Skip to main content

SQLi

15169 CVEs technique

Monthly

CVE-2026-33545 PyPI MEDIUM PATCH This Month

A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

SQLi Denial Of Service Information Disclosure Python Apple +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23921 HIGH PATCH This Week

A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.

PHP SQLi Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33539 npm HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation Node.js PostgreSQL SQLi
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25643 HIGH POC This Week

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25642 HIGH POC This Week

Unauthenticated SQL injection in Bootstrapy CMS allows remote attackers to extract sensitive database information or cause denial of service through multiple POST parameters in forum and contact modules. The vulnerability affects forum-thread.php (thread_id), contact-submit.php (subject), and post-new-submit.php (post-id) endpoints. Public exploit code exists via Exploit-DB #46590, though EPSS probability remains low at 0.06% (19th percentile), suggesting limited real-world exploitation despite ease of attack (AV:N/AC:L/PR:N). SSVC framework confirms proof-of-concept availability and automated exploitation potential with partial technical impact.

PHP SQLi Denial Of Service Bootstrap
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25641 HIGH POC This Week

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25640 HIGH POC This Week

SQL injection in Inout Article Base CMS allows remote unauthenticated attackers to extract sensitive database information or cause denial of service through malicious XOR-based and time-based SQL payloads injected via 'p' and 'u' parameters in GET requests to portalLogin.php. Public exploit code demonstrates the attack (Exploit-DB 46593), though EPSS scoring indicates low probability of widespread exploitation (0.06%, 19th percentile). No vendor patch has been identified, and the vendor website reference provides no security advisory, leaving deployments at continued risk.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25639 HIGH POC This Week

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25638 HIGH POC This Week

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25636 HIGH POC This Week

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25635 HIGH POC This Week

Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zeeways Matrimony Cms
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-4662 HIGH This Week

The JetEngine plugin for WordPress contains a SQL injection vulnerability in the listing_load_more AJAX action that allows unauthenticated attackers to extract sensitive database information. All versions up to and including 3.8.6.1 are affected. The vulnerability exists on sites using JetEngine Listing Grid with Load More functionality enabled and SQL Query Builder queries, with a CVSS score of 7.5 indicating high severity for confidentiality impact.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4632 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4625 MEDIUM POC This Month

SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4624 MEDIUM POC This Month

SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3079 MEDIUM This Month

The LearnDash LMS plugin for WordPress contains a blind time-based SQL injection vulnerability in the 'filters[orderby_order]' parameter of the 'learndash_propanel_template' AJAX action, affecting all versions up to and including 5.0.3. Authenticated attackers with Contributor-level access or higher can exploit insufficient input escaping and lack of prepared statements to extract sensitive database information through time-based SQL injection techniques. While the CVSS score of 6.5 reflects medium severity with high confidentiality impact, the requirement for authentication and low network complexity means this poses a real but contained risk, particularly in multi-user WordPress environments where contributor accounts are common.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4615 MEDIUM This Month

SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data, and public exploit code is readily available. PHP-based deployments of this catering reservation system are actively targeted due to the ease of exploitation and lack of available patches.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4614 LOW Monitor

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-30655 MEDIUM This Month

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

SQLi PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4613 MEDIUM POC This Month

SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4306 HIGH This Week

The WP Job Portal plugin for WordPress contains an unauthenticated SQL injection vulnerability in the 'radius' parameter affecting all versions up to and including 2.4.8. Unauthenticated remote attackers can exploit this flaw to extract sensitive information from the database, including user credentials, personal data, and other confidential information stored in WordPress tables. The vulnerability has a CVSS score of 7.5 indicating high severity with no authentication required for exploitation.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2412 MEDIUM This Month

The Quiz and Survey Master (QSM) WordPress plugin versions up to 10.3.5 contains a SQL injection vulnerability in the 'merged_question' parameter that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. The vulnerability exists because the plugin uses sanitize_text_field() which does not prevent SQL metacharacters from being injected into an SQL IN() clause, and the resulting query is not properly parameterized using $wpdb->prepare() or integer casting. With a CVSS score of 6.5 and network-based attack vector requiring only low privileges, this represents a moderate but real threat to WordPress installations using this plugin.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4612 MEDIUM POC This Month

SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4597 LOW POC Monitor

SQL injection in the Stream Proxy Query Handler component of wvp-GB28181-pro up to version 2.7.4 allows authenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The affected Java application processes unsanitized input in the selectAll function without proper parameterized queries.

SQLi Java
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33723 PHP HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33651 PHP HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4594 MEDIUM POC This Month

SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. Affected Java applications using vulnerable versions of Erupt are at risk of data exfiltration and manipulation.

SQLi Java
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4593 LOW POC Monitor

SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-41008 CRITICAL Act Now

A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.

PHP SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-41007 CRITICAL PATCH Act Now

A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.

PHP SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-32969 HIGH This Week

A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.

SQLi Mb Connect Line Mbconnect24 Mymbconnect24 Myrex24V2 Myrex24V2 Virtual
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4581 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4580 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4579 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4574 LOW POC Monitor

SQL injection in SourceCodester Simple E-learning System 1.0's user profile update functionality allows authenticated remote attackers to manipulate the firstName parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read or modify sensitive database information. No patch is currently available.

SQLi Simple E Learning System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4573 LOW POC Monitor

SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4572 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4571 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4570 LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4569 LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4568 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2580 HIGH This Week

A time-based SQL injection vulnerability exists in the WP Maps - Store Locator plugin for WordPress through version 4.9.1, allowing unauthenticated attackers to extract sensitive database information via the insufficiently sanitized 'orderby' parameter. With a CVSS score of 7.5 (High), this vulnerability requires no privileges or user interaction and can be exploited remotely over the network. No KEV listing or EPSS data is provided, but the vulnerability has been publicly disclosed by Wordfence with technical details and code references available.

WordPress SQLi Google
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4550 LOW POC Monitor

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4540 MEDIUM POC This Month

SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4533 LOW POC Monitor

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4530 LOW POC Monitor

SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.

SQLi Aix Db
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2019-25581 HIGH POC This Week

i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Doit Cmdb
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25580 HIGH POC This Week

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload SQLi PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2019-25578 HIGH POC This Week

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25576 HIGH POC This Week

Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kepler Wallpaper Script
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25575 HIGH POC This Week

SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Simplepress Cms
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25573 HIGH POC This Week

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4513 LOW POC Monitor

SQL injection in vanna-ai vanna versions up to 2.0.2 allows authenticated remote attackers to manipulate the ask function in vanna/legacy/base/base.py, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

SQLi Vanna
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2503 MEDIUM This Month

The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. The CVSS score of 6.5 reflects moderate severity with high confidentiality impact but no integrity or availability impact, limited to authenticated users with elevated privileges.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4087 MEDIUM This Month

SQL injection in the Pre* Party Resource Hints WordPress plugin up to version 1.8.20 allows authenticated users with Subscriber-level permissions or higher to execute arbitrary database queries through the unescaped 'hint_ids' parameter in the pprh_update_hints AJAX action. An attacker can exploit this to extract sensitive information from the WordPress database without user interaction. No patch is currently available for this vulnerability.

WordPress SQLi
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2468 HIGH This Week

The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1800 HIGH This Week

The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3334 HIGH PATCH This Week

The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.

WordPress SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2279 HIGH PATCH This Week

The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.

WordPress SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-4508 MEDIUM POC This Month

SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4507 LOW POC Monitor

SQL injection in Mindinventory MindSQL versions up to 0.2.1 allows authenticated remote attackers to execute arbitrary SQL commands through the ask_db function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. Attackers with valid credentials can manipulate database queries to access, modify, or delete sensitive data.

SQLi Mindsql
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33505 Go HIGH PATCH This Week

Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.

SQLi OpenSSL Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33504 Go HIGH PATCH This Week

Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.

SQLi OpenSSL Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33503 Go HIGH PATCH This Week

Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.

SQLi OpenSSL Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33468 npm HIGH PATCH This Week

Kysely, a TypeScript SQL query builder for Node.js, contains a SQL injection vulnerability in its MySQL dialect due to incomplete string escaping in the DefaultQueryCompiler.sanitizeStringLiteral() method. Applications using kysely (npm package) with MySQL that pass user-controlled input to CreateIndexBuilder.where() or CreateViewBuilder.as() methods are vulnerable to SQL injection attacks that can lead to data exfiltration, modification, or authentication bypass. A proof-of-concept exploit is publicly available demonstrating how backslash-escaped single quotes bypass the sanitization logic when NO_BACKSLASH_ESCAPES is disabled (MySQL default).

SQLi Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33442 npm HIGH PATCH This Week

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLi PostgreSQL
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33485 PHP HIGH GHSA This Week

An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.

SQLi PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-4504 MEDIUM POC This Month

SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.

SQLi Db Gpt
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-62846 HIGH PATCH This Week

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.

SQLi Qurouter
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-4485 LOW POC Monitor

SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33134 CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-33133 HIGH PATCH This Week

WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.

SQLi Wegia
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-4473 LOW Monitor

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4472 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4471 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4470 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4469 LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33025 HIGH PATCH This Week

Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32954 HIGH PATCH This Week

A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. This is tagged as an SQLi vulnerability and has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.

SQLi Erpnext
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32950 HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-32888 HIGH This Week

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33288 HIGH This Week

SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.

Privilege Escalation SQLi Suitecrm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-29099 HIGH This Week

SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29096 HIGH This Week

A second-order SQL injection vulnerability exists in the Reports module of SuiteCRM, allowing authenticated users with reporting privileges to execute arbitrary SQL queries when viewing reports. The vulnerability affects SuiteCRM versions before 7.15.1 and 8.9.3, enabling attackers to extract sensitive database contents including password hashes, API tokens, and configuration values, with potential for remote code execution on MySQL installations with FILE privileges. While no public exploits or active exploitation have been reported, the vulnerability has a high CVSS score of 8.1 due to the potential for both data theft and system compromise.

SQLi Suitecrm
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33352 PHP CRITICAL PATCH Act Now

An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.

PHP SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
10.0%
CVE-2026-30711 HIGH This Week

Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.

PHP SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3658 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27413 CRITICAL Act Now

Blind SQL injection in Profile Builder Pro WordPress plugin versions up to 3.13.9 allows remote unauthenticated attackers to extract database contents and cause service degradation. The vulnerability exploits improper input sanitization in SQL queries, enabling attackers to manipulate database commands without authentication. CVSS score of 9.3 (Critical) reflects network-accessible attack surface with no authentication barrier, though EPSS score of 0.03% (8th percentile) indicates minimal observed exploitation attempts. Patchstack database confirms vulnerability details; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

SQLi Profile Builder Pro
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32698 CRITICAL PATCH Act Now

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

SQLi Openproject
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32321 HIGH PATCH This Week

An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.

SQLi PHP Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

SQLi Denial Of Service Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

A blind SQL injection vulnerability exists in Zabbix's API service layer (include/classes/api/CApiService.php) via the sortfield parameter that allows low-privilege users with API access to execute arbitrary SQL SELECT queries without direct result exfiltration. An attacker can leverage time-based blind SQL injection techniques to extract sensitive data such as session identifiers and administrator credentials, potentially leading to full administrative compromise of the Zabbix monitoring infrastructure. No CVSS score, EPSS data, or KEV status has been published, but the vulnerability's reliance on blind techniques and low-privilege requirement suggests moderate real-world exploitability.

PHP SQLi Suse
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

Privilege Escalation Node.js PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Unauthenticated SQL injection in Bootstrapy CMS allows remote attackers to extract sensitive database information or cause denial of service through multiple POST parameters in forum and contact modules. The vulnerability affects forum-thread.php (thread_id), contact-submit.php (subject), and post-new-submit.php (post-id) endpoints. Public exploit code exists via Exploit-DB #46590, though EPSS probability remains low at 0.06% (19th percentile), suggesting limited real-world exploitation despite ease of attack (AV:N/AC:L/PR:N). SSVC framework confirms proof-of-concept availability and automated exploitation potential with partial technical impact.

PHP SQLi Denial Of Service +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in Inout Article Base CMS allows remote unauthenticated attackers to extract sensitive database information or cause denial of service through malicious XOR-based and time-based SQL payloads injected via 'p' and 'u' parameters in GET requests to portalLogin.php. Public exploit code demonstrates the attack (Exploit-DB 46593), though EPSS scoring indicates low probability of widespread exploitation (0.06%, 19th percentile). No vendor patch has been identified, and the vendor website reference provides no security advisory, leaving deployments at continued risk.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zeeways Matrimony Cms
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The JetEngine plugin for WordPress contains a SQL injection vulnerability in the listing_load_more AJAX action that allows unauthenticated attackers to extract sensitive database information. All versions up to and including 3.8.6.1 are affected. The vulnerability exists on sites using JetEngine Listing Grid with Load More functionality enabled and SQL Query Builder queries, with a CVSS score of 7.5 indicating high severity for confidentiality impact.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The LearnDash LMS plugin for WordPress contains a blind time-based SQL injection vulnerability in the 'filters[orderby_order]' parameter of the 'learndash_propanel_template' AJAX action, affecting all versions up to and including 5.0.3. Authenticated attackers with Contributor-level access or higher can exploit insufficient input escaping and lack of prepared statements to extract sensitive database information through time-based SQL injection techniques. While the CVSS score of 6.5 reflects medium severity with high confidentiality impact, the requirement for authentication and low network complexity means this poses a real but contained risk, particularly in multi-user WordPress environments where contributor accounts are common.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data, and public exploit code is readily available. PHP-based deployments of this catering reservation system are actively targeted due to the ease of exploitation and lack of available patches.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

SQLi PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

The WP Job Portal plugin for WordPress contains an unauthenticated SQL injection vulnerability in the 'radius' parameter affecting all versions up to and including 2.4.8. Unauthenticated remote attackers can exploit this flaw to extract sensitive information from the database, including user credentials, personal data, and other confidential information stored in WordPress tables. The vulnerability has a CVSS score of 7.5 indicating high severity with no authentication required for exploitation.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The Quiz and Survey Master (QSM) WordPress plugin versions up to 10.3.5 contains a SQL injection vulnerability in the 'merged_question' parameter that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. The vulnerability exists because the plugin uses sanitize_text_field() which does not prevent SQL metacharacters from being injected into an SQL IN() clause, and the resulting query is not properly parameterized using $wpdb->prepare() or integer casting. With a CVSS score of 6.5 and network-based attack vector requiring only low privileges, this represents a moderate but real threat to WordPress installations using this plugin.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the Stream Proxy Query Handler component of wvp-GB28181-pro up to version 2.7.4 allows authenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The affected Java application processes unsanitized input in the selectAll function without proper parameterized queries.

SQLi Java
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. Affected Java applications using vulnerable versions of Erupt are at risk of data exfiltration and manipulation.

SQLi Java
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.

Java SQLi
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.

SQLi Mb Connect Line Mbconnect24 Mymbconnect24 +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Simple E-learning System 1.0's user profile update functionality allows authenticated remote attackers to manipulate the firstName parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read or modify sensitive database information. No patch is currently available.

SQLi Simple E Learning System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

A time-based SQL injection vulnerability exists in the WP Maps - Store Locator plugin for WordPress through version 4.9.1, allowing unauthenticated attackers to extract sensitive database information via the insufficiently sanitized 'orderby' parameter. With a CVSS score of 7.5 (High), this vulnerability requires no privileges or user interaction and can be exploited remotely over the network. No KEV listing or EPSS data is provided, but the vulnerability has been publicly disclosed by Wordfence with technical details and code references available.

WordPress SQLi Google
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.

SQLi Aix Db
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Doit Cmdb
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kepler Wallpaper Script
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Simplepress Cms
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in vanna-ai vanna versions up to 2.0.2 allows authenticated remote attackers to manipulate the ask function in vanna/legacy/base/base.py, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

SQLi Vanna
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. The CVSS score of 6.5 reflects moderate severity with high confidentiality impact but no integrity or availability impact, limited to authenticated users with elevated privileges.

WordPress SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Pre* Party Resource Hints WordPress plugin up to version 1.8.20 allows authenticated users with Subscriber-level permissions or higher to execute arbitrary database queries through the unescaped 'hint_ids' parameter in the pprh_update_hints AJAX action. An attacker can exploit this to extract sensitive information from the WordPress database without user interaction. No patch is currently available for this vulnerability.

WordPress SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.

WordPress SQLi
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.

WordPress SQLi
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Mindinventory MindSQL versions up to 0.2.1 allows authenticated remote attackers to execute arbitrary SQL commands through the ask_db function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. Attackers with valid credentials can manipulate database queries to access, modify, or delete sensitive data.

SQLi Mindsql
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.

SQLi OpenSSL Suse
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.

SQLi OpenSSL Suse
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.

SQLi OpenSSL Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Kysely, a TypeScript SQL query builder for Node.js, contains a SQL injection vulnerability in its MySQL dialect due to incomplete string escaping in the DefaultQueryCompiler.sanitizeStringLiteral() method. Applications using kysely (npm package) with MySQL that pass user-controlled input to CreateIndexBuilder.where() or CreateViewBuilder.as() methods are vulnerable to SQL injection attacks that can lead to data exfiltration, modification, or authentication bypass. A proof-of-concept exploit is publicly available demonstrating how backslash-escaped single quotes bypass the sanitization logic when NO_BACKSLASH_ESCAPES is disabled (MySQL default).

SQLi Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.

SQLi PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.

SQLi Db Gpt
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.

SQLi Qurouter
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.

SQLi Wegia
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. This is tagged as an SQLi vulnerability and has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.

SQLi Erpnext
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.

Privilege Escalation SQLi Suitecrm
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A second-order SQL injection vulnerability exists in the Reports module of SuiteCRM, allowing authenticated users with reporting privileges to execute arbitrary SQL queries when viewing reports. The vulnerability affects SuiteCRM versions before 7.15.1 and 8.9.3, enabling attackers to extract sensitive database contents including password hashes, API tokens, and configuration values, with potential for remote code execution on MySQL installations with FILE privileges. While no public exploits or active exploitation have been reported, the vulnerability has a high CVSS score of 8.1 due to the potential for both data theft and system compromise.

SQLi Suitecrm
NVD GitHub VulDB
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Profile Builder Pro WordPress plugin versions up to 3.13.9 allows remote unauthenticated attackers to extract database contents and cause service degradation. The vulnerability exploits improper input sanitization in SQL queries, enabling attackers to manipulate database commands without authentication. CVSS score of 9.3 (Critical) reflects network-accessible attack surface with no authentication barrier, though EPSS score of 0.03% (8th percentile) indicates minimal observed exploitation attempts. Patchstack database confirms vulnerability details; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

SQLi Profile Builder Pro
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

SQLi Openproject
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.

SQLi PHP Clipbucket V5
NVD GitHub VulDB
Prev Page 18 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy