 HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python Apache
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-31952 HIGH PATCH This Week

SQL injection in Xibo CMS versions 1.7 through 4.4.0 allows authenticated users with DataSet or Layout access privileges to extract and modify arbitrary database contents via crafted API filter parameters. The vulnerability affects a widely-deployed open source digital signage platform and has been addressed in version 4.4.1, with patches retroactively provided for out-of-support versions (3.3, 2.3, 1.8) indicating vendor awareness of active deployments on legacy versions. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with the broad version range (nearly 7 years of releases) suggest significant exposure across installations.

Microsoft SQLi
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-41460 CRITICAL Act Now

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.

SQLi Authentication Bypass RCE Socialengine
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-6887 CRITICAL Act Now

SQL injection in Borg SPM 2007 allows unauthenticated remote attackers to execute arbitrary SQL commands via network requests, enabling complete database compromise including read, modify, and delete operations. This legacy product (sales ended 2008) receives a critical CVSS 9.3 score with network vector, low complexity, and no authentication required. Taiwan CERT issued advisories identifying this as a SQL injection vulnerability affecting an end-of-life business management system, though no active exploitation evidence (KEV) or public exploit code has been identified at time of analysis.

SQLi Borg Spm 2007
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-40529 MEDIUM This Month

SQL injection in CMS ALAYA 7.4.1.4 and earlier allows authenticated administrators to obtain or modify database information through the administrative interface. The vulnerability requires high-privilege access (PR:H) and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. No public exploit code or active exploitation has been identified at time of analysis.

SQLi Cms Alaya
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-29198 CRITICAL Act Now

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

SQLi Rocket Chat
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-50229 CRITICAL Act Now

Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.

SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-41167 CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41640 npm HIGH POC PATCH GHSA This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

Command Injection Debian SQLi PostgreSQL
NVD GitHub
CVSS 3.1
7.5
EPSS
4.2%
CVE-2026-41641 npm HIGH POC PATCH GHSA This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

SQLi PostgreSQL Privilege Escalation
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-41422 Go HIGH PATCH GHSA This Week

SQL injection in Daptin's `/aggregate/:typename` endpoint allows authenticated low-privilege users to extract arbitrary database content via unsanitized query parameters. The `column` and `group` parameters are passed directly to raw SQL literal expressions without validation, enabling data exfiltration from any table including user credentials, database schema disclosure, and cross-table correlation attacks. Patched in version 0.11.4 which replaces all raw SQL construction with parameterized queries and schema-based validation. No evidence of active exploitation or public POC at time of analysis, though exploitation is straightforward for authenticated users.

SQLi
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-6833 HIGH This Week

SQL injection in aEnrich a+HRD allows authenticated remote attackers to read database contents through malicious SQL command injection. The vulnerability requires low-privilege authentication but enables complete confidentiality breach of database information. No active exploitation confirmed via CISA KEV, and EPSS data not available, but the low attack complexity (AC:L) and network attack vector (AV:N) make this exploitable by any authenticated user with basic SQL injection knowledge.

SQLi A Hrd
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41457 MEDIUM PATCH This Month

SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.

Authentication Bypass SQLi Owntone Server
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40906 HIGH PATCH This Week

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

SQLi PostgreSQL Electric
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41320 MEDIUM PATCH This Month

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.

SQLi Hrms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40871 HIGH PATCH This Week

Second-order SQL injection in mailcow: dockerized versions prior to 2026-03b allows authenticated API users with high privileges to execute arbitrary SQL commands through the quarantine notification system. Attackers inject malicious SQL via the quarantine_category field in /api/v1/add/mailbox endpoint, which executes when quarantine_notify.py runs its scheduled job, enabling data exfiltration of admin credentials and sensitive information through UNION-based queries rendered in notification emails. No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available in version 2026-03b.

Information Disclosure Docker SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-41029 CRITICAL PATCH Act Now

SQL injection in Zeon Academy Pro allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'phonenumber' parameter in /private/continue-upload.php, enabling full database compromise including data exfiltration, modification, and deletion. The vulnerability is exploitable over the network without authentication (CVSS:4.0 9.3 Critical, AV:N/PR:N), representing a complete compromise of database confidentiality and integrity. Patch available from vendor per INCIBE-CERT advisory, though specific fixed version not disclosed in public references.

PHP SQLi
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-6674 MEDIUM This Month

SQL injection in the CMS für Motorrad Werkstätten WordPress plugin (versions up to 1.0.0) allows authenticated attackers with subscriber-level privileges to extract sensitive database information via an unsanitized 'arttype' parameter. The vulnerability requires valid WordPress user credentials but no special configuration, making it exploitable against any WordPress installation running the affected plugin. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39946 Go MEDIUM PATCH GHSA This Month

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

PostgreSQL SQLi Hashicorp Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-35588 PyPI MEDIUM PATCH GHSA This Month

Cassandra export module in Glances prior to version 4.5.4 allows local privilege-escalated users to redirect monitoring data to attacker-controlled databases by injecting CQL statements through unvalidated configuration parameters. An authenticated local attacker with write access to the Glances configuration file can modify keyspace, table, and replication_factor settings to execute arbitrary CQL, enabling data exfiltration or denial of service against the monitoring infrastructure. This vulnerability requires elevated local access but carries high confidentiality and integrity impact.

SQLi Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-70420 HIGH This Week

A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.

SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-66335 PyPI MEDIUM PATCH This Month

SQL injection in Apache Doris MCP Server versions before 0.6.1 allows unauthenticated remote attackers to execute unintended SQL statements and bypass query validation and access restrictions via improper neutralization in the MCP query execution interface. The vulnerability has a CVSS score of 5.3 (network-accessible, low complexity, no authentication required) but is classified as partial impact (confidentiality only, no integrity or availability impact) and has not been confirmed as actively exploited. A vendor patch is available.

Apache SQLi
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6629 MEDIUM POC This Month

SQL injection in Metasoft MetaCRM versions up to 6.4.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'sql' parameter in sql.jsp interface endpoint. Publicly available exploit code exists (disclosed via Feishu document), enabling attackers to read/modify database contents and potentially execute commands. CVSS 7.3 (High) with network vector and low complexity. Vendor non-responsive to disclosure, leaving patch status uncertain. EPSS data not provided but POC availability elevates practical exploitation risk.

SQLi Metacrm
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6628 LOW POC Monitor

SQL injection in phili67 Ecclesia CRM up to version 8.0.0 allows authenticated remote attackers to execute arbitrary SQL queries via the 'custom' parameter in the Query Viewer Component (/v2/query/view/). The vulnerability has a publicly available exploit and affects confidentiality, integrity, and availability of database operations. The vendor has not responded to early disclosure notification.

SQLi Ecclesia Crm
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5964 CRITICAL Act Now

SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.

SQLi Easyflow Net
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-5963 CRITICAL Act Now

Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.

SQLi Easyflow Net
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-6595 MEDIUM POC This Month

SQL injection in ProjectsAndPrograms School Management System allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the bus_id parameter in buslocation.php. The vulnerability affects all versions up to commit 6b6fae5, with publicly available exploit code (EPSS not provided). Vendor was notified but did not respond, leaving the product vulnerable at time of analysis. The rolling release model means no fixed version number exists.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-39110 HIGH This Week

SQL injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive database contents via the contactno parameter on the password reset page. The vulnerability bypasses authentication controls through crafted input during password recovery operations. EPSS and KEV data not available, but SSVC framework indicates proof-of-concept exists and the vulnerability is automatable with partial technical impact. The CVSS score of 8.2 reflects high confidentiality impact with network-accessible attack surface requiring no user interaction.

PHP SQLi N A
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-39111 HIGH This Week

SQL Injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive user data via the forgot-password.php email parameter. The vulnerability requires no authentication (PR:N), no user interaction (UI:N), and has low attack complexity (AC:L), enabling trivial exploitation against any internet-facing installation. EPSS data unavailable; not listed in CISA KEV. GitHub repository references suggest proof-of-concept code may exist, increasing immediate exploitation risk for the small but vulnerable user base of this PHP-based application.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-39109 CRITICAL Act Now

SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. Public exploit code exists (SSVC confirms POC status), making this immediately exploitable. EPSS data unavailable, but SSVC framework rates it as automatable with partial technical impact, indicating high practical risk for internet-exposed installations.

PHP SQLi N A
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.2%
CVE-2026-6562 MEDIUM POC This Month

SQL injection in dameng100 muucmf 1.9.5.20260309 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the 'keyword' parameter in /index/Search/index.html. Public exploit code is available (thinhneee.github.io), increasing immediate exploitation risk. EPSS and KEV data not available, but CVSS 7.3 with network attack vector (AV:N), low complexity (AC:L), and no authentication required (PR:N) indicate high accessibility. Vendor (dameng100) has not responded to disclosure, suggesting no official patch timeline.

SQLi Muucmf
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-40482 HIGH This Week

SQL injection in ChurchCRM's FinancialService getMemberByScanString() method allows authenticated attackers to exfiltrate sensitive database contents and modify limited data. Affects ChurchCRM versions prior to 7.2.0. The vulnerability stems from unsanitized $routeAndAccount parameter concatenated directly into SQL queries without parameterization. Fixed via commit 214694eb and pull request #8607. EPSS data not available. Not listed in CISA KEV. Public exploit code exists (GitHub advisory GHSA-hc37-vx3w-34fg with PoC). CVSS 7.1 reflects network-accessible attack requiring low-privileged authentication with high confidentiality impact and low integrity impact.

