Skip to main content

SQLi

15171 CVEs technique

Monthly

CVE-2026-32698 CRITICAL PATCH Act Now

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

SQLi Openproject
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32321 HIGH PATCH This Week

An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.

SQLi PHP Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33142 npm HIGH PATCH This Week

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

PostgreSQL SQLi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32763 npm HIGH PATCH This Week

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

SQLi PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-22730 Maven HIGH PATCH This Week

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.

Java SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33058 MEDIUM PATCH This Month

An authenticated SQL injection vulnerability exists in Kanboard project management software prior to version 1.2.51. Authenticated attackers with permission to add users to a project can exploit this vulnerability to dump the entire Kanboard database, potentially exposing sensitive project data, user credentials, and application secrets. The vulnerability is confirmed under active tracking by Debian (2 releases) and Ubuntu (medium priority), with a GitHub Security Advisory published.

SQLi Ubuntu Debian Kanboard
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67830 CRITICAL Act Now

A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-67829 CRITICAL Act Now

A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS, specifically in the getQuery function's sortDirection parameter, affecting versions prior to 10.1.14. An attacker can inject arbitrary SQL commands through the sortDirection parameter to read, modify, or delete database contents without requiring authentication. The vulnerability is classified as SQL injection (SQLi) and patches are available in version 10.1.14 and later.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26001 HIGH This Week

SQL injection in GLPI Inventory Plugin versions before 1.6.6 allows authenticated users with sufficient privileges to execute arbitrary SQL queries through unvalidated input in report functionality. An attacker with report access can extract or modify sensitive database information, though code execution is not possible through this vector. A patch is available in version 1.6.6 and later.

SQLi Glpi Inventory Plugin
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33041 PHP MEDIUM PATCH This Month

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33038 PHP HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi Authentication Bypass CSRF +1
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25936 MEDIUM PATCH This Month

GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. While the CVSS score of 6.5 reflects moderate severity, the impact is limited to confidentiality breach due to the read-only nature of the exploit and the requirement for prior authentication.

SQLi Glpi
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31891 PHP HIGH PATCH This Week

SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-4319 MEDIUM POC This Month

SQL injection in Simple Food Order System 1.0's /routers/add-item.php endpoint allows unauthenticated remote attackers to manipulate the price parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could lead to unauthorized data access, modification, or deletion.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4324 Ruby MEDIUM PATCH This Month

SQL injection in the Katello plugin for Red Hat Satellite 6 allows authenticated remote attackers to execute arbitrary SQL commands via the sort_by parameter in the /api/hosts/bootc_images endpoint. An attacker can exploit this flaw to trigger database errors causing denial of service or conduct blind SQL injection attacks to extract sensitive information from the database. No patch is currently available for this vulnerability.

Red Hat SQLi Denial Of Service
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-2579 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WowStore plugin for WordPress (versions up to 4.4.3) through the unescaped 'search' parameter to extract sensitive data from the underlying database. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append malicious SQL commands without authentication. No patch is currently available for this high-severity issue affecting all users of the affected plugin versions.

SQLi WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4287 MEDIUM This Month

SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows unauthenticated remote attackers to manipulate the areaId parameter in the /rest/devStatus/queryResources endpoint and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Successful exploitation could result in unauthorized data access, modification, or system disruption.

SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4289 MEDIUM POC This Month

SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

SQLi Easy7 Integrated Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4288 MEDIUM POC This Month

Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. No patch has been released despite early vendor notification.

SQLi Easy7 Integrated Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32813 PHP HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-32767 Go CRITICAL PATCH Act Now

An authorization bypass vulnerability in SiYuan Note v3.6.0 and earlier allows any authenticated user, including those with read-only 'Reader' role privileges, to execute arbitrary SQL commands through the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. This enables attackers to read, modify, or delete all data in the application's SQLite database, completely bypassing the application's role-based access controls. A detailed proof-of-concept demonstrates how Reader-role users can execute destructive SQL operations including dropping tables.

SQLi Docker Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30881 HIGH PATCH This Week

Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. Version 1.11.36 contains the patch; versions 1.11.35 and earlier remain vulnerable.

SQLi Chamilo Lms
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28430 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Chamilo LMS versions prior to 1.11.34 enables remote attackers to execute arbitrary database queries through the custom_dates parameter and escalate to full administrative account takeover by exploiting a predictable password reset mechanism. This critical vulnerability exposes the entire database including personally identifiable information and system configurations without requiring any credentials or user interaction. No patch is currently available for affected installations.

SQLi Chamilo Lms
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32750 Go MEDIUM PATCH This Month

SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.

Path Traversal SQLi Docker Suse
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-69768 HIGH This Week

SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32611 PyPI HIGH PATCH This Week

SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.

Python SQLi Suse
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-62319 CRITICAL Act Now

A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and network-based attack vector requiring no authentication, this represents a severe risk to organizations using affected Unica installations.

SQLi Unica
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-52646 LOW Monitor

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.

Information Disclosure SQLi Aion
NVD VulDB
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-4241 LOW Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4238 LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-52637 MEDIUM This Month

HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.

Information Disclosure SQLi Aion
NVD VulDB
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-4237 MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4236 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4235 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4234 LOW POC Monitor

SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi Sscms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3023 MEDIUM PATCH This Month

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print-tags' endpoint that allows authenticated users to inject NoSQL commands via manipulated POST requests. An attacker with valid credentials can exploit this vulnerability to extract sensitive information including pet names and owner names from the backend database. With a CVSS score of 5.3 and low attack complexity, this represents a moderate confidentiality risk requiring prompt remediation despite the requirement for authentication.

SQLi Wakyma Application Web
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-3022 HIGH PATCH This Week

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.

SQLi Wakyma Application Web
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-3021 MEDIUM PATCH This Month

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.

SQLi Nosql Injection Wakyma Application Web
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4232 MEDIUM POC This Month

SQL injection in Tiandy Integrated Management Platform 7.17.0 via the /rest/user/getAuthorityByUserId endpoint allows unauthenticated remote attackers to manipulate the userId parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable unauthorized data access, modification, or system disruption.

SQLi Integrated Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4230 LOW POC Monitor

SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.

Python SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4229 PyPI MEDIUM POC This Month

SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.

Google SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4223 MEDIUM POC This Month

SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4190 MEDIUM POC This Month

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQLi PostgreSQL
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4189 LOW POC Monitor

SQL injection in phpIPAM versions up to 1.7.4 allows authenticated administrators to manipulate the subnetOrdering parameter in the Section Handler component, enabling remote database compromise. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi PHP
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2015-20120 HIGH POC This Week

Multiple time-based blind SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to extract database information by injecting malicious SQL queries with time-delay payloads. Attackers can infer database contents character by character based on response timing differences. A public proof-of-concept exploit is available on Exploit-DB, significantly increasing the risk of exploitation.

SQLi Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2015-20121 HIGH POC This Week

SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.

Denial Of Service SQLi PHP Realtyscripts
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-4173 LOW POC Monitor

CodePhiliaX Chat2DB versions up to 0.3.7 contain a SQL injection vulnerability in the Database Export Handler component (DMDBManage.java) affecting multiple export functions. An authenticated attacker with low privileges can remotely exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts.

SQLi Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-32628 HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

SQLi PostgreSQL MySQL MSSQL Information Disclosure +2
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-32306 npm CRITICAL PATCH Act Now

SQL injection in OneUptime telemetry API before 10.0.23.

RCE SQLi Oneuptime
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-25076 HIGH This Week

CVE-2026-25076 is an SQL injection vulnerability in the GraphQL Reports API of Anchore Enterprise versions before 5.25.1, allowing authenticated attackers to execute arbitrary SQL commands and modify database contents. With a CVSS score of 7.3 and low EPSS score (0.02%), this vulnerability requires authentication and adjacent network access, making it a moderate priority for organizations using Anchore Enterprise in their container security infrastructure.

SQLi
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-36368 MEDIUM PATCH This Month

SQL injection vulnerability in IBM Sterling B2B Integrator and Sterling File Gateway that allows authenticated administrative users to execute arbitrary SQL commands against the backend database. An attacker with admin privileges can view, add, modify, or delete sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 6.5 (Medium) due to high impact on confidentiality and integrity; no active exploitation in the wild or public POC has been reported at this time.

IBM SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32459 HIGH This Week

Blind SQL injection in UpsellWP checkout plugin versions 2.2.4 and earlier allows authenticated attackers to execute arbitrary SQL queries with network access and without user interaction. The vulnerability affects the checkout-upsell-and-order-bumps functionality and could enable data exfiltration or database manipulation. No patch is currently available for this high-severity flaw.

SQLi Upsellwp
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32458 HIGH This Week

SQL injection vulnerability in the RealMag777 WOLF bulk-editor WordPress plugin (versions up to 1.0.8.7) that allows authenticated administrators to execute blind SQL injection attacks. With a low EPSS score of 0.02% and no KEV listing, this vulnerability requires high privileges to exploit and is not currently being actively exploited in the wild.

SQLi Wolf
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32433 HIGH This Week

CP Contact Form with Paypal through version 1.3.61 contains a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries with network access. An attacker with user-level privileges can exploit this flaw to extract sensitive database information, though no patch is currently available.

SQLi Cp Contact Form With Paypal
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32422 HIGH This Week

WP EasyCart versions 5.8.13 and earlier are vulnerable to blind SQL injection, allowing authenticated attackers to execute arbitrary SQL queries through improper input sanitization. This vulnerability could enable attackers to extract or manipulate sensitive database information, though code execution is not possible. No patch is currently available for this high-severity vulnerability (CVSS 8.5).

SQLi Wp Easycart
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32418 HIGH This Week

Blind SQL injection in Meow Gallery up to version 5.4.4 allows high-privileged attackers to extract sensitive data from the application database through specially crafted SQL queries. An authenticated administrator with high privileges can exploit this vulnerability without user interaction to perform unauthorized database queries, potentially exposing confidential information. No patch is currently available for affected installations.

SQLi Meow Gallery
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32399 HIGH This Week

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary SQL queries over the network, potentially leading to unauthorized data access and service disruption. The vulnerability requires valid user credentials but no user interaction, making it exploitable by internal or compromised accounts with minimal effort. No patch is currently available for affected installations.

SQLi Media Library Assistant
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32368 HIGH This Week

Blind SQL injection in Geo to Lat versions up to 1.0.19 allows authenticated attackers to execute arbitrary SQL queries over the network with no user interaction required. An attacker with valid credentials can exploit this vulnerability to extract or manipulate database contents, potentially leading to unauthorized data access and system disruption. No patch is currently available for this vulnerability.

SQLi Geo To Lat
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32366 HIGH This Week

A blind SQL injection vulnerability exists in the WordPress Collapsing Categories plugin (versions up to 3.0.9) that allows authenticated attackers with low privileges to execute arbitrary SQL queries against the database. The vulnerability enables extraction of sensitive data including user credentials, though it does not allow direct data modification. With a CVSS score of 8.5 and no current exploitation in the wild (not in KEV), this represents a serious but not critical risk for WordPress sites using this plugin.

SQLi Collapsing Categories
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32365 HIGH This Week

Blind SQL injection in Collapsing Archives versions up to 3.0.7 allows authenticated attackers to execute arbitrary SQL queries through improper input sanitization. An attacker with user-level access can exploit this vulnerability to extract sensitive data from the database, though the impact is partially mitigated by the requirement for prior authentication. No patch is currently available for this vulnerability.

SQLi Collapsing Archives
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-32358 HIGH This Week

Booking Calendar versions 10.14.15 and earlier contain a blind SQL injection vulnerability in database query handling that allows high-privileged authenticated users to execute arbitrary SQL commands. An attacker with administrative credentials could exploit this to extract sensitive database information and potentially disrupt service availability. A patch is not currently available, requiring users to implement alternative mitigations or limit administrative access.

SQLi Booking Calendar
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-31922 HIGH This Week

Fox LMS versions 1.0.6.3 and earlier are vulnerable to blind SQL injection attacks through improper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries and potentially exfiltrate sensitive database information. The vulnerability requires user authentication but can be exploited remotely with no user interaction needed, and carries a high CVSS score of 8.5. No patch is currently available for affected organizations.

SQLi Fox Lms
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-31917 HIGH This Week

SQL injection vulnerability in the weDevs WP ERP WordPress plugin affecting all versions up to and including 1.16.10, allowing authenticated attackers with low privileges to extract sensitive database information. With an EPSS score of 0.02% (5th percentile), this vulnerability has a very low probability of real-world exploitation and is not listed in CISA KEV, indicating it's not actively exploited in the wild.

SQLi Wp Erp
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-22193 HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

SQLi Wpdiscuz
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32137 HIGH This Week

Dataease is an open source data visualization analysis tool. versions up to 2.10.20 is affected by sql injection.

SQLi Dataease
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26794 HIGH This Week

SQL injection in GL-iNet GL-AR300M16 firmware v4.3.11 allows authenticated attackers to execute arbitrary database commands through the add_group() function via crafted HTTP requests. The vulnerability affects all installations of the affected firmware version and requires valid credentials to exploit. No patch is currently available to remediate this high-severity flaw.

SQLi Ar300m16 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-21708 CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

PostgreSQL RCE SQLi
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2019-25543 HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Real Estate Portal
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25542 HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure Real Estate Portal
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25541 HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25540 HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25539 HIGH POC This Week

202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

PHP SQLi 202cms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25538 HIGH POC This Week

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

SQLi 202cms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25537 HIGH POC This Week

Netartmedia Event Portal 2.0 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25536 HIGH POC This Week

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25535 HIGH POC This Week

Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25534 HIGH POC This Week

Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25533 HIGH POC This Week

Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25532 HIGH POC This Week

Netartmedia Jobs Portal 6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25531 HIGH POC This Week

Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25530 HIGH POC This Week

uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25529 HIGH POC This Week

Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25528 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25527 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25526 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the location parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25525 HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25524 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2019-25523 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25522 HIGH POC This Week

XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25521 HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
CVSS 3.1
8.2
EPSS
0.1%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.

SQLi Openproject
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.

SQLi PHP Clipbucket V5
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.

PostgreSQL SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.

Java SQLi
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An authenticated SQL injection vulnerability exists in Kanboard project management software prior to version 1.2.51. Authenticated attackers with permission to add users to a project can exploit this vulnerability to dump the entire Kanboard database, potentially exposing sensitive project data, user credentials, and application secrets. The vulnerability is confirmed under active tracking by Debian (2 releases) and Ubuntu (medium priority), with a GitHub Security Advisory published.

SQLi Ubuntu Debian +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.

SQLi
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS, specifically in the getQuery function's sortDirection parameter, affecting versions prior to 10.1.14. An attacker can inject arbitrary SQL commands through the sortDirection parameter to read, modify, or delete database contents without requiring authentication. The vulnerability is classified as SQL injection (SQLi) and patches are available in version 10.1.14 and later.

SQLi
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in GLPI Inventory Plugin versions before 1.6.6 allows authenticated users with sufficient privileges to execute arbitrary SQL queries through unvalidated input in report functionality. An attacker with report access can extract or modify sensitive database information, though code execution is not possible through this vector. A patch is available in version 1.6.6 and later.

SQLi Glpi Inventory Plugin
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

PHP Information Disclosure SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi +3
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. While the CVSS score of 6.5 reflects moderate severity, the impact is limited to confidentiality breach due to the read-only nature of the exploit and the requirement for prior authentication.

SQLi Glpi
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Food Order System 1.0's /routers/add-item.php endpoint allows unauthenticated remote attackers to manipulate the price parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could lead to unauthorized data access, modification, or deletion.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection in the Katello plugin for Red Hat Satellite 6 allows authenticated remote attackers to execute arbitrary SQL commands via the sort_by parameter in the /api/hosts/bootc_images endpoint. An attacker can exploit this flaw to trigger database errors causing denial of service or conduct blind SQL injection attacks to extract sensitive information from the database. No patch is currently available for this vulnerability.

Red Hat SQLi Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WowStore plugin for WordPress (versions up to 4.4.3) through the unescaped 'search' parameter to extract sensitive data from the underlying database. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append malicious SQL commands without authentication. No patch is currently available for this high-severity issue affecting all users of the affected plugin versions.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows unauthenticated remote attackers to manipulate the areaId parameter in the /rest/devStatus/queryResources endpoint and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Successful exploitation could result in unauthorized data access, modification, or system disruption.

SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

SQLi Easy7 Integrated Management Platform
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. No patch has been released despite early vendor notification.

SQLi Easy7 Integrated Management Platform
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

An authorization bypass vulnerability in SiYuan Note v3.6.0 and earlier allows any authenticated user, including those with read-only 'Reader' role privileges, to execute arbitrary SQL commands through the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. This enables attackers to read, modify, or delete all data in the application's SQLite database, completely bypassing the application's role-based access controls. A detailed proof-of-concept demonstrates how Reader-role users can execute destructive SQL operations including dropping tables.

SQLi Docker Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. Version 1.11.36 contains the patch; versions 1.11.35 and earlier remain vulnerable.

SQLi Chamilo Lms
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated SQL injection in Chamilo LMS versions prior to 1.11.34 enables remote attackers to execute arbitrary database queries through the custom_dates parameter and escalate to full administrative account takeover by exploiting a predictable password reset mechanism. This critical vulnerability exposes the entire database including personally identifiable information and system configurations without requiring any credentials or user interaction. No patch is currently available for affected installations.

SQLi Chamilo Lms
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.

Path Traversal SQLi Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.

Python SQLi Suse
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and network-based attack vector requiring no authentication, this represents a severe risk to organizations using affected Unica installations.

SQLi Unica
NVD VulDB
EPSS 0% CVSS 2.2
LOW Monitor

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.

Information Disclosure SQLi Aion
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 4.5
MEDIUM This Month

HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.

Information Disclosure SQLi Aion
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi Sscms
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print-tags' endpoint that allows authenticated users to inject NoSQL commands via manipulated POST requests. An attacker with valid credentials can exploit this vulnerability to extract sensitive information including pet names and owner names from the backend database. With a CVSS score of 5.3 and low attack complexity, this represents a moderate confidentiality risk requiring prompt remediation despite the requirement for authentication.

SQLi Wakyma Application Web
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.

SQLi Wakyma Application Web
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.

SQLi Nosql Injection Wakyma Application Web
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Tiandy Integrated Management Platform 7.17.0 via the /rest/user/getAuthorityByUserId endpoint allows unauthenticated remote attackers to manipulate the userId parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable unauthorized data access, modification, or system disruption.

SQLi Integrated Management Platform
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.

Python SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.

Google SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.

SQLi PostgreSQL
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in phpIPAM versions up to 1.7.4 allows authenticated administrators to manipulate the subnetOrdering parameter in the Section Handler component, enabling remote database compromise. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Multiple time-based blind SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to extract database information by injecting malicious SQL queries with time-delay payloads. Attackers can infer database contents character by character based on response timing differences. A public proof-of-concept exploit is available on Exploit-DB, significantly increasing the risk of exploitation.

SQLi Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.

Denial Of Service SQLi PHP +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

CodePhiliaX Chat2DB versions up to 0.3.7 contain a SQL injection vulnerability in the Database Export Handler component (DMDBManage.java) affecting multiple export functions. An authenticated attacker with low privileges can remotely exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts.

SQLi Java
NVD VulDB GitHub
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

SQLi PostgreSQL MySQL +4
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

SQL injection in OneUptime telemetry API before 10.0.23.

RCE SQLi Oneuptime
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

CVE-2026-25076 is an SQL injection vulnerability in the GraphQL Reports API of Anchore Enterprise versions before 5.25.1, allowing authenticated attackers to execute arbitrary SQL commands and modify database contents. With a CVSS score of 7.3 and low EPSS score (0.02%), this vulnerability requires authentication and adjacent network access, making it a moderate priority for organizations using Anchore Enterprise in their container security infrastructure.

SQLi
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

SQL injection vulnerability in IBM Sterling B2B Integrator and Sterling File Gateway that allows authenticated administrative users to execute arbitrary SQL commands against the backend database. An attacker with admin privileges can view, add, modify, or delete sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 6.5 (Medium) due to high impact on confidentiality and integrity; no active exploitation in the wild or public POC has been reported at this time.

IBM SQLi
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in UpsellWP checkout plugin versions 2.2.4 and earlier allows authenticated attackers to execute arbitrary SQL queries with network access and without user interaction. The vulnerability affects the checkout-upsell-and-order-bumps functionality and could enable data exfiltration or database manipulation. No patch is currently available for this high-severity flaw.

SQLi Upsellwp
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

SQL injection vulnerability in the RealMag777 WOLF bulk-editor WordPress plugin (versions up to 1.0.8.7) that allows authenticated administrators to execute blind SQL injection attacks. With a low EPSS score of 0.02% and no KEV listing, this vulnerability requires high privileges to exploit and is not currently being actively exploited in the wild.

SQLi Wolf
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

CP Contact Form with Paypal through version 1.3.61 contains a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries with network access. An attacker with user-level privileges can exploit this flaw to extract sensitive database information, though no patch is currently available.

SQLi Cp Contact Form With Paypal
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

WP EasyCart versions 5.8.13 and earlier are vulnerable to blind SQL injection, allowing authenticated attackers to execute arbitrary SQL queries through improper input sanitization. This vulnerability could enable attackers to extract or manipulate sensitive database information, though code execution is not possible. No patch is currently available for this high-severity vulnerability (CVSS 8.5).

SQLi Wp Easycart
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in Meow Gallery up to version 5.4.4 allows high-privileged attackers to extract sensitive data from the application database through specially crafted SQL queries. An authenticated administrator with high privileges can exploit this vulnerability without user interaction to perform unauthorized database queries, potentially exposing confidential information. No patch is currently available for affected installations.

SQLi Meow Gallery
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary SQL queries over the network, potentially leading to unauthorized data access and service disruption. The vulnerability requires valid user credentials but no user interaction, making it exploitable by internal or compromised accounts with minimal effort. No patch is currently available for affected installations.

SQLi Media Library Assistant
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in Geo to Lat versions up to 1.0.19 allows authenticated attackers to execute arbitrary SQL queries over the network with no user interaction required. An attacker with valid credentials can exploit this vulnerability to extract or manipulate database contents, potentially leading to unauthorized data access and system disruption. No patch is currently available for this vulnerability.

SQLi Geo To Lat
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

A blind SQL injection vulnerability exists in the WordPress Collapsing Categories plugin (versions up to 3.0.9) that allows authenticated attackers with low privileges to execute arbitrary SQL queries against the database. The vulnerability enables extraction of sensitive data including user credentials, though it does not allow direct data modification. With a CVSS score of 8.5 and no current exploitation in the wild (not in KEV), this represents a serious but not critical risk for WordPress sites using this plugin.

SQLi Collapsing Categories
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in Collapsing Archives versions up to 3.0.7 allows authenticated attackers to execute arbitrary SQL queries through improper input sanitization. An attacker with user-level access can exploit this vulnerability to extract sensitive data from the database, though the impact is partially mitigated by the requirement for prior authentication. No patch is currently available for this vulnerability.

SQLi Collapsing Archives
NVD VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Booking Calendar versions 10.14.15 and earlier contain a blind SQL injection vulnerability in database query handling that allows high-privileged authenticated users to execute arbitrary SQL commands. An attacker with administrative credentials could exploit this to extract sensitive database information and potentially disrupt service availability. A patch is not currently available, requiring users to implement alternative mitigations or limit administrative access.

SQLi Booking Calendar
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Fox LMS versions 1.0.6.3 and earlier are vulnerable to blind SQL injection attacks through improper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries and potentially exfiltrate sensitive database information. The vulnerability requires user authentication but can be exploited remotely with no user interaction needed, and carries a high CVSS score of 8.5. No patch is currently available for affected organizations.

SQLi Fox Lms
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection vulnerability in the weDevs WP ERP WordPress plugin affecting all versions up to and including 1.16.10, allowing authenticated attackers with low privileges to extract sensitive database information. With an EPSS score of 0.02% (5th percentile), this vulnerability has a very low probability of real-world exploitation and is not listed in CISA KEV, indicating it's not actively exploited in the wild.

SQLi Wp Erp
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

SQLi Wpdiscuz
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Dataease is an open source data visualization analysis tool. versions up to 2.10.20 is affected by sql injection.

SQLi Dataease
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in GL-iNet GL-AR300M16 firmware v4.3.11 allows authenticated attackers to execute arbitrary database commands through the add_group() function via crafted HTTP requests. The vulnerability affects all installations of the affected firmware version and requires valid credentials to exploit. No patch is currently available to remediate this high-severity flaw.

SQLi Ar300m16 Firmware
NVD GitHub VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.

PostgreSQL RCE SQLi
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

PHP SQLi 202cms
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]

SQLi 202cms
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Event Portal 2.0 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Jobs Portal 6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the location parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. [CVSS 8.2 HIGH]

SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Information Disclosure
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB VulDB
Prev Page 19 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy