SQLi
Monthly
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.
SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.
SQL injection in Fortinet FortiDDoS-F 7.2.1-7.2.2 allows authenticated remote attackers to execute unauthorized code or commands with high impact to confidentiality, integrity, and availability. The vulnerability resides in the web management interface and requires low attack complexity with no user interaction. No public exploit identified at time of analysis, with EPSS data not yet available for this recently disclosed CVE.
SQL injection in Fortinet FortiClientEMS 7.0 through 7.4.5 allows high-privileged local attackers to execute unauthorized code or commands with high integrity and confidentiality impact. The vulnerability requires local access and high privileges (PR:H per CVSS vector), making it a risk primarily in environments where administrative users are untrusted or compromised. CISA SSVC framework rates this as non-exploitable via automation due to privilege requirements, though the technical impact is total (confidentiality, integrity, and availability compromise). No public exploit code has been identified at the time of analysis.
SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.
SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.
SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.
SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/manage_employee.php file. The CVSS score of 2.7 reflects limited impact (confidentiality only, no integrity or availability loss) and high authentication barriers (administrator role required). No public exploit code or active exploitation has been confirmed.
SQL Injection in SourceCodester Storage Unit Rental Management System v1.0 allows authenticated administrative users to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_storage_unit.php endpoint. The vulnerability requires high-privilege access (PR:H) and returns only limited information (confidentiality impact only), resulting in a low CVSS score of 2.7. No public exploit code or active exploitation has been confirmed at the time of analysis.
SQL injection in SourceCodester Storage Unit Rental Management System v1.0 allows high-privileged authenticated attackers to read sensitive database contents via crafted input in /storage/admin/rents/manage_rent.php. The vulnerability requires administrator-level access and produces only limited information disclosure with no impact on data integrity or availability. EPSS and SSVC assessments indicate minimal real-world exploitation risk due to authentication barrier and non-automatable attack requirements.
SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privileged remote attackers to read sensitive data through the /storage/admin/tenants/view_details.php endpoint. With a CVSS score of 2.7 and requirement for high administrative privileges (PR:H), this vulnerability has minimal real-world impact despite the SQL injection class; however, it represents a privilege-abuse risk within already-compromised administrative contexts. No public exploit code or active exploitation has been confirmed.
SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privilege authenticated administrators to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_pricing.php endpoint, resulting in partial confidentiality impact. The CVSS score of 2.7 reflects the requirement for high administrative privileges and absence of integrity or availability impact, placing this as a low-risk vulnerability despite the SQL injection classification. No public exploit code or active exploitation has been identified.
SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/view_att.php endpoint, potentially disclosing sensitive employee attendance data. The vulnerability requires administrative credentials and carries low real-world risk despite SQL injection's severity class, as evidenced by CVSS 2.7 and SSVC designation of no exploitation likelihood with partial technical impact. No public exploit code or active exploitation has been identified.
SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege remote attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/view_employee.php endpoint. CVSS 2.7 reflects high authentication barriers (PR:H requires admin access), no automatable exploitation per SSVC, and confidentiality impact only. No public exploit code or active exploitation confirmed at time of analysis.
SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to extract sensitive database information via the /wfh_attendance/admin/manage_department.php endpoint. The CVSS 2.7 score reflects low real-world risk due to the requirement for high-privilege administrative credentials and confidentiality-only impact; no public exploit code has been identified, and the vulnerability is not confirmed as actively exploited.
SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/attendance_list.php endpoint, enabling unauthorized data disclosure with low confidentiality impact. The vulnerability requires administrator-level access and carries minimal real-world risk due to high privilege requirements and low exploitability (SSVC exploitation status: none), though it represents a defense-in-depth failure in an administrative function.
SourceCodester Patient Appointment Scheduler System v1.0 suffers from SQL injection in the SystemSettings.php update_settings function, allowing authenticated high-privilege administrators to execute arbitrary SQL queries. While tagged as RCE, the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and SSVC framework indicate limited confidentiality impact with no confirmed integrity or availability consequences; this is primarily a SQL injection vulnerability requiring administrative credentials with no public exploit code identified at time of analysis.
SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege users to read sensitive database information via the /scheduler/admin/appointments/view_details.php endpoint. The vulnerability requires administrative credentials and network access but carries low real-world risk due to restrictive authentication requirements (PR:H), limited scope of impact (confidentiality only), and CVSS score of 2.7. No public exploit code or active exploitation has been identified.
SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege administrators to read sensitive data through the /scheduler/admin/appointments/manage_appointment.php endpoint. The vulnerability requires administrative credentials and does not enable data modification or denial of service, limiting real-world impact despite network-accessible exposure. CVSS score of 2.7 reflects the high authentication barrier and confidentiality-only impact; CISA SSVC framework rates exploitation as 'none' with no automatable attack path.
SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 at /scheduler/admin/user/manage_user.php allows high-privilege authenticated attackers to read sensitive data via crafted SQL queries. CVSS score of 2.7 reflects the requirement for high administrative privileges (PR:H), limiting real-world impact. SSVC framework confirms no known active exploitation, non-automatable attack, and partial technical impact (confidentiality only). This is a low-severity vulnerability constrained by authentication requirements despite the presence of a SQL injection flaw.
SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.
A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.
Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.
SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.
SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati
A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /equipments.php, leading to unauthorized data access or modification. The CVSS score of 5.3 reflects low confidentiality and integrity impact, and the extremely low EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite publicly available exploit code.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /employees.php, resulting in confidentiality, integrity, and authenticity breaches. The vulnerability requires low-privilege authentication and has publicly available exploit code, elevating practical risk despite the moderate CVSS score of 6.3.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Username parameter in /ajax.php?action=login. The vulnerability enables low-complexity attacks requiring no user interaction, with publicly available exploit code (EPSS probability data not provided, not listed in CISA KEV). Attackers can compromise confidentiality, integrity, and availability of the pharmacy inventory database without authentication.
SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.
SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=delete_sales, with publicly available exploit code and evidence of active proof-of-concept publication.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=chk_prod_availability, enabling unauthorized data access and modification. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed proof-of-concept code available on GitHub.
SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /web/index.php and execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score reflecting moderate confidentiality, integrity, and availability impact across the network-accessible endpoint.
SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the User parameter in /web/admin/login.php, enabling database query manipulation with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, increasing real-world attack likelihood despite the moderate CVSS score of 6.9.
SQL injection in code-projects Faculty Management System 1.0 via the ID parameter in /subject-print.php allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate or modify database contents with low confidentiality and integrity impact. Publicly available exploit code exists, creating immediate operational risk for organizations running this system.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the VEHICLE_ID parameter in /util/UpdateVehicleFunction.php, achieving confidentiality and integrity compromise. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score with confirmed exploitability (E:P rating).
SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.
SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /util/Login_check.php, leading to unauthorized data access or modification. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite its low-to-moderate CVSS score of 6.9.
SQL injection in Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the cata parameter in /addcat.php. The vulnerability has CVSS 6.9 (network-accessible, low complexity) and publicly available exploit code exists, making it a practical attack vector for data exfiltration and manipulation in this PHP-based application.
SQL injection in code-projects Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the cat parameter in /catageory.php, enabling data exfiltration and potential database manipulation. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed low impact to confidentiality, integrity, and availability. Active exploitation status has not been confirmed at time of analysis, but the accessible nature of the vulnerability and public exploit availability elevate operational risk.
SQL injection in code-projects Simple ChatBox up to version 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via manipulation of the msg parameter in the /chatbox/insert.php endpoint, leading to confidentiality and integrity compromise. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, increasing real-world risk despite the moderate base score.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the STAFF_ID parameter in /util/StaffDetailsFunction.php, enabling unauthorized database access with limited confidentiality and integrity impact. Public exploit code is available, and the vulnerability has a CVSS score of 6.9 with confirmed exploitability.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to read, modify, or delete database contents via the STAFF_ID parameter in /util/StaffAddingFunction.php. CVSS score of 7.3 (High) reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier, though no active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the CUSTOMER_ID parameter in /util/PaymentStatusFunction.php. CVSS 7.3 (High) with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis, creating an urgent risk for exposed deployments.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in /util/BookVehicleFunction.php. The vulnerability has publicly available exploit code (GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects medium-severity impacts across confidentiality, integrity, and availability. No vendor patch has been identified at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no user interaction required. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication barrier, creating immediate risk for internet-exposed instances.
SQL injection in tushar-2223 Hotel Management System /admin/roomdelete.php allows unauthenticated remote attackers to manipulate database queries via the ID parameter, potentially compromising confidentiality, integrity, and availability of hotel management data. Publicly available exploit code exists (CVSS 7.3, EPSS not provided). The vulnerability affects all versions up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 in this rolling-release project, and the maintainer has not responded to responsible disclosure attempts.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/inquiries/view_details.php allows high-privileged authenticated administrators to extract limited data via crafted SQL queries. The vulnerability requires admin-level access and produces only confidentiality impact with minimal real-world exploitation likelihood (EPSS 0.02%, CVSS 2.7, SSVC framework indicates no practical exploitation path).
SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract limited information from the database via crafted input to /librarysystem/load_book.php. The vulnerability requires administrative credentials and has very low real-world risk (EPSS 0.02%, CVSS 2.7) with no public exploit code identified; CISA does not list it as actively exploited.
SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /librarysystem/load_admin.php endpoint. The vulnerability requires administrative authentication, limiting exposure to compromised or malicious admin accounts. EPSS exploitation probability is minimal at 0.02% (6th percentile), and no public exploit code has been identified, making this a low-priority issue despite the SQL injection vector.
SQL injection in Sourcecodester Basic Library System v1.0 at /librarysystem/load_student.php allows high-privilege authenticated attackers to read sensitive database information. The vulnerability requires administrative-level privileges and manual user interaction is absent, but real-world risk is minimal due to extremely low EPSS score (0.02%), CVSS severity of 2.7, and CISA SSVC assessment indicating no exploitation activity, non-automatable conditions, and only partial technical impact.
SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated attackers to conduct limited information disclosure through the exam update functionality at /system/system/admins/assessments/examproper/exam-update.php. The vulnerability carries minimal real-world risk due to required administrative privileges (PR:H), low EPSS exploitation probability (0.02%), and CISA SSVC assessment indicating no exploitation trend, non-automatable attack, and only partial technical impact.
SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated users to extract limited data via a crafted SQL query in the questions-view.php endpoint. The vulnerability requires administrator-level credentials and lacks evidence of active exploitation or public exploit tooling, resulting in a minimal real-world risk profile despite confirmed SQL injection capability.
SQL injection in Sourcecodester Cab Management System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /cms/admin/categories/view_category.php endpoint. The vulnerability requires administrative credentials and has minimal real-world impact (CVSS 2.7, EPSS 0.02%), with no evidence of active exploitation or public exploit code.
SQL Injection in Sourcecodester Cab Management System 1.0 allows high-privilege administrators to extract limited database information via the /cms/admin/bookings/view_booking.php endpoint. The vulnerability requires authenticated admin access and carries minimal real-world risk given its low EPSS score (0.02%) and CISA SSVC assessment indicating no exploitation status, non-automatable exploitation, and only partial technical impact.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/services/view_service.php allows authenticated administrators to extract sensitive database information with low complexity. The vulnerability requires high-privilege (admin) access and does not enable data modification or denial of service, limiting real-world impact despite the unauthenticated attack vector network availability. No active exploitation or public proof-of-concept tools have been confirmed; EPSS score of 0.02% and SSVC framework rating 'none' exploitation status indicate minimal practical risk despite CVSS 2.7 rating.
SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privilege authenticated attackers to read sensitive application data via crafted input to the /orms/admin/activities/manage_activity.php endpoint. The vulnerability requires administrator-level credentials and produces only confidentiality impact with negligible real-world exploitation risk, as indicated by 0.02% EPSS score and CISA SSVC partial technical impact assessment.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/repairs/manage_repair.php allows authenticated administrators to extract or modify limited database information. The attack requires high-level administrative privileges and produces only confidentiality impact; EPSS probability is minimal (0.02%), and CISA SSVC assessment indicates no evidence of real-world exploitation.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated high-privilege users to read sensitive database content via crafted input in the repairs details viewer. The vulnerability requires admin-level authentication and carries minimal real-world risk given the CVSS 2.7 score, EPSS 0.02% exploitation probability, and CISA SSVC assessment indicating no known exploitation, non-automatable attack, and only partial technical impact (confidentiality). No active exploitation has been confirmed.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated administrators to execute arbitrary SQL queries via the /rsms/admin/clients/manage_client.php endpoint, potentially exposing sensitive data with low confidentiality impact. The vulnerability requires high-privilege administrator authentication and carries minimal real-world risk (EPSS 0.02%, SSVC indicates no exploitation activity), but represents a common code quality issue in open-source PHP applications that warrants remediation during security updates.
SQL Injection in Sourcecodester Online Resort Management System v1.0 allows authenticated administrators to extract or modify database contents via the /orms/admin/rooms/manage_room.php endpoint. The vulnerability requires high-privilege administrative access and has minimal real-world impact given the CVSS score of 2.7, EPSS exploitation probability of 0.02%, and CISA SSVC determination of non-exploitable status with only partial technical impact. No active exploitation has been confirmed.
SQL injection in Sourcecodester Online Resort Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /orms/admin/reservations/view_details.php endpoint, resulting in limited information disclosure. The vulnerability requires administrative access and carries minimal real-world risk due to CVSS 2.7, EPSS 0.02% (6th percentile), and SSVC framework assessment indicating no active exploitation and non-automatable attack requirements.
SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privileged authenticated attackers to query the database with limited confidentiality impact via the /orms/admin/rooms/view_room.php endpoint. The CVSS score of 2.7 and EPSS percentile of 6% reflect low real-world exploitation probability; SSVC assessment confirms no known automated exploit path and only partial technical impact (information disclosure). No public exploit code or active exploitation has been identified.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0's /otas/view_archive.php endpoint allows remote unauthenticated attackers to manipulate database queries, potentially extracting sensitive thesis data, authentication credentials, or modifying database contents. No public exploit identified at time of analysis, with minimal observed exploitation probability (EPSS 0.01%, 2nd percentile). The vulnerability affects a PHP-based academic archiving platform with limited deployment footprint.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0 allows high-privilege authenticated attackers to extract sensitive information via the /otas/projects_per_department.php endpoint. The vulnerability requires admin-level credentials (PR:H per CVSS) and has minimal confidentiality impact with an EPSS score of 0.01%, indicating very low real-world exploitation probability despite public disclosure on GitHub.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0 at /otas/admin/curriculum/manage_curriculum.php allows authenticated high-privileged administrators to extract sensitive database information through unsanitized query parameters. With a CVSS score of 2.7 and EPSS of 0.01% (2nd percentile), this vulnerability presents minimal real-world risk despite valid SQL injection mechanics, as exploitation requires admin-level credentials and yields only confidentiality impact. No public exploit code or active exploitation has been confirmed.
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.
A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.
SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).
SQL injection in CodeAstro Online Classroom allows authenticated remote attackers to execute arbitrary SQL queries via the Q1 parameter in /OnlineClassroom/takeassessment2.php, enabling data exfiltration and modification with CVSS 6.3 severity; publicly available exploit code exists and the vulnerability affects all versions of the product.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the equipname parameter in /del.php, enabling data exfiltration, modification, and potential denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.3 with confirmed exploitation potential (E:P rating).
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_hpatient.php, leading to unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists (CVSS 6.3, attack vector network, low complexity, requires valid credentials). This is not confirmed as actively exploited by CISA but poses immediate risk given public POC availability and low exploitation complexity.
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the hem_id parameter in /hematology_print.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code, though no CISA KEV confirmation indicates active widespread exploitation at time of analysis.
SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.
SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.
SQL injection in Fortinet FortiDDoS-F 7.2.1-7.2.2 allows authenticated remote attackers to execute unauthorized code or commands with high impact to confidentiality, integrity, and availability. The vulnerability resides in the web management interface and requires low attack complexity with no user interaction. No public exploit identified at time of analysis, with EPSS data not yet available for this recently disclosed CVE.
SQL injection in Fortinet FortiClientEMS 7.0 through 7.4.5 allows high-privileged local attackers to execute unauthorized code or commands with high integrity and confidentiality impact. The vulnerability requires local access and high privileges (PR:H per CVSS vector), making it a risk primarily in environments where administrative users are untrusted or compromised. CISA SSVC framework rates this as non-exploitable via automation due to privilege requirements, though the technical impact is total (confidentiality, integrity, and availability compromise). No public exploit code has been identified at the time of analysis.
SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.
SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.
SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.
SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/manage_employee.php file. The CVSS score of 2.7 reflects limited impact (confidentiality only, no integrity or availability loss) and high authentication barriers (administrator role required). No public exploit code or active exploitation has been confirmed.
SQL Injection in SourceCodester Storage Unit Rental Management System v1.0 allows authenticated administrative users to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_storage_unit.php endpoint. The vulnerability requires high-privilege access (PR:H) and returns only limited information (confidentiality impact only), resulting in a low CVSS score of 2.7. No public exploit code or active exploitation has been confirmed at the time of analysis.
SQL injection in SourceCodester Storage Unit Rental Management System v1.0 allows high-privileged authenticated attackers to read sensitive database contents via crafted input in /storage/admin/rents/manage_rent.php. The vulnerability requires administrator-level access and produces only limited information disclosure with no impact on data integrity or availability. EPSS and SSVC assessments indicate minimal real-world exploitation risk due to authentication barrier and non-automatable attack requirements.
SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privileged remote attackers to read sensitive data through the /storage/admin/tenants/view_details.php endpoint. With a CVSS score of 2.7 and requirement for high administrative privileges (PR:H), this vulnerability has minimal real-world impact despite the SQL injection class; however, it represents a privilege-abuse risk within already-compromised administrative contexts. No public exploit code or active exploitation has been confirmed.
SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privilege authenticated administrators to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_pricing.php endpoint, resulting in partial confidentiality impact. The CVSS score of 2.7 reflects the requirement for high administrative privileges and absence of integrity or availability impact, placing this as a low-risk vulnerability despite the SQL injection classification. No public exploit code or active exploitation has been identified.
SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/view_att.php endpoint, potentially disclosing sensitive employee attendance data. The vulnerability requires administrative credentials and carries low real-world risk despite SQL injection's severity class, as evidenced by CVSS 2.7 and SSVC designation of no exploitation likelihood with partial technical impact. No public exploit code or active exploitation has been identified.
SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege remote attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/view_employee.php endpoint. CVSS 2.7 reflects high authentication barriers (PR:H requires admin access), no automatable exploitation per SSVC, and confidentiality impact only. No public exploit code or active exploitation confirmed at time of analysis.
SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to extract sensitive database information via the /wfh_attendance/admin/manage_department.php endpoint. The CVSS 2.7 score reflects low real-world risk due to the requirement for high-privilege administrative credentials and confidentiality-only impact; no public exploit code has been identified, and the vulnerability is not confirmed as actively exploited.
SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/attendance_list.php endpoint, enabling unauthorized data disclosure with low confidentiality impact. The vulnerability requires administrator-level access and carries minimal real-world risk due to high privilege requirements and low exploitability (SSVC exploitation status: none), though it represents a defense-in-depth failure in an administrative function.
SourceCodester Patient Appointment Scheduler System v1.0 suffers from SQL injection in the SystemSettings.php update_settings function, allowing authenticated high-privilege administrators to execute arbitrary SQL queries. While tagged as RCE, the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and SSVC framework indicate limited confidentiality impact with no confirmed integrity or availability consequences; this is primarily a SQL injection vulnerability requiring administrative credentials with no public exploit code identified at time of analysis.
SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege users to read sensitive database information via the /scheduler/admin/appointments/view_details.php endpoint. The vulnerability requires administrative credentials and network access but carries low real-world risk due to restrictive authentication requirements (PR:H), limited scope of impact (confidentiality only), and CVSS score of 2.7. No public exploit code or active exploitation has been identified.
SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege administrators to read sensitive data through the /scheduler/admin/appointments/manage_appointment.php endpoint. The vulnerability requires administrative credentials and does not enable data modification or denial of service, limiting real-world impact despite network-accessible exposure. CVSS score of 2.7 reflects the high authentication barrier and confidentiality-only impact; CISA SSVC framework rates exploitation as 'none' with no automatable attack path.
SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 at /scheduler/admin/user/manage_user.php allows high-privilege authenticated attackers to read sensitive data via crafted SQL queries. CVSS score of 2.7 reflects the requirement for high administrative privileges (PR:H), limiting real-world impact. SSVC framework confirms no known active exploitation, non-automatable attack, and partial technical impact (confidentiality only). This is a low-severity vulnerability constrained by authentication requirements despite the presence of a SQL injection flaw.
SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.
A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.
Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.
SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.
SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati
A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /equipments.php, leading to unauthorized data access or modification. The CVSS score of 5.3 reflects low confidentiality and integrity impact, and the extremely low EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite publicly available exploit code.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /employees.php, resulting in confidentiality, integrity, and authenticity breaches. The vulnerability requires low-privilege authentication and has publicly available exploit code, elevating practical risk despite the moderate CVSS score of 6.3.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Username parameter in /ajax.php?action=login. The vulnerability enables low-complexity attacks requiring no user interaction, with publicly available exploit code (EPSS probability data not provided, not listed in CISA KEV). Attackers can compromise confidentiality, integrity, and availability of the pharmacy inventory database without authentication.
SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.
SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=delete_sales, with publicly available exploit code and evidence of active proof-of-concept publication.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=chk_prod_availability, enabling unauthorized data access and modification. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed proof-of-concept code available on GitHub.
SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /web/index.php and execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score reflecting moderate confidentiality, integrity, and availability impact across the network-accessible endpoint.
SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the User parameter in /web/admin/login.php, enabling database query manipulation with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, increasing real-world attack likelihood despite the moderate CVSS score of 6.9.
SQL injection in code-projects Faculty Management System 1.0 via the ID parameter in /subject-print.php allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate or modify database contents with low confidentiality and integrity impact. Publicly available exploit code exists, creating immediate operational risk for organizations running this system.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the VEHICLE_ID parameter in /util/UpdateVehicleFunction.php, achieving confidentiality and integrity compromise. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score with confirmed exploitability (E:P rating).
SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.
SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /util/Login_check.php, leading to unauthorized data access or modification. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite its low-to-moderate CVSS score of 6.9.
SQL injection in Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the cata parameter in /addcat.php. The vulnerability has CVSS 6.9 (network-accessible, low complexity) and publicly available exploit code exists, making it a practical attack vector for data exfiltration and manipulation in this PHP-based application.
SQL injection in code-projects Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the cat parameter in /catageory.php, enabling data exfiltration and potential database manipulation. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed low impact to confidentiality, integrity, and availability. Active exploitation status has not been confirmed at time of analysis, but the accessible nature of the vulnerability and public exploit availability elevate operational risk.
SQL injection in code-projects Simple ChatBox up to version 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via manipulation of the msg parameter in the /chatbox/insert.php endpoint, leading to confidentiality and integrity compromise. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, increasing real-world risk despite the moderate base score.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the STAFF_ID parameter in /util/StaffDetailsFunction.php, enabling unauthorized database access with limited confidentiality and integrity impact. Public exploit code is available, and the vulnerability has a CVSS score of 6.9 with confirmed exploitability.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to read, modify, or delete database contents via the STAFF_ID parameter in /util/StaffAddingFunction.php. CVSS score of 7.3 (High) reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier, though no active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the CUSTOMER_ID parameter in /util/PaymentStatusFunction.php. CVSS 7.3 (High) with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis, creating an urgent risk for exposed deployments.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in /util/BookVehicleFunction.php. The vulnerability has publicly available exploit code (GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects medium-severity impacts across confidentiality, integrity, and availability. No vendor patch has been identified at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no user interaction required. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication barrier, creating immediate risk for internet-exposed instances.
SQL injection in tushar-2223 Hotel Management System /admin/roomdelete.php allows unauthenticated remote attackers to manipulate database queries via the ID parameter, potentially compromising confidentiality, integrity, and availability of hotel management data. Publicly available exploit code exists (CVSS 7.3, EPSS not provided). The vulnerability affects all versions up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 in this rolling-release project, and the maintainer has not responded to responsible disclosure attempts.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/inquiries/view_details.php allows high-privileged authenticated administrators to extract limited data via crafted SQL queries. The vulnerability requires admin-level access and produces only confidentiality impact with minimal real-world exploitation likelihood (EPSS 0.02%, CVSS 2.7, SSVC framework indicates no practical exploitation path).
SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract limited information from the database via crafted input to /librarysystem/load_book.php. The vulnerability requires administrative credentials and has very low real-world risk (EPSS 0.02%, CVSS 2.7) with no public exploit code identified; CISA does not list it as actively exploited.
SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /librarysystem/load_admin.php endpoint. The vulnerability requires administrative authentication, limiting exposure to compromised or malicious admin accounts. EPSS exploitation probability is minimal at 0.02% (6th percentile), and no public exploit code has been identified, making this a low-priority issue despite the SQL injection vector.
SQL injection in Sourcecodester Basic Library System v1.0 at /librarysystem/load_student.php allows high-privilege authenticated attackers to read sensitive database information. The vulnerability requires administrative-level privileges and manual user interaction is absent, but real-world risk is minimal due to extremely low EPSS score (0.02%), CVSS severity of 2.7, and CISA SSVC assessment indicating no exploitation activity, non-automatable conditions, and only partial technical impact.
SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated attackers to conduct limited information disclosure through the exam update functionality at /system/system/admins/assessments/examproper/exam-update.php. The vulnerability carries minimal real-world risk due to required administrative privileges (PR:H), low EPSS exploitation probability (0.02%), and CISA SSVC assessment indicating no exploitation trend, non-automatable attack, and only partial technical impact.
SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated users to extract limited data via a crafted SQL query in the questions-view.php endpoint. The vulnerability requires administrator-level credentials and lacks evidence of active exploitation or public exploit tooling, resulting in a minimal real-world risk profile despite confirmed SQL injection capability.
SQL injection in Sourcecodester Cab Management System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /cms/admin/categories/view_category.php endpoint. The vulnerability requires administrative credentials and has minimal real-world impact (CVSS 2.7, EPSS 0.02%), with no evidence of active exploitation or public exploit code.
SQL Injection in Sourcecodester Cab Management System 1.0 allows high-privilege administrators to extract limited database information via the /cms/admin/bookings/view_booking.php endpoint. The vulnerability requires authenticated admin access and carries minimal real-world risk given its low EPSS score (0.02%) and CISA SSVC assessment indicating no exploitation status, non-automatable exploitation, and only partial technical impact.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/services/view_service.php allows authenticated administrators to extract sensitive database information with low complexity. The vulnerability requires high-privilege (admin) access and does not enable data modification or denial of service, limiting real-world impact despite the unauthenticated attack vector network availability. No active exploitation or public proof-of-concept tools have been confirmed; EPSS score of 0.02% and SSVC framework rating 'none' exploitation status indicate minimal practical risk despite CVSS 2.7 rating.
SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privilege authenticated attackers to read sensitive application data via crafted input to the /orms/admin/activities/manage_activity.php endpoint. The vulnerability requires administrator-level credentials and produces only confidentiality impact with negligible real-world exploitation risk, as indicated by 0.02% EPSS score and CISA SSVC partial technical impact assessment.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/repairs/manage_repair.php allows authenticated administrators to extract or modify limited database information. The attack requires high-level administrative privileges and produces only confidentiality impact; EPSS probability is minimal (0.02%), and CISA SSVC assessment indicates no evidence of real-world exploitation.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated high-privilege users to read sensitive database content via crafted input in the repairs details viewer. The vulnerability requires admin-level authentication and carries minimal real-world risk given the CVSS 2.7 score, EPSS 0.02% exploitation probability, and CISA SSVC assessment indicating no known exploitation, non-automatable attack, and only partial technical impact (confidentiality). No active exploitation has been confirmed.
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated administrators to execute arbitrary SQL queries via the /rsms/admin/clients/manage_client.php endpoint, potentially exposing sensitive data with low confidentiality impact. The vulnerability requires high-privilege administrator authentication and carries minimal real-world risk (EPSS 0.02%, SSVC indicates no exploitation activity), but represents a common code quality issue in open-source PHP applications that warrants remediation during security updates.
SQL Injection in Sourcecodester Online Resort Management System v1.0 allows authenticated administrators to extract or modify database contents via the /orms/admin/rooms/manage_room.php endpoint. The vulnerability requires high-privilege administrative access and has minimal real-world impact given the CVSS score of 2.7, EPSS exploitation probability of 0.02%, and CISA SSVC determination of non-exploitable status with only partial technical impact. No active exploitation has been confirmed.
SQL injection in Sourcecodester Online Resort Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /orms/admin/reservations/view_details.php endpoint, resulting in limited information disclosure. The vulnerability requires administrative access and carries minimal real-world risk due to CVSS 2.7, EPSS 0.02% (6th percentile), and SSVC framework assessment indicating no active exploitation and non-automatable attack requirements.
SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privileged authenticated attackers to query the database with limited confidentiality impact via the /orms/admin/rooms/view_room.php endpoint. The CVSS score of 2.7 and EPSS percentile of 6% reflect low real-world exploitation probability; SSVC assessment confirms no known automated exploit path and only partial technical impact (information disclosure). No public exploit code or active exploitation has been identified.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0's /otas/view_archive.php endpoint allows remote unauthenticated attackers to manipulate database queries, potentially extracting sensitive thesis data, authentication credentials, or modifying database contents. No public exploit identified at time of analysis, with minimal observed exploitation probability (EPSS 0.01%, 2nd percentile). The vulnerability affects a PHP-based academic archiving platform with limited deployment footprint.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0 allows high-privilege authenticated attackers to extract sensitive information via the /otas/projects_per_department.php endpoint. The vulnerability requires admin-level credentials (PR:H per CVSS) and has minimal confidentiality impact with an EPSS score of 0.01%, indicating very low real-world exploitation probability despite public disclosure on GitHub.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0 at /otas/admin/curriculum/manage_curriculum.php allows authenticated high-privileged administrators to extract sensitive database information through unsanitized query parameters. With a CVSS score of 2.7 and EPSS of 0.01% (2nd percentile), this vulnerability presents minimal real-world risk despite valid SQL injection mechanics, as exploitation requires admin-level credentials and yields only confidentiality impact. No public exploit code or active exploitation has been confirmed.
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.
A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.
SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).
SQL injection in CodeAstro Online Classroom allows authenticated remote attackers to execute arbitrary SQL queries via the Q1 parameter in /OnlineClassroom/takeassessment2.php, enabling data exfiltration and modification with CVSS 6.3 severity; publicly available exploit code exists and the vulnerability affects all versions of the product.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the equipname parameter in /del.php, enabling data exfiltration, modification, and potential denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.3 with confirmed exploitation potential (E:P rating).
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_hpatient.php, leading to unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists (CVSS 6.3, attack vector network, low complexity, requires valid credentials). This is not confirmed as actively exploited by CISA but poses immediate risk given public POC availability and low exploitation complexity.
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the hem_id parameter in /hematology_print.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code, though no CISA KEV confirmation indicates active widespread exploitation at time of analysis.
SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.