SQLi
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40285 HIGH PATCH This Week

SQL injection in WeGIA charitable institution manager allows authenticated users to impersonate arbitrary identities and execute database queries with elevated privileges. The cpf_usuario parameter in dao/memorando/UsuarioDAO.php bypasses session-based identity controls through PHP's extract($_REQUEST) function, enabling any low-privileged authenticated user to query sensitive data or modify database contents as any other user, including administrators. WeGIA versions before 3.6.10 are affected. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L) requiring only valid user credentials.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6490 MEDIUM POC This Month

SQL injection in QueryMine SMS admin/deletecourse.php allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in GET requests. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists (GitHub POC available). EPSS data not available. Not listed in CISA KEV. Vendor non-responsive to disclosure. CVSS 7.3 with network attack vector and no authentication required indicates moderate-high severity, but real-world risk depends on deployment exposure of admin interface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6488 LOW POC Monitor

SQL injection in QueryMine SMS admin/editcourse.php parameter handler allows authenticated remote attackers to query or modify the database via a crafted ID parameter, with publicly available exploit code demonstrating the vulnerability. The affected product uses rolling releases with no versioning available, and the vendor has not responded to disclosure attempts. CVSS 5.3 reflects limited scope impact under authenticated access (PR:L), but real-world risk depends on network exposure of the administrative interface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15625 CRITICAL Act Now

SQL injection in Sparx Pro Cloud Server 6.0.163 allows remote attackers without authentication to execute arbitrary SQL commands against the backend database, leading to complete system compromise. Despite critical CVSS 9.5 scoring with network attack vector and no authentication required, exploitation complexity is rated HIGH and EPSS indicates only 0.06% probability (19th percentile). SSVC framework classifies technical impact as total but exploitation as none and not automatable, suggesting this requires specialized knowledge or non-default configurations to exploit. No active exploitation confirmed, no public exploit code identified at time of analysis.

SQLi Sparx Pro Cloud Server
NVD VulDB
CVSS 4.0
9.5
EPSS
0.1%
CVE-2026-34018 MEDIUM This Month

SQL injection in CubeCart prior to 6.6.0 allows remote unauthenticated attackers to execute arbitrary SQL statements through a request requiring user interaction, affecting the e-commerce platform's database integrity and confidentiality. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector and low complexity, though exploitation requires user engagement (UI:R) which moderates real-world risk. No public exploit code or active exploitation in CISA KEV has been confirmed at time of analysis.

SQLi Cubecart
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6080 MEDIUM This Month

SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. CVSS 6.5 reflects confidentiality impact; exploitation is limited to high-privilege authenticated users.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3330 MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-4817 MEDIUM This Month

Time-based blind SQL injection in MasterStudy LMS WordPress plugin up to version 3.7.25 allows authenticated subscribers and above to extract sensitive database information including user credentials and session tokens via unquoted ORDER BY clause injection in the /lms/stm-lms/order/items REST API endpoint. The vulnerability stems from a custom Query builder that concatenates user-supplied sort parameters containing parentheses directly into SQL ORDER BY clauses without proper quoting, bypassing the plugin's use of esc_sql(). CVSS score of 6.5 reflects network-accessible exploitation requiring low privilege (subscriber-level) authentication and no user interaction.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-37749 CRITICAL NEWS Act Now

SQL injection in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation. CISA SSVC framework confirms proof-of-concept exists, attack is automatable, and technical impact is total (full system compromise). Public POC available on GitHub enables immediate weaponization by attackers with no specialized skills.

PHP SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40901 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

Deserialization SQLi RCE Dataease
NVD GitHub
CVSS 4.0
7.5
EPSS
0.4%
CVE-2026-40900 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33207 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

Java SQLi
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33122 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33121 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33084 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied sort value to the sorting metadata DTO, which is passed to Order2SQLObj where it is incorporated into the SQL ORDER BY clause without any whitelist validation, and then executed via CalciteProvider. An authenticated attacker can inject arbitrary SQL commands through the sort parameter, enabling time-based blind SQL injection. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33083 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.

Denial Of Service SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33082 HIGH PATCH This Week

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-37347 CRITICAL Act Now

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-37346 MEDIUM This Month

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-37345 CRITICAL Act Now

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37344 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated administrators to execute arbitrary SQL commands via the /parking/manage_location.php endpoint. CVSS 7.2 indicates high-privilege requirement (PR:H) limiting exploitation to compromised admin accounts or insider threats. EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation activity. No CISA KEV listing indicates no confirmed active exploitation in enterprise environments.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37343 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /parking/manage_user.php endpoint. CVSS 7.2 with network vector but requires high-privilege authentication (PR:H), significantly limiting attack surface. EPSS probability is very low (0.01%, 2nd percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public POC confirmation, though a technical writeup exists in GitHub repository mt-0505/cve-report.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37342 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL commands via the /parking/view_parked_details.php endpoint. The vulnerability requires administrative credentials (CVSS PR:H) but enables full database compromise once authenticated. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. A public proof-of-concept exists on GitHub, lowering the technical barrier for authenticated attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37341 HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL commands via the /parking/manage_category.php endpoint, enabling complete database compromise. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Proof-of-concept exploit code is publicly available on GitHub, lowering the barrier for authenticated attackers with administrative access.

PHP SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-37340 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0's /music/edit_music.php endpoint allows unauthenticated remote attackers to execute arbitrary SQL commands with full database access. The vulnerability carries a critical CVSS 9.8 score with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS probability is notably low at 0.01% (2nd percentile), suggesting limited real-world exploitation interest despite the critical severity rating. Proof-of-concept code is publicly available via GitHub, lowering the barrier for opportunistic attacks against exposed instances.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37339 CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the /music/view_genre.php endpoint, enabling complete database compromise including data theft, modification, and potential server takeover. CVSS 9.8 (Critical) with network-exploitable attack vector requiring no authentication or user interaction. EPSS score of 0.01% (2nd percentile) indicates low observed exploitation probability despite critical severity. Publicly available proof-of-concept exists (GitHub repository), lowering exploitation barrier for opportunistic attackers.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-37338 CRITICAL Act Now

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

PHP SQLi
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-37337 HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-37336 HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-5785 HIGH PATCH This Week

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

SQLi Manageengine Pam360 Manageengine Password Manager Pro
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-3489 HIGH This Week

The DirectoryPress - Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3773 MEDIUM This Month

SQL injection in Accessibility Suite by Ability, Inc WordPress plugin (versions up to 4.20) allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'scan_id' parameter. The vulnerability is unauthenticated remote network-accessible but requires low-privilege login credentials; no public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3599 HIGH This Week

SQL injection in Riaxe Product Customizer for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract sensitive database contents via crafted REST API requests. The vulnerability exists in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint where the 'options' parameter keys within 'product_data' lack proper SQL escaping. CVSS 7.5 (High) with attack vector network/low complexity/no authentication required. Wordfence discovery indicates active researcher attention. No CISA KEV listing or public exploit code identified at time of analysis, but EPSS data unavailable for risk calibration.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-63029 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1.

SQLi Wcfm Marketplace
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-20061 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.

Cisco SQLi
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40745 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.

SQLi Element Pack Elementor Addons Elementor
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-40744 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder: from n/a through <= 2.10.1.2.

SQLi Beaver Builder
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-30995 HIGH This Week

Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.

SQLi PHP
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-40887 npm CRITICAL POC PATCH GHSA Act Now

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. ## Affected versions - `@vendure/core` < 2.3.4 - `@vendure/core` >= 3.0.0, < 3.5.7 - `@vendure/core` >= 3.6.0, < 3.6.2 Note: versions 2.3.4 and above in the 2.x line are patched. There were no 2.4.x or 2.x releases between 2.3.x and 3.0.0. ## Patched versions - `@vendure/core` 2.3.4 - `@vendure/core` 3.5.7 - `@vendure/core` 3.6.2 ## Details In `ProductService.findOneBySlug`, the request context's `languageCode` value is interpolated into a SQL `CASE` expression via a JavaScript template literal: ```ts .addSelect( `CASE translation.languageCode WHEN '${ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`, 'sort_order', ) ``` TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is. ## Attack vector An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation. ## Mitigation **Upgrade to a patched version immediately.** If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query: ```ts private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined { const queryLanguageCode = req.query?.languageCode as string | undefined; const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode); return ( (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ?? channel.defaultLanguageCode ?? this.configService.defaultLanguageCode ); } ``` This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
9.1
EPSS
4.6%
CVE-2026-33714 HIGH PATCH This Week

SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.

SQLi PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-32176 MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally via improper neutralization of SQL command elements. Affected versions include SQL Server 2016 SP3, 2017, 2019, 2022, and 2025 across multiple cumulative updates and GDR releases. The CVSS 6.7 score reflects the requirement for high-privilege authentication and local attack vector, but the high confidentiality, integrity, and availability impact makes this a material risk f

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD VulDB
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-32167 MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD VulDB
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-61848 HIGH This Week

SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.

Fortinet SQLi
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the address parameter in /locations.php, enabling arbitrary database queries with confidentiality and integrity impact. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 allows remote unauthenticated attackers to manipulate the code parameter in /execute1.php, enabling database query manipulation and potential data exfiltration or modification. Publicly available exploit code exists, increasing real-world risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Construction Management System 1.0 via the code parameter in /execute.php allows remote unauthenticated attackers to execute arbitrary SQL queries and potentially access or modify database contents. The vulnerability has a publicly available exploit and is confirmed to have a low confidentiality, integrity, and availability impact according to CVSS v4.0 scoring.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote SQL injection in CodePanda Source canteen_management_system 1.0 allows unauthenticated attackers to manipulate the Username parameter in /api/login.php, enabling arbitrary database queries. Public exploit code is available. The vulnerability affects confidentiality and integrity with low impact scope, making it a practical attack vector for credential harvesting or data exfiltration from the canteen management database.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Inventory Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component, leading to unauthorized database access and potential data exfiltration. The vulnerability has a publicly available exploit and CVSS 6.9 score reflecting low confidentiality, integrity, and availability impact without scope expansion. EPSS data unavailable, but public exploit availability elevates practical risk.

SQLi Inventory Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the pwd parameter in /370project/process/eprocess.php. CVSS 7.3 (High) with network vector and no prerequisites. Publicly available exploit code exists on GitHub, enabling immediate weaponization. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation despite public POC.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. Publicly available exploit code exists (GitHub issue #4) with EPSS not yet calculated. Vendor patch available via pull request #3 but remains unmerged, leaving deployed instances vulnerable. CVSS 7.3 reflects network-accessible, low-complexity exploitation with no authentication required, enabling partial confidentiality, integrity, and availability compromise.

Java SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in CodeAstro Online Job Portal 1.0 allows authenticated admin users to manipulate the ID parameter in /admin/jobs-admins/delete-jobs.php, enabling remote SQL injection attacks against the database. The vulnerability requires high-level admin privileges (PR:H) but has a publicly available exploit and low attack complexity (AC:L), permitting remote attackers with admin access to read, modify, or delete sensitive database records. Exploitation is confirmed by public proof-of-concept code.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in ByteDance coze-studio up to version 0.5.1 allows authenticated remote attackers to manipulate the ExecuteSQL function in the databaseTool component, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability has a publicly available exploit and affects the backend database service layer; the vendor has not responded to disclosure efforts.

SQLi Coze Studio
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in KLiK SocialMediaWebsite 1.0.1 and earlier allows remote unauthenticated attackers to execute arbitrary SQL commands via the c_id parameter in /includes/get_message_ajax.php. The vulnerability targets the private message handling component and permits unauthorized database access, modification, and potential data exfiltration. CVSS 7.3 reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, with partial impact to confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the accessible attack surface.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection vulnerability in Zod CUID Data Type Handler affects versions up to 4.3.6, allowing authenticated remote attackers to manipulate input validation logic in the regex component and execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available; the vendor was contacted early but provided no response, and no patch has been issued as of analysis time.

SQLi Zod
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SQL injection in ShowDoc API Page Sort Endpoint allows authenticated remote attackers to manipulate the pages parameter and execute arbitrary SQL queries with limited confidentiality, integrity, and availability impact. Affected versions include 2.10.10, 3.6.2, and 3.8.0; vendor has released patch v3.8.1 but explicitly stated no backports will be provided for older versions.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

SQLi Saltcorn
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

SQL injection in Xibo CMS versions 1.7 through 4.4.0 allows authenticated users with DataSet or Layout access privileges to extract and modify arbitrary database contents via crafted API filter parameters. The vulnerability affects a widely-deployed open source digital signage platform and has been addressed in version 4.4.1, with patches retroactively provided for out-of-support versions (3.3, 2.3, 1.8) indicating vendor awareness of active deployments on legacy versions. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with the broad version range (nearly 7 years of releases) suggest significant exposure across installations.

Microsoft SQLi
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary data from the database, reset administrator account passwords, and gain unauthorized access to the Packages Manager in the Admin Panel, potentially enabling remote code execution.

SQLi Authentication Bypass RCE +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in Borg SPM 2007 allows unauthenticated remote attackers to execute arbitrary SQL commands via network requests, enabling complete database compromise including read, modify, and delete operations. This legacy product (sales ended 2008) receives a critical CVSS 9.3 score with network vector, low complexity, and no authentication required. Taiwan CERT issued advisories identifying this as a SQL injection vulnerability affecting an end-of-life business management system, though no active exploitation evidence (KEV) or public exploit code has been identified at time of analysis.

SQLi Borg Spm 2007
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

SQL injection in CMS ALAYA 7.4.1.4 and earlier allows authenticated administrators to obtain or modify database information through the administrative interface. The vulnerability requires high-privilege access (PR:H) and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. No public exploit code or active exploitation has been identified at time of analysis.

SQLi Cms Alaya
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

SQLi Rocket Chat
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.

Docker SQLi PostgreSQL
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.

Command Injection Debian SQLi +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.

SQLi PostgreSQL Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

SQL injection in Daptin's `/aggregate/:typename` endpoint allows authenticated low-privilege users to extract arbitrary database content via unsanitized query parameters. The `column` and `group` parameters are passed directly to raw SQL literal expressions without validation, enabling data exfiltration from any table including user credentials, database schema disclosure, and cross-table correlation attacks. Patched in version 0.11.4 which replaces all raw SQL construction with parameterized queries and schema-based validation. No evidence of active exploitation or public POC at time of analysis, though exploitation is straightforward for authenticated users.

SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in aEnrich a+HRD allows authenticated remote attackers to read database contents through malicious SQL command injection. The vulnerability requires low-privilege authentication but enables complete confidentiality breach of database information. No active exploitation confirmed via CISA KEV, and EPSS data not available, but the low attack complexity (AC:L) and network attack vector (AV:N) make this exploitable by any authenticated user with basic SQL injection knowledge.

SQLi A Hrd
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.

Authentication Bypass SQLi Owntone Server
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.

SQLi PostgreSQL Electric
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 14.38.1 contain a patch. No known workarounds are available.

SQLi Hrms
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Second-order SQL injection in mailcow: dockerized versions prior to 2026-03b allows authenticated API users with high privileges to execute arbitrary SQL commands through the quarantine notification system. Attackers inject malicious SQL via the quarantine_category field in /api/v1/add/mailbox endpoint, which executes when quarantine_notify.py runs its scheduled job, enabling data exfiltration of admin credentials and sensitive information through UNION-based queries rendered in notification emails. No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available in version 2026-03b.

Information Disclosure Docker SQLi
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SQL injection in Zeon Academy Pro allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'phonenumber' parameter in /private/continue-upload.php, enabling full database compromise including data exfiltration, modification, and deletion. The vulnerability is exploitable over the network without authentication (CVSS:4.0 9.3 Critical, AV:N/PR:N), representing a complete compromise of database confidentiality and integrity. Patch available from vendor per INCIBE-CERT advisory, though specific fixed version not disclosed in public references.

PHP SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the CMS für Motorrad Werkstätten WordPress plugin (versions up to 1.0.0) allows authenticated attackers with subscriber-level privileges to extract sensitive database information via an unsanitized 'arttype' parameter. The vulnerability requires valid WordPress user credentials but no special configuration, making it exploitable against any WordPress installation running the affected plugin. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

PostgreSQL SQLi Hashicorp +2
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cassandra export module in Glances prior to version 4.5.4 allows local privilege-escalated users to redirect monitoring data to attacker-controlled databases by injecting CQL statements through unvalidated configuration parameters. An authenticated local attacker with write access to the Glances configuration file can modify keyspace, table, and replication_factor settings to execute arbitrary CQL, enabling data exfiltration or denial of service against the monitoring infrastructure. This vulnerability requires elevated local access but carries high confidentiality and integrity impact.

SQLi Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.

SQLi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SQL injection in Apache Doris MCP Server versions before 0.6.1 allows unauthenticated remote attackers to execute unintended SQL statements and bypass query validation and access restrictions via improper neutralization in the MCP query execution interface. The vulnerability has a CVSS score of 5.3 (network-accessible, low complexity, no authentication required) but is classified as partial impact (confidentiality only, no integrity or availability impact) and has not been confirmed as actively exploited. A vendor patch is available.

Apache SQLi
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Metasoft MetaCRM versions up to 6.4.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'sql' parameter in sql.jsp interface endpoint. Publicly available exploit code exists (disclosed via Feishu document), enabling attackers to read/modify database contents and potentially execute commands. CVSS 7.3 (High) with network vector and low complexity. Vendor non-responsive to disclosure, leaving patch status uncertain. EPSS data not provided but POC availability elevates practical exploitation risk.

SQLi Metacrm
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in phili67 Ecclesia CRM up to version 8.0.0 allows authenticated remote attackers to execute arbitrary SQL queries via the 'custom' parameter in the Query Viewer Component (/v2/query/view/). The vulnerability has a publicly available exploit and affects confidentiality, integrity, and availability of database operations. The vendor has not responded to early disclosure notification.

SQLi Ecclesia Crm
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.

SQLi Easyflow Net
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.

SQLi Easyflow Net
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in ProjectsAndPrograms School Management System allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the bus_id parameter in buslocation.php. The vulnerability affects all versions up to commit 6b6fae5, with publicly available exploit code (EPSS not provided). Vendor was notified but did not respond, leaving the product vulnerable at time of analysis. The rolling release model means no fixed version number exists.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

SQL injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive database contents via the contactno parameter on the password reset page. The vulnerability bypasses authentication controls through crafted input during password recovery operations. EPSS and KEV data not available, but SSVC framework indicates proof-of-concept exists and the vulnerability is automatable with partial technical impact. The CVSS score of 8.2 reflects high confidentiality impact with network-accessible attack surface requiring no user interaction.

PHP SQLi N A
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL Injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive user data via the forgot-password.php email parameter. The vulnerability requires no authentication (PR:N), no user interaction (UI:N), and has low attack complexity (AC:L), enabling trivial exploitation against any internet-facing installation. EPSS data unavailable; not listed in CISA KEV. GitHub repository references suggest proof-of-concept code may exist, increasing immediate exploitation risk for the small but vulnerable user base of this PHP-based application.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. Public exploit code exists (SSVC confirms POC status), making this immediately exploitable. EPSS data unavailable, but SSVC framework rates it as automatable with partial technical impact, indicating high practical risk for internet-exposed installations.

PHP SQLi N A
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in dameng100 muucmf 1.9.5.20260309 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the 'keyword' parameter in /index/Search/index.html. Public exploit code is available (thinhneee.github.io), increasing immediate exploitation risk. EPSS and KEV data not available, but CVSS 7.3 with network attack vector (AV:N), low complexity (AC:L), and no authentication required (PR:N) indicate high accessibility. Vendor (dameng100) has not responded to disclosure, suggesting no official patch timeline.

SQLi Muucmf
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in ChurchCRM's FinancialService getMemberByScanString() method allows authenticated attackers to exfiltrate sensitive database contents and modify limited data. Affects ChurchCRM versions prior to 7.2.0. The vulnerability stems from unsanitized $routeAndAccount parameter concatenated directly into SQL queries without parameterization. Fixed via commit 214694eb and pull request #8607. EPSS data not available. Not listed in CISA KEV. Public exploit code exists (GitHub advisory GHSA-hc37-vx3w-34fg with PoC). CVSS 7.1 reflects network-accessible attack requiring low-privileged authentication with high confidentiality impact and low integrity impact.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in WeGIA charitable institution manager allows authenticated users to impersonate arbitrary identities and execute database queries with elevated privileges. The cpf_usuario parameter in dao/memorando/UsuarioDAO.php bypasses session-based identity controls through PHP's extract($_REQUEST) function, enabling any low-privileged authenticated user to query sensitive data or modify database contents as any other user, including administrators. WeGIA versions before 3.6.10 are affected. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L) requiring only valid user credentials.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in QueryMine SMS admin/deletecourse.php allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in GET requests. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists (GitHub POC available). EPSS data not available. Not listed in CISA KEV. Vendor non-responsive to disclosure. CVSS 7.3 with network attack vector and no authentication required indicates moderate-high severity, but real-world risk depends on deployment exposure of admin interface.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in QueryMine SMS admin/editcourse.php parameter handler allows authenticated remote attackers to query or modify the database via a crafted ID parameter, with publicly available exploit code demonstrating the vulnerability. The affected product uses rolling releases with no versioning available, and the vendor has not responded to disclosure attempts. CVSS 5.3 reflects limited scope impact under authenticated access (PR:L), but real-world risk depends on network exposure of the administrative interface.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.5
CRITICAL Act Now

SQL injection in Sparx Pro Cloud Server 6.0.163 allows remote attackers without authentication to execute arbitrary SQL commands against the backend database, leading to complete system compromise. Despite critical CVSS 9.5 scoring with network attack vector and no authentication required, exploitation complexity is rated HIGH and EPSS indicates only 0.06% probability (19th percentile). SSVC framework classifies technical impact as total but exploitation as none and not automatable, suggesting this requires specialized knowledge or non-default configurations to exploit. No active exploitation confirmed, no public exploit code identified at time of analysis.

SQLi Sparx Pro Cloud Server
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

SQL injection in CubeCart prior to 6.6.0 allows remote unauthenticated attackers to execute arbitrary SQL statements through a request requiring user interaction, affecting the e-commerce platform's database integrity and confidentiality. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector and low complexity, though exploitation requires user engagement (UI:R) which moderates real-world risk. No public exploit code or active exploitation in CISA KEV has been confirmed at time of analysis.

SQLi Cubecart
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. CVSS 6.5 reflects confidentiality impact; exploitation is limited to high-privilege authenticated users.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in MasterStudy LMS WordPress plugin up to version 3.7.25 allows authenticated subscribers and above to extract sensitive database information including user credentials and session tokens via unquoted ORDER BY clause injection in the /lms/stm-lms/order/items REST API endpoint. The vulnerability stems from a custom Query builder that concatenates user-supplied sort parameters containing parentheses directly into SQL ORDER BY clauses without proper quoting, bypassing the plugin's use of esc_sql(). CVSS score of 6.5 reflects network-accessible exploitation requiring low privilege (subscriber-level) authentication and no user interaction.

WordPress SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation. CISA SSVC framework confirms proof-of-concept exists, attack is automatable, and technical impact is total (full system compromise). Public POC available on GitHub enables immediate weaponization by attackers with no specialized skills.

PHP SQLi N A
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

Deserialization SQLi RCE +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

Java SQLi
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from the user-submitted configuration is passed to DatasourceSyncManage.createEngineTable, where it is substituted into a CREATE TABLE statement template without any sanitization or identifier escaping. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the sort parameter of the /de2api/datasetData/enumValueObj endpoint. The DatasetDataManage service layer directly transfers the user-supplied sort value to the sorting metadata DTO, which is passed to Order2SQLObj where it is incorporated into the SQL ORDER BY clause without any whitelist validation, and then executed via CalciteProvider. An authenticated attacker can inject arbitrary SQL commands through the sort parameter, enabling time-based blind SQL injection. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.

Denial Of Service SQLi Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to WhereTree2Str.transFilterTrees for SQL translation, where user-controlled values in "like" filter terms are directly concatenated into SQL fragments without sanitization. An attacker can inject arbitrary SQL commands by escaping the string literal in the filter value, enabling blind SQL injection through techniques such as time-based extraction of database information. This issue has been fixed in version 2.10.21.

SQLi Dataease
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated administrators to execute arbitrary SQL commands via the /parking/manage_location.php endpoint. CVSS 7.2 indicates high-privilege requirement (PR:H) limiting exploitation to compromised admin accounts or insider threats. EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation activity. No CISA KEV listing indicates no confirmed active exploitation in enterprise environments.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /parking/manage_user.php endpoint. CVSS 7.2 with network vector but requires high-privilege authentication (PR:H), significantly limiting attack surface. EPSS probability is very low (0.01%, 2nd percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public POC confirmation, though a technical writeup exists in GitHub repository mt-0505/cve-report.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL commands via the /parking/view_parked_details.php endpoint. The vulnerability requires administrative credentials (CVSS PR:H) but enables full database compromise once authenticated. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. A public proof-of-concept exists on GitHub, lowering the technical barrier for authenticated attackers.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in SourceCodester Vehicle Parking Area Management System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL commands via the /parking/manage_category.php endpoint, enabling complete database compromise. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Proof-of-concept exploit code is publicly available on GitHub, lowering the barrier for authenticated attackers with administrative access.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0's /music/edit_music.php endpoint allows unauthenticated remote attackers to execute arbitrary SQL commands with full database access. The vulnerability carries a critical CVSS 9.8 score with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS probability is notably low at 0.01% (2nd percentile), suggesting limited real-world exploitation interest despite the critical severity rating. Proof-of-concept code is publicly available via GitHub, lowering the barrier for opportunistic attacks against exposed instances.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in SourceCodester Simple Music Cloud Community System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the /music/view_genre.php endpoint, enabling complete database compromise including data theft, modification, and potential server takeover. CVSS 9.8 (Critical) with network-exploitable attack vector requiring no authentication or user interaction. EPSS score of 0.01% (2nd percentile) indicates low observed exploitation probability despite critical severity. Publicly available proof-of-concept exists (GitHub repository), lowering exploitation barrier for opportunistic attackers.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

SQLi Manageengine Pam360 Manageengine Password Manager Pro
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The DirectoryPress - Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Accessibility Suite by Ability, Inc WordPress plugin (versions up to 4.20) allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'scan_id' parameter. The vulnerability is unauthenticated remote network-accessible but requires low-privilege login credentials; no public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in Riaxe Product Customizer for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract sensitive database contents via crafted REST API requests. The vulnerability exists in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint where the 'options' parameter keys within 'product_data' lack proper SQL escaping. CVSS 7.5 (High) with attack vector network/low complexity/no authentication required. Wordfence discovery indicates active researcher attention. No CISA KEV listing or public exploit code identified at time of analysis, but EPSS data unavailable for risk calibration.

WordPress SQLi
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1.

SQLi Wcfm Marketplace
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.

Cisco SQLi
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.

SQLi Element Pack Elementor Addons Elementor
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder: from n/a through <= 2.10.1.2.

SQLi Beaver Builder
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.

SQLi PHP
NVD VulDB
EPSS 5% CVSS 9.1
CRITICAL POC PATCH Act Now

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, allowing an attacker to execute arbitrary SQL against the database. This affects all supported database backends (PostgreSQL, MySQL/MariaDB, SQLite). The Admin API is also affected, though exploitation there requires authentication. ## Affected versions - `@vendure/core` < 2.3.4 - `@vendure/core` >= 3.0.0, < 3.5.7 - `@vendure/core` >= 3.6.0, < 3.6.2 Note: versions 2.3.4 and above in the 2.x line are patched. There were no 2.4.x or 2.x releases between 2.3.x and 3.0.0. ## Patched versions - `@vendure/core` 2.3.4 - `@vendure/core` 3.5.7 - `@vendure/core` 3.6.2 ## Details In `ProductService.findOneBySlug`, the request context's `languageCode` value is interpolated into a SQL `CASE` expression via a JavaScript template literal: ```ts .addSelect( `CASE translation.languageCode WHEN '${ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`, 'sort_order', ) ``` TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is. ## Attack vector An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation. ## Mitigation **Upgrade to a patched version immediately.** If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query: ```ts private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined { const queryLanguageCode = req.query?.languageCode as string | undefined; const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode); return ( (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ?? channel.defaultLanguageCode ?? this.configService.defaultLanguageCode ); } ``` This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally via improper neutralization of SQL command elements. Affected versions include SQL Server 2016 SP3, 2017, 2019, 2022, and 2025 across multiple cumulative updates and GDR releases. The CVSS 6.7 score reflects the requirement for high-privilege authentication and local attack vector, but the high confidentiality, integrity, and availability impact makes this a material risk f

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack +8
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack +8
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.

Fortinet SQLi
NVD VulDB
Prev Page 13 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy