Skip to main content

SQLi

15167 CVEs technique

Monthly

CVE-2026-32167 MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD VulDB
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-61848 HIGH This Week

SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.

Fortinet SQLi
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-39815 HIGH This Week

SQL injection in Fortinet FortiDDoS-F 7.2.1-7.2.2 allows authenticated remote attackers to execute unauthorized code or commands with high impact to confidentiality, integrity, and availability. The vulnerability resides in the web management interface and requires low attack complexity with no user interaction. No public exploit identified at time of analysis, with EPSS data not yet available for this recently disclosed CVE.

Fortinet SQLi
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-39809 MEDIUM This Month

SQL injection in Fortinet FortiClientEMS 7.0 through 7.4.5 allows high-privileged local attackers to execute unauthorized code or commands with high integrity and confidentiality impact. The vulnerability requires local access and high privileges (PR:H per CVSS vector), making it a risk primarily in environments where administrative users are untrusted or compromised. CISA SSVC framework rates this as non-exploitable via automation due to privilege requirements, though the technical impact is total (confidentiality, integrity, and availability compromise). No public exploit code has been identified at the time of analysis.

Fortinet SQLi
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-40315 PyPI HIGH PATCH This Week

SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.

SQLi Praisonai
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-4352 HIGH This Week

SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27681 CRITICAL Act Now

SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.

SAP SQLi
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-37595 LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/manage_employee.php file. The CVSS score of 2.7 reflects limited impact (confidentiality only, no integrity or availability loss) and high authentication barriers (administrator role required). No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37589 LOW Monitor

SQL Injection in SourceCodester Storage Unit Rental Management System v1.0 allows authenticated administrative users to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_storage_unit.php endpoint. The vulnerability requires high-privilege access (PR:H) and returns only limited information (confidentiality impact only), resulting in a low CVSS score of 2.7. No public exploit code or active exploitation has been confirmed at the time of analysis.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37590 LOW Monitor

SQL injection in SourceCodester Storage Unit Rental Management System v1.0 allows high-privileged authenticated attackers to read sensitive database contents via crafted input in /storage/admin/rents/manage_rent.php. The vulnerability requires administrator-level access and produces only limited information disclosure with no impact on data integrity or availability. EPSS and SSVC assessments indicate minimal real-world exploitation risk due to authentication barrier and non-automatable attack requirements.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37591 LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privileged remote attackers to read sensitive data through the /storage/admin/tenants/view_details.php endpoint. With a CVSS score of 2.7 and requirement for high administrative privileges (PR:H), this vulnerability has minimal real-world impact despite the SQL injection class; however, it represents a privilege-abuse risk within already-compromised administrative contexts. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37592 LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privilege authenticated administrators to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_pricing.php endpoint, resulting in partial confidentiality impact. The CVSS score of 2.7 reflects the requirement for high administrative privileges and absence of integrity or availability impact, placing this as a low-risk vulnerability despite the SQL injection classification. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37593 LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/view_att.php endpoint, potentially disclosing sensitive employee attendance data. The vulnerability requires administrative credentials and carries low real-world risk despite SQL injection's severity class, as evidenced by CVSS 2.7 and SSVC designation of no exploitation likelihood with partial technical impact. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37594 LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege remote attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/view_employee.php endpoint. CVSS 2.7 reflects high authentication barriers (PR:H requires admin access), no automatable exploitation per SSVC, and confidentiality impact only. No public exploit code or active exploitation confirmed at time of analysis.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37596 LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to extract sensitive database information via the /wfh_attendance/admin/manage_department.php endpoint. The CVSS 2.7 score reflects low real-world risk due to the requirement for high-privilege administrative credentials and confidentiality-only impact; no public exploit code has been identified, and the vulnerability is not confirmed as actively exploited.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37597 LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/attendance_list.php endpoint, enabling unauthorized data disclosure with low confidentiality impact. The vulnerability requires administrator-level access and carries minimal real-world risk due to high privilege requirements and low exploitability (SSVC exploitation status: none), though it represents a defense-in-depth failure in an administrative function.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37598 LOW Monitor

SourceCodester Patient Appointment Scheduler System v1.0 suffers from SQL injection in the SystemSettings.php update_settings function, allowing authenticated high-privilege administrators to execute arbitrary SQL queries. While tagged as RCE, the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and SSVC framework indicate limited confidentiality impact with no confirmed integrity or availability consequences; this is primarily a SQL injection vulnerability requiring administrative credentials with no public exploit code identified at time of analysis.

PHP RCE SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37600 LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege users to read sensitive database information via the /scheduler/admin/appointments/view_details.php endpoint. The vulnerability requires administrative credentials and network access but carries low real-world risk due to restrictive authentication requirements (PR:H), limited scope of impact (confidentiality only), and CVSS score of 2.7. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37601 LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege administrators to read sensitive data through the /scheduler/admin/appointments/manage_appointment.php endpoint. The vulnerability requires administrative credentials and does not enable data modification or denial of service, limiting real-world impact despite network-accessible exposure. CVSS score of 2.7 reflects the high authentication barrier and confidentiality-only impact; CISA SSVC framework rates exploitation as 'none' with no automatable attack path.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-37602 LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 at /scheduler/admin/user/manage_user.php allows high-privilege authenticated attackers to read sensitive data via crafted SQL queries. CVSS score of 2.7 reflects the requirement for high administrative privileges (PR:H), limiting real-world impact. SSVC framework confirms no known active exploitation, non-automatable attack, and partial technical impact (confidentiality only). This is a low-severity vulnerability constrained by authentication requirements despite the presence of a SQL injection flaw.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-63939 CRITICAL Act Now

SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-65133 CRITICAL Act Now

A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.

SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-65135 CRITICAL Act Now

Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-38528 HIGH This Week

SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.

PHP SQLi
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32272 PHP HIGH PATCH GHSA This Week

SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.

Privilege Escalation SQLi Commerce
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32271 PHP HIGH PATCH GHSA This Week

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati

SQLi Deserialization RCE PHP
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-6202 LOW POC Monitor

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6193 MEDIUM POC This Month

A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6191 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /equipments.php, leading to unauthorized data access or modification. The CVSS score of 5.3 reflects low confidentiality and integrity impact, and the extremely low EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite publicly available exploit code.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6190 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /employees.php, resulting in confidentiality, integrity, and authenticity breaches. The vulnerability requires low-privilege authentication and has publicly available exploit code, elevating practical risk despite the moderate CVSS score of 6.3.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6189 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Username parameter in /ajax.php?action=login. The vulnerability enables low-complexity attacks requiring no user interaction, with publicly available exploit code (EPSS probability data not provided, not listed in CISA KEV). Attackers can compromise confidentiality, integrity, and availability of the pharmacy inventory database without authentication.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-34186 HIGH This Week

SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.

SQLi Pandora Fms
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-30813 HIGH This Week

SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.

SQLi Pandora Fms
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6188 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=delete_sales, with publicly available exploit code and evidence of active proof-of-concept publication.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6187 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=chk_prod_availability, enabling unauthorized data access and modification. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed proof-of-concept code available on GitHub.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6183 MEDIUM POC This Month

SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /web/index.php and execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score reflecting moderate confidentiality, integrity, and availability impact across the network-accessible endpoint.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6182 MEDIUM POC This Month

SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the User parameter in /web/admin/login.php, enabling database query manipulation with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, increasing real-world attack likelihood despite the moderate CVSS score of 6.9.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6167 MEDIUM POC This Month

SQL injection in code-projects Faculty Management System 1.0 via the ID parameter in /subject-print.php allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate or modify database contents with low confidentiality and integrity impact. Publicly available exploit code exists, creating immediate operational risk for organizations running this system.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6166 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the VEHICLE_ID parameter in /util/UpdateVehicleFunction.php, achieving confidentiality and integrity compromise. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score with confirmed exploitability (E:P rating).

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3830 HIGH POC PATCH This Week

SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.

SQLi WordPress
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-15441 MEDIUM POC PATCH This Month

SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.

SQLi WordPress
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-6165 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /util/Login_check.php, leading to unauthorized data access or modification. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite its low-to-moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6164 MEDIUM POC This Month

SQL injection in Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the cata parameter in /addcat.php. The vulnerability has CVSS 6.9 (network-accessible, low complexity) and publicly available exploit code exists, making it a practical attack vector for data exfiltration and manipulation in this PHP-based application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6163 MEDIUM POC This Month

SQL injection in code-projects Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the cat parameter in /catageory.php, enabling data exfiltration and potential database manipulation. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed low impact to confidentiality, integrity, and availability. Active exploitation status has not been confirmed at time of analysis, but the accessible nature of the vulnerability and public exploit availability elevate operational risk.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6161 MEDIUM POC This Month

SQL injection in code-projects Simple ChatBox up to version 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via manipulation of the msg parameter in the /chatbox/insert.php endpoint, leading to confidentiality and integrity compromise. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, increasing real-world risk despite the moderate base score.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6153 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the STAFF_ID parameter in /util/StaffDetailsFunction.php, enabling unauthorized database access with limited confidentiality and integrity impact. Public exploit code is available, and the vulnerability has a CVSS score of 6.9 with confirmed exploitability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6152 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to read, modify, or delete database contents via the STAFF_ID parameter in /util/StaffAddingFunction.php. CVSS score of 7.3 (High) reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier, though no active exploitation confirmed via CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6151 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the CUSTOMER_ID parameter in /util/PaymentStatusFunction.php. CVSS 7.3 (High) with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis, creating an urgent risk for exposed deployments.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6149 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in /util/BookVehicleFunction.php. The vulnerability has publicly available exploit code (GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects medium-severity impacts across confidentiality, integrity, and availability. No vendor patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6148 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no user interaction required. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication barrier, creating immediate risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6142 MEDIUM POC This Month

SQL injection in tushar-2223 Hotel Management System /admin/roomdelete.php allows unauthenticated remote attackers to manipulate database queries via the ID parameter, potentially compromising confidentiality, integrity, and availability of hotel management data. Publicly available exploit code exists (CVSS 7.3, EPSS not provided). The vulnerability affects all versions up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 in this rolling-release project, and the maintainer has not responded to responsible disclosure attempts.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-36946 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/inquiries/view_details.php allows high-privileged authenticated administrators to extract limited data via crafted SQL queries. The vulnerability requires admin-level access and produces only confidentiality impact with minimal real-world exploitation likelihood (EPSS 0.02%, CVSS 2.7, SSVC framework indicates no practical exploitation path).

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36872 LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract limited information from the database via crafted input to /librarysystem/load_book.php. The vulnerability requires administrative credentials and has very low real-world risk (EPSS 0.02%, CVSS 2.7) with no public exploit code identified; CISA does not list it as actively exploited.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36873 LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /librarysystem/load_admin.php endpoint. The vulnerability requires administrative authentication, limiting exposure to compromised or malicious admin accounts. EPSS exploitation probability is minimal at 0.02% (6th percentile), and no public exploit code has been identified, making this a low-priority issue despite the SQL injection vector.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36874 LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 at /librarysystem/load_student.php allows high-privilege authenticated attackers to read sensitive database information. The vulnerability requires administrative-level privileges and manual user interaction is absent, but real-world risk is minimal due to extremely low EPSS score (0.02%), CVSS severity of 2.7, and CISA SSVC assessment indicating no exploitation activity, non-automatable conditions, and only partial technical impact.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36919 LOW Monitor

SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated attackers to conduct limited information disclosure through the exam update functionality at /system/system/admins/assessments/examproper/exam-update.php. The vulnerability carries minimal real-world risk due to required administrative privileges (PR:H), low EPSS exploitation probability (0.02%), and CISA SSVC assessment indicating no exploitation trend, non-automatable attack, and only partial technical impact.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36920 LOW Monitor

SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated users to extract limited data via a crafted SQL query in the questions-view.php endpoint. The vulnerability requires administrator-level credentials and lacks evidence of active exploitation or public exploit tooling, resulting in a minimal real-world risk profile despite confirmed SQL injection capability.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36922 LOW Monitor

SQL injection in Sourcecodester Cab Management System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /cms/admin/categories/view_category.php endpoint. The vulnerability requires administrative credentials and has minimal real-world impact (CVSS 2.7, EPSS 0.02%), with no evidence of active exploitation or public exploit code.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36923 LOW Monitor

SQL Injection in Sourcecodester Cab Management System 1.0 allows high-privilege administrators to extract limited database information via the /cms/admin/bookings/view_booking.php endpoint. The vulnerability requires authenticated admin access and carries minimal real-world risk given its low EPSS score (0.02%) and CISA SSVC assessment indicating no exploitation status, non-automatable exploitation, and only partial technical impact.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36947 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/services/view_service.php allows authenticated administrators to extract sensitive database information with low complexity. The vulnerability requires high-privilege (admin) access and does not enable data modification or denial of service, limiting real-world impact despite the unauthenticated attack vector network availability. No active exploitation or public proof-of-concept tools have been confirmed; EPSS score of 0.02% and SSVC framework rating 'none' exploitation status indicate minimal practical risk despite CVSS 2.7 rating.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36942 LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privilege authenticated attackers to read sensitive application data via crafted input to the /orms/admin/activities/manage_activity.php endpoint. The vulnerability requires administrator-level credentials and produces only confidentiality impact with negligible real-world exploitation risk, as indicated by 0.02% EPSS score and CISA SSVC partial technical impact assessment.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36943 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/repairs/manage_repair.php allows authenticated administrators to extract or modify limited database information. The attack requires high-level administrative privileges and produces only confidentiality impact; EPSS probability is minimal (0.02%), and CISA SSVC assessment indicates no evidence of real-world exploitation.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36944 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated high-privilege users to read sensitive database content via crafted input in the repairs details viewer. The vulnerability requires admin-level authentication and carries minimal real-world risk given the CVSS 2.7 score, EPSS 0.02% exploitation probability, and CISA SSVC assessment indicating no known exploitation, non-automatable attack, and only partial technical impact (confidentiality). No active exploitation has been confirmed.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36945 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated administrators to execute arbitrary SQL queries via the /rsms/admin/clients/manage_client.php endpoint, potentially exposing sensitive data with low confidentiality impact. The vulnerability requires high-privilege administrator authentication and carries minimal real-world risk (EPSS 0.02%, SSVC indicates no exploitation activity), but represents a common code quality issue in open-source PHP applications that warrants remediation during security updates.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36941 LOW Monitor

SQL Injection in Sourcecodester Online Resort Management System v1.0 allows authenticated administrators to extract or modify database contents via the /orms/admin/rooms/manage_room.php endpoint. The vulnerability requires high-privilege administrative access and has minimal real-world impact given the CVSS score of 2.7, EPSS exploitation probability of 0.02%, and CISA SSVC determination of non-exploitable status with only partial technical impact. No active exploitation has been confirmed.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36937 LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /orms/admin/reservations/view_details.php endpoint, resulting in limited information disclosure. The vulnerability requires administrative access and carries minimal real-world risk due to CVSS 2.7, EPSS 0.02% (6th percentile), and SSVC framework assessment indicating no active exploitation and non-automatable attack requirements.

SQLi PHP
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36938 LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privileged authenticated attackers to query the database with limited confidentiality impact via the /orms/admin/rooms/view_room.php endpoint. The CVSS score of 2.7 and EPSS percentile of 6% reflect low real-world exploitation probability; SSVC assessment confirms no known automated exploit path and only partial technical impact (information disclosure). No public exploit code or active exploitation has been identified.

SQLi PHP
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36948 HIGH This Week

SQL injection in Sourcecodester Online Thesis Archiving System v1.0's /otas/view_archive.php endpoint allows remote unauthenticated attackers to manipulate database queries, potentially extracting sensitive thesis data, authentication credentials, or modifying database contents. No public exploit identified at time of analysis, with minimal observed exploitation probability (EPSS 0.01%, 2nd percentile). The vulnerability affects a PHP-based academic archiving platform with limited deployment footprint.

PHP SQLi
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-36950 LOW Monitor

SQL injection in Sourcecodester Online Thesis Archiving System v1.0 allows high-privilege authenticated attackers to extract sensitive information via the /otas/projects_per_department.php endpoint. The vulnerability requires admin-level credentials (PR:H per CVSS) and has minimal confidentiality impact with an EPSS score of 0.01%, indicating very low real-world exploitation probability despite public disclosure on GitHub.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36952 LOW Monitor

SQL injection in Sourcecodester Online Thesis Archiving System v1.0 at /otas/admin/curriculum/manage_curriculum.php allows authenticated high-privileged administrators to extract sensitive database information through unsanitized query parameters. With a CVSS score of 2.7 and EPSS of 0.01% (2nd percentile), this vulnerability presents minimal real-world risk despite valid SQL injection mechanics, as exploitation requires admin-level credentials and yields only confidentiality impact. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2019-25713 HIGH POC This Week

MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Project Management
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25710 PHP HIGH POC GHSA This Week

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25707 HIGH POC This Week

eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25703 HIGH POC This Week

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25699 HIGH POC This Week

Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure SQLi Newsbull Haber Script
NVD Exploit-DB GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25697 HIGH POC This Week

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25693 HIGH POC This Week

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP CSRF
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2018-25257 HIGH POC This Week

Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Adianti Framework
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-5207 MEDIUM This Month

SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6038 MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6037 MEDIUM POC This Month

A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6036 MEDIUM POC This Month

A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6033 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6031 MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6030 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6010 LOW POC Monitor

SQL injection in CodeAstro Online Classroom allows authenticated remote attackers to execute arbitrary SQL queries via the Q1 parameter in /OnlineClassroom/takeassessment2.php, enabling data exfiltration and modification with CVSS 6.3 severity; publicly available exploit code exists and the vulnerability affects all versions of the product.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6007 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the equipname parameter in /del.php, enabling data exfiltration, modification, and potential denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.3 with confirmed exploitation potential (E:P rating).

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6006 LOW POC Monitor

SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_hpatient.php, leading to unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists (CVSS 6.3, attack vector network, low complexity, requires valid credentials). This is not confirmed as actively exploited by CISA but poses immediate risk given public POC availability and low exploitation complexity.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6005 LOW POC Monitor

SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the hem_id parameter in /hematology_print.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code, though no CISA KEV confirmation indicates active widespread exploitation at time of analysis.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6004 MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 6.7
MEDIUM PATCH Exploit Unlikely This Month

SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack +8
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.

Fortinet SQLi
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in Fortinet FortiDDoS-F 7.2.1-7.2.2 allows authenticated remote attackers to execute unauthorized code or commands with high impact to confidentiality, integrity, and availability. The vulnerability resides in the web management interface and requires low attack complexity with no user interaction. No public exploit identified at time of analysis, with EPSS data not yet available for this recently disclosed CVE.

Fortinet SQLi
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

SQL injection in Fortinet FortiClientEMS 7.0 through 7.4.5 allows high-privileged local attackers to execute unauthorized code or commands with high integrity and confidentiality impact. The vulnerability requires local access and high privileges (PR:H per CVSS vector), making it a risk primarily in environments where administrative users are untrusted or compromised. CISA SSVC framework rates this as non-exploitable via automation due to privilege requirements, though the technical impact is total (confidentiality, integrity, and availability compromise). No public exploit code has been identified at the time of analysis.

Fortinet SQLi
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.

SQLi Praisonai
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.

WordPress SQLi
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.

SAP SQLi
NVD
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/manage_employee.php file. The CVSS score of 2.7 reflects limited impact (confidentiality only, no integrity or availability loss) and high authentication barriers (administrator role required). No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Storage Unit Rental Management System v1.0 allows authenticated administrative users to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_storage_unit.php endpoint. The vulnerability requires high-privilege access (PR:H) and returns only limited information (confidentiality impact only), resulting in a low CVSS score of 2.7. No public exploit code or active exploitation has been confirmed at the time of analysis.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Storage Unit Rental Management System v1.0 allows high-privileged authenticated attackers to read sensitive database contents via crafted input in /storage/admin/rents/manage_rent.php. The vulnerability requires administrator-level access and produces only limited information disclosure with no impact on data integrity or availability. EPSS and SSVC assessments indicate minimal real-world exploitation risk due to authentication barrier and non-automatable attack requirements.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privileged remote attackers to read sensitive data through the /storage/admin/tenants/view_details.php endpoint. With a CVSS score of 2.7 and requirement for high administrative privileges (PR:H), this vulnerability has minimal real-world impact despite the SQL injection class; however, it represents a privilege-abuse risk within already-compromised administrative contexts. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Storage Unit Rental Management System v1.0 allows high-privilege authenticated administrators to execute arbitrary SQL queries via the /storage/admin/maintenance/manage_pricing.php endpoint, resulting in partial confidentiality impact. The CVSS score of 2.7 reflects the requirement for high administrative privileges and absence of integrity or availability impact, placing this as a low-risk vulnerability despite the SQL injection classification. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privileged authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/view_att.php endpoint, potentially disclosing sensitive employee attendance data. The vulnerability requires administrative credentials and carries low real-world risk despite SQL injection's severity class, as evidenced by CVSS 2.7 and SSVC designation of no exploitation likelihood with partial technical impact. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege remote attackers to read sensitive database contents via crafted input to the /wfh_attendance/admin/view_employee.php endpoint. CVSS 2.7 reflects high authentication barriers (PR:H requires admin access), no automatable exploitation per SSVC, and confidentiality impact only. No public exploit code or active exploitation confirmed at time of analysis.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to extract sensitive database information via the /wfh_attendance/admin/manage_department.php endpoint. The CVSS 2.7 score reflects low real-world risk due to the requirement for high-privilege administrative credentials and confidentiality-only impact; no public exploit code has been identified, and the vulnerability is not confirmed as actively exploited.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Online Employees Work From Home Attendance System v1.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries via the /wfh_attendance/admin/attendance_list.php endpoint, enabling unauthorized data disclosure with low confidentiality impact. The vulnerability requires administrator-level access and carries minimal real-world risk due to high privilege requirements and low exploitability (SSVC exploitation status: none), though it represents a defense-in-depth failure in an administrative function.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SourceCodester Patient Appointment Scheduler System v1.0 suffers from SQL injection in the SystemSettings.php update_settings function, allowing authenticated high-privilege administrators to execute arbitrary SQL queries. While tagged as RCE, the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) and SSVC framework indicate limited confidentiality impact with no confirmed integrity or availability consequences; this is primarily a SQL injection vulnerability requiring administrative credentials with no public exploit code identified at time of analysis.

PHP RCE SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege users to read sensitive database information via the /scheduler/admin/appointments/view_details.php endpoint. The vulnerability requires administrative credentials and network access but carries low real-world risk due to restrictive authentication requirements (PR:H), limited scope of impact (confidentiality only), and CVSS score of 2.7. No public exploit code or active exploitation has been identified.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 allows authenticated high-privilege administrators to read sensitive data through the /scheduler/admin/appointments/manage_appointment.php endpoint. The vulnerability requires administrative credentials and does not enable data modification or denial of service, limiting real-world impact despite network-accessible exposure. CVSS score of 2.7 reflects the high authentication barrier and confidentiality-only impact; CISA SSVC framework rates exploitation as 'none' with no automatable attack path.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in SourceCodester Patient Appointment Scheduler System v1.0 at /scheduler/admin/user/manage_user.php allows high-privilege authenticated attackers to read sensitive data via crafted SQL queries. CVSS score of 2.7 reflects the requirement for high administrative privileges (PR:H), limiting real-world impact. SSVC framework confirms no known active exploitation, non-automatable attack, and partial technical impact (confidentiality only). This is a low-severity vulnerability constrained by authentication requirements despite the presence of a SQL injection flaw.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.

SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.

Privilege Escalation SQLi Commerce
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati

SQLi Deserialization RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /equipments.php, leading to unauthorized data access or modification. The CVSS score of 5.3 reflects low confidentiality and integrity impact, and the extremely low EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite publicly available exploit code.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /employees.php, resulting in confidentiality, integrity, and authenticity breaches. The vulnerability requires low-privilege authentication and has publicly available exploit code, elevating practical risk despite the moderate CVSS score of 6.3.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Username parameter in /ajax.php?action=login. The vulnerability enables low-complexity attacks requiring no user interaction, with publicly available exploit code (EPSS probability data not provided, not listed in CISA KEV). Attackers can compromise confidentiality, integrity, and availability of the pharmacy inventory database without authentication.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.

SQLi Pandora Fms
NVD
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.

SQLi Pandora Fms
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=delete_sales, with publicly available exploit code and evidence of active proof-of-concept publication.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=chk_prod_availability, enabling unauthorized data access and modification. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed proof-of-concept code available on GitHub.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /web/index.php and execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score reflecting moderate confidentiality, integrity, and availability impact across the network-accessible endpoint.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the User parameter in /web/admin/login.php, enabling database query manipulation with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, increasing real-world attack likelihood despite the moderate CVSS score of 6.9.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Faculty Management System 1.0 via the ID parameter in /subject-print.php allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate or modify database contents with low confidentiality and integrity impact. Publicly available exploit code exists, creating immediate operational risk for organizations running this system.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the VEHICLE_ID parameter in /util/UpdateVehicleFunction.php, achieving confidentiality and integrity compromise. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score with confirmed exploitability (E:P rating).

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.

SQLi WordPress
NVD WPScan VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.

SQLi WordPress
NVD WPScan VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /util/Login_check.php, leading to unauthorized data access or modification. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite its low-to-moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the cata parameter in /addcat.php. The vulnerability has CVSS 6.9 (network-accessible, low complexity) and publicly available exploit code exists, making it a practical attack vector for data exfiltration and manipulation in this PHP-based application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the cat parameter in /catageory.php, enabling data exfiltration and potential database manipulation. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed low impact to confidentiality, integrity, and availability. Active exploitation status has not been confirmed at time of analysis, but the accessible nature of the vulnerability and public exploit availability elevate operational risk.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple ChatBox up to version 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via manipulation of the msg parameter in the /chatbox/insert.php endpoint, leading to confidentiality and integrity compromise. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, increasing real-world risk despite the moderate base score.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the STAFF_ID parameter in /util/StaffDetailsFunction.php, enabling unauthorized database access with limited confidentiality and integrity impact. Public exploit code is available, and the vulnerability has a CVSS score of 6.9 with confirmed exploitability.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to read, modify, or delete database contents via the STAFF_ID parameter in /util/StaffAddingFunction.php. CVSS score of 7.3 (High) reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier, though no active exploitation confirmed via CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the CUSTOMER_ID parameter in /util/PaymentStatusFunction.php. CVSS 7.3 (High) with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis, creating an urgent risk for exposed deployments.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in /util/BookVehicleFunction.php. The vulnerability has publicly available exploit code (GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects medium-severity impacts across confidentiality, integrity, and availability. No vendor patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no user interaction required. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication barrier, creating immediate risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in tushar-2223 Hotel Management System /admin/roomdelete.php allows unauthenticated remote attackers to manipulate database queries via the ID parameter, potentially compromising confidentiality, integrity, and availability of hotel management data. Publicly available exploit code exists (CVSS 7.3, EPSS not provided). The vulnerability affects all versions up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 in this rolling-release project, and the maintainer has not responded to responsible disclosure attempts.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/inquiries/view_details.php allows high-privileged authenticated administrators to extract limited data via crafted SQL queries. The vulnerability requires admin-level access and produces only confidentiality impact with minimal real-world exploitation likelihood (EPSS 0.02%, CVSS 2.7, SSVC framework indicates no practical exploitation path).

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract limited information from the database via crafted input to /librarysystem/load_book.php. The vulnerability requires administrative credentials and has very low real-world risk (EPSS 0.02%, CVSS 2.7) with no public exploit code identified; CISA does not list it as actively exploited.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /librarysystem/load_admin.php endpoint. The vulnerability requires administrative authentication, limiting exposure to compromised or malicious admin accounts. EPSS exploitation probability is minimal at 0.02% (6th percentile), and no public exploit code has been identified, making this a low-priority issue despite the SQL injection vector.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 at /librarysystem/load_student.php allows high-privilege authenticated attackers to read sensitive database information. The vulnerability requires administrative-level privileges and manual user interaction is absent, but real-world risk is minimal due to extremely low EPSS score (0.02%), CVSS severity of 2.7, and CISA SSVC assessment indicating no exploitation activity, non-automatable conditions, and only partial technical impact.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated attackers to conduct limited information disclosure through the exam update functionality at /system/system/admins/assessments/examproper/exam-update.php. The vulnerability carries minimal real-world risk due to required administrative privileges (PR:H), low EPSS exploitation probability (0.02%), and CISA SSVC assessment indicating no exploitation trend, non-automatable attack, and only partial technical impact.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated users to extract limited data via a crafted SQL query in the questions-view.php endpoint. The vulnerability requires administrator-level credentials and lacks evidence of active exploitation or public exploit tooling, resulting in a minimal real-world risk profile despite confirmed SQL injection capability.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Cab Management System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /cms/admin/categories/view_category.php endpoint. The vulnerability requires administrative credentials and has minimal real-world impact (CVSS 2.7, EPSS 0.02%), with no evidence of active exploitation or public exploit code.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in Sourcecodester Cab Management System 1.0 allows high-privilege administrators to extract limited database information via the /cms/admin/bookings/view_booking.php endpoint. The vulnerability requires authenticated admin access and carries minimal real-world risk given its low EPSS score (0.02%) and CISA SSVC assessment indicating no exploitation status, non-automatable exploitation, and only partial technical impact.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/services/view_service.php allows authenticated administrators to extract sensitive database information with low complexity. The vulnerability requires high-privilege (admin) access and does not enable data modification or denial of service, limiting real-world impact despite the unauthenticated attack vector network availability. No active exploitation or public proof-of-concept tools have been confirmed; EPSS score of 0.02% and SSVC framework rating 'none' exploitation status indicate minimal practical risk despite CVSS 2.7 rating.

SQLi PHP N A
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privilege authenticated attackers to read sensitive application data via crafted input to the /orms/admin/activities/manage_activity.php endpoint. The vulnerability requires administrator-level credentials and produces only confidentiality impact with negligible real-world exploitation risk, as indicated by 0.02% EPSS score and CISA SSVC partial technical impact assessment.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/repairs/manage_repair.php allows authenticated administrators to extract or modify limited database information. The attack requires high-level administrative privileges and produces only confidentiality impact; EPSS probability is minimal (0.02%), and CISA SSVC assessment indicates no evidence of real-world exploitation.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated high-privilege users to read sensitive database content via crafted input in the repairs details viewer. The vulnerability requires admin-level authentication and carries minimal real-world risk given the CVSS 2.7 score, EPSS 0.02% exploitation probability, and CISA SSVC assessment indicating no known exploitation, non-automatable attack, and only partial technical impact (confidentiality). No active exploitation has been confirmed.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated administrators to execute arbitrary SQL queries via the /rsms/admin/clients/manage_client.php endpoint, potentially exposing sensitive data with low confidentiality impact. The vulnerability requires high-privilege administrator authentication and carries minimal real-world risk (EPSS 0.02%, SSVC indicates no exploitation activity), but represents a common code quality issue in open-source PHP applications that warrants remediation during security updates.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL Injection in Sourcecodester Online Resort Management System v1.0 allows authenticated administrators to extract or modify database contents via the /orms/admin/rooms/manage_room.php endpoint. The vulnerability requires high-privilege administrative access and has minimal real-world impact given the CVSS score of 2.7, EPSS exploitation probability of 0.02%, and CISA SSVC determination of non-exploitable status with only partial technical impact. No active exploitation has been confirmed.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /orms/admin/reservations/view_details.php endpoint, resulting in limited information disclosure. The vulnerability requires administrative access and carries minimal real-world risk due to CVSS 2.7, EPSS 0.02% (6th percentile), and SSVC framework assessment indicating no active exploitation and non-automatable attack requirements.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privileged authenticated attackers to query the database with limited confidentiality impact via the /orms/admin/rooms/view_room.php endpoint. The CVSS score of 2.7 and EPSS percentile of 6% reflect low real-world exploitation probability; SSVC assessment confirms no known automated exploit path and only partial technical impact (information disclosure). No public exploit code or active exploitation has been identified.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Sourcecodester Online Thesis Archiving System v1.0's /otas/view_archive.php endpoint allows remote unauthenticated attackers to manipulate database queries, potentially extracting sensitive thesis data, authentication credentials, or modifying database contents. No public exploit identified at time of analysis, with minimal observed exploitation probability (EPSS 0.01%, 2nd percentile). The vulnerability affects a PHP-based academic archiving platform with limited deployment footprint.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Thesis Archiving System v1.0 allows high-privilege authenticated attackers to extract sensitive information via the /otas/projects_per_department.php endpoint. The vulnerability requires admin-level credentials (PR:H per CVSS) and has minimal confidentiality impact with an EPSS score of 0.01%, indicating very low real-world exploitation probability despite public disclosure on GitHub.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

SQL injection in Sourcecodester Online Thesis Archiving System v1.0 at /otas/admin/curriculum/manage_curriculum.php allows authenticated high-privileged administrators to extract sensitive database information through unsanitized query parameters. With a CVSS score of 2.7 and EPSS of 0.01% (2nd percentile), this vulnerability presents minimal real-world risk despite valid SQL injection mechanics, as exploitation requires admin-level credentials and yields only confidentiality impact. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Project Management
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure SQLi Newsbull Haber Script
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Adianti Framework
NVD Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Online Classroom allows authenticated remote attackers to execute arbitrary SQL queries via the Q1 parameter in /OnlineClassroom/takeassessment2.php, enabling data exfiltration and modification with CVSS 6.3 severity; publicly available exploit code exists and the vulnerability affects all versions of the product.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the equipname parameter in /del.php, enabling data exfiltration, modification, and potential denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.3 with confirmed exploitation potential (E:P rating).

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_hpatient.php, leading to unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists (CVSS 6.3, attack vector network, low complexity, requires valid credentials). This is not confirmed as actively exploited by CISA but poses immediate risk given public POC availability and low exploitation complexity.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the hem_id parameter in /hematology_print.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code, though no CISA KEV confirmation indicates active widespread exploitation at time of analysis.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.

SQLi PHP
NVD VulDB GitHub
Prev Page 14 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy