SQLi
Monthly
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the oid parameter in /cancelorder.php, potentially enabling unauthorized data access or modification. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component and carries a CVSS score of 5.3 with confirmed exploitation feasibility.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the cid parameter in /categorywise-products.php. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component. The attack requires valid user credentials but carries low impact, affecting confidentiality, integrity, and availability of data at limited scope.
SQL injection in projectworlds Car Rental Project 1.0 allows remote attackers to execute arbitrary SQL queries via the fname parameter in /book_car.php, enabling unauthenticated database manipulation with potential confidentiality and integrity impact. The vulnerability has publicly available exploit code and a moderate CVSS score of 6.9; its low attack complexity makes exploitation practical.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Home parameter in /borrowed_equip_report.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and demonstrates low attack complexity with network-based delivery requiring valid credentials.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the orderid parameter in /order-details.php, enabling data exfiltration and database manipulation. CVSS 6.3 reflects authenticated access requirement and limited scope; no public exploit code or active KEV status confirmed at time of analysis.
SQL injection in griptape-ai griptape 0.19.4 SqlTool allows authenticated remote attackers to manipulate SQL queries via the griptape/tools/sql/tool.py component, potentially accessing or modifying database contents. The exploit is publicly available, and the vendor has not responded to early disclosure notification.
SQL injection in zhongyu09 openchatbi up to version 0.2.1 allows authenticated remote attackers to manipulate the keywords argument in the Multi-stage Text2SQL Workflow component, leading to unauthorized database access with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
SQL injection in wbbeyourself MAC-SQL via the _execute_sql function in core/agents.py (Refiner Agent component) allows authenticated remote attackers to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability affects all versions up to commit 31a9df5e0d520be4769be57a4b9022e5e34a14f4, with publicly available exploit code and CVSS 6.3 (medium severity). The vendor has not responded to early disclosure attempts, and the product uses rolling releases making version tracking difficult.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and a CVSS score of 5.3 reflecting low confidentiality and integrity impact; real-world risk is moderate, elevated by public exploit availability, and the authentication requirement points to insider or credential-based attack scenarios.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fname parameter in the /OnlineClassroom/updatedetailsfromfaculty.php endpoint. The vulnerability has been publicly disclosed with exploit code available, presenting moderate real-world risk due to required authentication (PR:L) but low technical impact (VC:L, VI:L, VA:L) per CVSS 4.0 scoring.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.
SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.
SQL injection in Song-Li cross_browser application allows remote code execution via an unsanitized ID parameter in the details endpoint of flask/uniquemachine_app.py. The vulnerability affects all versions up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a, requires no authentication, and has publicly available exploit code. The vendor has not responded to disclosure attempts, and the product's rolling-release model means no traditional patched version has been released.
SQL injection in SourceCodester jkev Record Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component (index.php) to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. The exploit code is publicly available, and the vulnerability carries a CVSS 4.0 base score of 6.9 with low confidentiality, integrity, and availability impact.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.
SQL injection in AutohomeCorp Frostmourne up to version 1.0 allows authenticated remote attackers to execute arbitrary SQL queries through the /api/monitor-api/alarm/previewData endpoint's httpTest function, potentially leading to unauthorized data access, modification, or system compromise. Publicly available exploit code exists, elevating real-world risk despite the CVSS 6.3 (medium) rating.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.
SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.
SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.
SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.
SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.
SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.
SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.
SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.
SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.
SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).
SQL injection in Piwigo's Activity List API endpoint allows authenticated administrators to extract sensitive database contents including user credentials and email addresses. This vulnerability affects Piwigo versions prior to 16.3.0 and requires high-level privileges (administrator access) to exploit. CVSS score of 7.2 reflects the network-accessible attack vector with low complexity, though exploitation requires prior administrative authentication. No public exploit code or active exploitation (CISA KEV) identified at time of analysis. The vendor has released version 16.3.0 addressing this issue.
SQL injection in Piwigo photo gallery application allows authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method. Piwigo versions prior to 16.3.0 are affected due to improper sanitization of the filter parameter, which is directly concatenated into database queries. Vendor-released patch version 16.3.0 addresses this vulnerability. EPSS data not provided; no public exploit identified at time of analysis. Authentication requirements (PR:H) significantly limit attack surface to users with administrative privileges.
SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. Vendor-released patch available in version 16.3.0. EPSS and KEV data not provided, but the combination of unauthenticated access, low attack complexity, and full database disclosure represents critical risk for internet-facing Piwigo installations.
Second-order SQL injection in Focalboard 8.0 category reordering functionality enables authenticated attackers to exfiltrate sensitive data including password hashes via time-based blind injection. The vulnerability stems from unsanitized category IDs stored in the database and later executed in dynamic SQL statements. Focalboard is no longer maintained as a standalone product, and Mattermost confirmed no patch will be issued. No public exploit identified at time of analysis. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication.
SQL injection in OpenProject reporting module allows authenticated users to execute arbitrary SQL commands with escalated privileges. The vulnerable =n operator in the reporting library (modules/reporting/lib/report/operator.rb:177) concatenates user-controlled input directly into WHERE clauses without parameterization. Affects all OpenProject versions prior to 17.2.3. With CVSS 9.9 (Critical) and scope change (S:C), attackers with low-privilege authenticated access can achieve high integrity and availability impact across security boundaries. EPSS data not available; no public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory may facilitate rapid weaponization.
SQL injection in projectworlds Car Rental Project 1.0 login.php allows unauthenticated remote attackers to bypass authentication, extract sensitive database contents, and potentially modify or delete data via the 'uname' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network-accessible attack vector, no authentication requirement, and public exploit makes this a practical threat for internet-facing deployments of this vulnerable application.
SQL injection in itsourcecode Online Enrollment System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the deptid parameter in /enrollment/index.php?view=edit&id=3, potentially enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS score of 6.9. The vulnerability affects the Parameter Handler component's SQL query construction logic.
Arbitrary SQL execution in OpenSTAManager's database conflict resolution module allows authenticated attackers with access to the Aggiornamenti (Updates) feature to execute unrestricted SQL commands. Affecting versions prior to 2.10.2, attackers can submit JSON arrays of SQL statements that execute directly against the MySQL database with foreign key checks disabled, enabling complete database compromise including data exfiltration, modification, deletion, and schema manipulation. No public exploit identified at time of analysis, and EPSS data are not available; the authentication requirement (PR:L) and low attack complexity (AC:L) indicate straightforward exploitation for internal threats or compromised accounts.
SQL injection in shsuishang modulithshop allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the sidx/sort parameter in the ProductItemDao Interface listItem function, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability affects the rolling-release product across an unspecified version range; publicly available exploit code exists. CVSS 6.3 with exploit maturity rated proof-of-concept (E:P), and a patch is available via upstream commit 42bcb9463425d1be906c3b290cf29885eb5a2324.
Blind SQL injection in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows unauthenticated remote attackers to extract sensitive database contents via the mb24api endpoint. The vulnerability enables complete confidentiality breach through crafted SQL SELECT commands with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis. Vendor advisory published by CERT@VDE with remediation guidance.
SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to execute arbitrary SQL commands via the setinfo endpoint, potentially destroying database integrity and causing complete service disruption. The vulnerability stems from insufficient input validation in SQL UPDATE operations. With CVSS 9.1 (Critical), CVSS vector PR:N confirms no authentication required, and attack complexity is low (AC:L), making this trivially exploitable. No public exploit identified at time of analysis, though the technical details disclosed in CERT@VDE advisory provide sufficient information for rapid weaponization.
SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 products allows unauthenticated remote attackers to extract sensitive data through the getinfo endpoint. The vulnerability permits direct database queries without authentication, enabling complete confidentiality breach of stored information. EPSS and KEV data not provided; exploitation status unknown beyond technical disclosure by CERT@VDE.
SQL injection in AlejandroArciniegas mcp-data-vis MCP Handler allows remote unauthenticated attackers to manipulate database queries via the Request function in src/servers/database/server.js. Publicly available exploit code exists. CVSS 7.3 (High) with low attack complexity enables unauthorized data access, modification, and partial availability disruption. The vendor did not respond to disclosure, and the product uses a rolling release model without fixed version tracking, complicating patch verification (EPSS data not provided).
SQL injection in NocoBase plugin-workflow-sql through version 2.0.8 allows authenticated workflow users to execute arbitrary database queries. The vulnerable SQLInstruction class performs unparameterized string substitution of template variables (e.g., {{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.
SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which execute when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit confirmed beyond the GitHub security advisory POC, though EPSS data unavailable. Immediate patching required for all PraisonAI Python package installations.
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.
SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires initial admin credentials to inject malicious serialized objects via SQL injection, then triggers via anonymous GET request. Vendor-released patch available in v2.10.2. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though detailed proof-of-concept included in advisory with working Python exploit scripts.
Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working proof-of-concept code demonstrating 10-second SLEEP delays and successful extraction of admin username, bcrypt password hashes, and MySQL version. Vendor-released patches are available in version 2.10.2 via commits 50b9089 and 679c40f. No public exploit identified at time of analysis beyond researcher PoC, with CVSS 8.8 (High) reflecting network accessibility, low complexity, and complete confidentiality/integrity/availability impact.
SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the userid parameter in /delstaffinfo.php, enabling arbitrary SQL query execution with limited data confidentiality and integrity impact. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the firstName parameter in /modify.php, enabling arbitrary database queries and potential data exfiltration or modification. The vulnerability affects the Parameter Handler component through CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Publicly available exploit code exists, and the CVSS 6.9 score reflects moderate impact with low attack complexity and no authentication requirement.
SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /view_employee.php. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, enabling potential data extraction, modification, or authentication bypass without requiring user interaction.
SQL injection in Booking for Appointments and Events Calendar - Amelia WordPress plugin (versions up to 2.1.2) allows authenticated Manager-level users to extract sensitive database information via the `sort` parameter in the payments listing endpoint. The vulnerability exists because the sort field is interpolated directly into an ORDER BY clause without sanitization, bypassing PDO prepared statement protections which do not cover column names. GET requests also bypass Amelia's nonce validation, enabling time-based blind SQL injection attacks by authenticated users with Manager access or higher.
SQL injection in pandas-ai v3.0.0 allows remote code execution through the pandasai.agent.base._execute_sql_query component, enabling attackers to manipulate SQL queries and potentially access, modify, or exfiltrate database contents. No CVSS score, EPSS data, or KEV status is available; however, the vulnerability affects a widely-used data analysis library and publicly available proof-of-concept code exists, elevating real-world risk despite incomplete severity metrics.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /manage_user.php, enabling arbitrary SQL query execution with confidentiality and integrity impact. The vulnerability has a publicly available exploit, making it immediately actionable for threat actors despite the moderate CVSS score.
SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.
SQL injection in code-projects Simple Gym Management System 1.0 Payment Handler allows authenticated remote attackers to manipulate Payment_id, Amount, customer_id, payment_type, and customer_name parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists for this vulnerability; patch status from vendor remains unconfirmed.
SQL injection in code-projects Student Membership System 1.0 admin login allows unauthenticated remote attackers to bypass authentication and access sensitive data via crafted username/password parameters at /admin/index.php. Publicly available exploit code exists (VulDB 354296, GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects a network-accessible attack with low confidentiality/integrity/availability impact. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /delete_user.php, enabling unauthorized data exfiltration or manipulation. The vulnerability has CVSS score 5.3 (medium severity) with publicly available exploit code, though it requires authenticated access (PR:L) and carries low confidentiality, integrity, and availability impact per CVSS v4.0 assessment.
SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via an unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /delete_member.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability has been disclosed; however, active exploitation has not been confirmed by CISA. The attack requires valid authentication credentials but can be initiated over the network with minimal complexity.
SQL injection in code-projects Student Membership System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the User Registration Handler component. The vulnerability has a CVSS score of 7.3 with network-based attack vector and low complexity, requiring no privileges or user interaction. EPSS data are not available, and there is no CISA KEV listing, so confirmed active exploitation status is unknown. Publicly available exploit code exists per researcher disclosure on GitHub, elevating real-world risk for organizations running this application.
SQL injection in SourceCodester Teacher Record System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'searchteacher' parameter in the Parameter Handler component. The vulnerability has a publicly available exploit (GitHub POC published), enabling extraction of sensitive data, modification of database records, or potential system compromise. CVSS 7.3 (High severity) with low attack complexity and no authentication required indicates significant exploitation risk.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability via the /admin/ajax.php login endpoint. Attackers manipulate the 'email' parameter to execute arbitrary SQL commands. Publicly available exploit code exists (GitHub POC published), significantly lowering the attack barrier. The CVSS score of 7.3 reflects network-based exploitation requiring low complexity and no privileges, with partial impact across all CIA triad elements. No CISA KEV listing at time of analysis, but the combination of public exploit and authentication bypass capability makes this a realistic threat to internet-facing instances.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the Username parameter in /admin/login.php. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects low attack complexity and network accessibility. EPSS data unavailable, but public POC significantly elevates real-world risk for internet-facing installations.
SQL injection in SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the straightforward nature of SQL injection and public patch details increase exploitation risk.
SQL injection in baserCMS prior to version 5.2.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through unvalidated input in blog post functionality. The vulnerability affects all versions before 5.2.3 and has been patched; no public exploit code or active exploitation has been confirmed at the time of analysis.
Blind SQL injection in SourceCodester Loan Management System v1.0 allows authenticated attackers to inject malicious SQL commands via the borrower_id parameter in the ajax.php save_loan action. The vulnerability requires valid authentication to exploit and publicly available proof-of-concept code exists, making this a moderate-risk issue for organizations using this open-source application despite the lack of CVSS scoring.
Remote SQL injection in code-projects Accounting System 1.0 allows unauthenticated attackers to execute arbitrary SQL queries via the cos_id parameter in the /viewin_costumer.php file. The vulnerability has a CVSS score of 6.9 with a public exploit available, enabling attackers to read sensitive data from the database with minimal attack complexity. This is a network-accessible PHP application flaw affecting confidentiality with confirmed public disclosure.
SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the toMail parameter in the /admin-api/system/mail-log/page endpoint, enabling data exfiltration and potential database manipulation. The vulnerability carries a CVSS score of 5.1 with moderate confidentiality and integrity impact. Public exploit code is available, and the vendor has not responded to early disclosure efforts, leaving organizations dependent on self-patching or workarounds.
Remote SQL injection in YunaiV yudao-cloud up to version 2026.01 allows unauthenticated attackers to execute arbitrary SQL queries via the Website parameter in the /admin-api/system/tenant/get-by-website endpoint. The vulnerability has a CVSS score of 6.9 with public exploit code available, enabling remote compromise of database confidentiality and integrity without authentication or user interaction. The vendor has not responded to early disclosure notification.
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the mysqlColumnAsInsert function located in plugins/mysql/lib/column.go. The vulnerability affects the MySQL plugin component and enables attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. Public proof-of-concept code is available, and CVSS/EPSS data are not yet assigned by NVD.
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.
Prototype pollution in MikroORM's Utils.merge function allows attackers to modify JavaScript object prototypes when applications pass untrusted user input into ORM operations. Affects @mikro-orm/core npm package, enabling denial of service and potentially SQL injection when polluted properties influence query construction. No public exploit identified at time of analysis, though GitHub security advisory published by the project maintainers confirms the vulnerability class (CWE-1321).
SQL injection in MikroORM JavaScript ORM (versions ≤6.6.9 and ≤7.0.5) allows attackers to execute arbitrary SQL commands when specially crafted user-controlled objects are passed to query construction APIs. The vulnerability stems from duck-typed detection of internal ORM markers that attackers can replicate in malicious input objects. Applications passing unsanitized user input directly to write APIs like wrap().assign(), em.nativeUpdate(), em.nativeInsert(), or em.create() are exploitable. No public exploit identified at time of analysis, though the attack technique is straightforward for environments accepting untrusted JSON/object input.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the en_id parameter in /view_work.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available, increasing practical exploitation risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /edit_costumer.php. The vulnerability has a CVSS 4.0 score of 6.9 with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS severity.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the cos_id parameter in /view_costumer.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects high exploitability (AV:N/AC:L/PR:N) with partial impact across confidentiality, integrity, and availability. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in all-orders.php. The vulnerability has a publicly available exploit and requires no authentication or user interaction (CVSS 7.3, AV:N/AC:L/PR:N). No vendor-released patch identified at time of analysis, representing elevated risk for installations of this PHP-based food ordering application.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'Name' parameter in register-router.php. The vulnerability permits unauthorized database access with confirmed publicly available exploit code (EPSS and CVSS both indicate medium-severity risk). Attack complexity is low with no user interaction required, enabling automated exploitation. No vendor-released patch identified at time of analysis, and exploitation requires no authentication (CVSS PR:N).
SQL injection in Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in /all-tickets.php. The vulnerability is trivially exploitable with low attack complexity and requires no user interaction. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in Sinaptik AI PandasAI versions up to 0.1.4 allows unauthenticated remote attackers to manipulate database operations through the pandasai-lancedb extension. Six functions (delete_question_and_answers, delete_docs, update_question_answer, update_docs, get_relevant_question_answers_by_id, get_relevant_docs_by_id) in lancedb.py are vulnerable to SQL injection attacks. Publicly available exploit code exists (CVSS 7.3, EPSS data not provided). The vendor has not responded to disclosure attempts.
SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.
SQL injection in Fleet device management software versions prior to 4.81.0 allows authenticated Team Admin or Global Admin users to execute arbitrary SQL queries against the Fleet database via the MDM bootstrap package configuration API endpoint. Attackers with these privileges can exfiltrate sensitive data, modify arbitrary team configurations, and inject malicious content into team settings. The vulnerability requires authentication but poses significant risk to multi-tenant Fleet deployments where administrative credentials may be compromised or where insider threats exist.
SQL injection in Fleet's Apple MDM profile delivery pipeline before version 4.81.0 allows authenticated attackers with valid MDM enrollment certificates to exfiltrate or modify database contents, including user credentials, API tokens, and device enrollment secrets. This second-order SQL injection vulnerability affects the cpe:2.3:a:fleetdm:fleet product line and requires valid MDM enrollment credentials to exploit, limiting the attack surface to adversaries who have already established trust within the MDM enrollment process. No public exploit code or active exploitation has been identified at the time of this analysis.
SQL injection in code-projects Social Networking Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in delete_photos.php, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects an unknown function in the Endpoint component and has publicly available exploit code, increasing the likelihood of active abuse despite the moderate CVSS 5.3 score.
SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch or public exploit identified at time of analysis.
SQL injection in griptape-ai griptape 0.19.4 SqlTool allows authenticated remote attackers to manipulate SQL queries via the griptape/tools/sql/tool.py component, potentially accessing or modifying database contents. The exploit is publicly available, and the vendor has not responded to early disclosure notification.
SQL injection in zhongyu09 openchatbi up to version 0.2.1 allows authenticated remote attackers to manipulate the keywords argument in the Multi-stage Text2SQL Workflow component, leading to unauthorized database access with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
SQL injection in wbbeyourself MAC-SQL via the _execute_sql function in core/agents.py (Refiner Agent component) allows authenticated remote attackers to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability affects all versions up to commit 31a9df5e0d520be4769be57a4b9022e5e34a14f4, with publicly available exploit code and CVSS 6.3 (medium severity). The vendor has not responded to early disclosure attempts, and the product uses rolling releases making version tracking difficult.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and CVSS 5.3 score reflecting low confidentiality and integrity impact; however, the moderate real-world risk is elevated by public exploit availability and the authentication-required nature suggesting insider or credential-based attack scenarios.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fname parameter in the /OnlineClassroom/updatedetailsfromfaculty.php endpoint. The vulnerability has been publicly disclosed with exploit code available, presenting moderate real-world risk due to required authentication (PR:L) but low technical impact (VC:L, VI:L, VA:L) per CVSS 4.0 scoring.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.
SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.
SQL injection in Song-Li cross_browser application allows remote code execution via an unsanitized ID parameter in the details endpoint of flask/uniquemachine_app.py. The vulnerability affects all versions up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a, requires no authentication, and has publicly available exploit code. The vendor has not responded to disclosure attempts, and the product's rolling-release model means no traditional patched version has been released.
SQL injection in SourceCodester jkev Record Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component (index.php) to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. The exploit code is publicly available, and the vulnerability carries a CVSS 4.0 base score of 6.9 with low confidentiality, integrity, and availability impact.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.
SQL injection in AutohomeCorp Frostmourne up to version 1.0 allows authenticated remote attackers to execute arbitrary SQL queries through the /api/monitor-api/alarm/previewData endpoint's httpTest function, potentially leading to unauthorized data access, modification, or system compromise. Publicly available exploit code exists, elevating real-world risk despite the CVSS 6.3 (medium) rating.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.
SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.
SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.
SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.
SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.
SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.
SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.
SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.
SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.
SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.
SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).
SQL injection in Piwigo's Activity List API endpoint allows authenticated administrators to extract sensitive database contents including user credentials and email addresses. This vulnerability affects Piwigo versions prior to 16.3.0 and requires high-level privileges (administrator access) to exploit. CVSS score of 7.2 reflects the network-accessible attack vector with low complexity, though exploitation requires prior administrative authentication. No public exploit code or active exploitation (CISA KEV) identified at time of analysis. The vendor has released version 16.3.0 addressing this issue.
SQL injection in Piwigo photo gallery application allows authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method. Piwigo versions prior to 16.3.0 are affected due to improper sanitization of the filter parameter, which is directly concatenated into database queries. Vendor-released patch version 16.3.0 addresses this vulnerability. EPSS data not provided; no public exploit identified at time of analysis. Authentication requirements (PR:H) significantly limit attack surface to users with administrative privileges.
SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. Vendor-released patch available in version 16.3.0. EPSS and KEV data not provided, but the combination of unauthenticated access, low attack complexity, and full database disclosure represents critical risk for internet-facing Piwigo installations.
Second-order SQL injection in Focalboard 8.0 category reordering functionality enables authenticated attackers to exfiltrate sensitive data including password hashes via time-based blind injection. The vulnerability stems from unsanitized category IDs stored in the database and later executed in dynamic SQL statements. Focalboard is no longer maintained as a standalone product, and Mattermost confirmed no patch will be issued. No public exploit identified at time of analysis. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication.
SQL injection in OpenProject reporting module allows authenticated users to execute arbitrary SQL commands with escalated privileges. The vulnerable =n operator in the reporting library (modules/reporting/lib/report/operator.rb:177) concatenates user-controlled input directly into WHERE clauses without parameterization. Affects all OpenProject versions prior to 17.2.3. With CVSS 9.9 (Critical) and scope change (S:C), attackers with low-privilege authenticated access can achieve high integrity and availability impact across security boundaries. EPSS data not available; no public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory may facilitate rapid weaponization.
SQL injection in projectworlds Car Rental Project 1.0 login.php allows unauthenticated remote attackers to bypass authentication, extract sensitive database contents, and potentially modify or delete data via the 'uname' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network-accessible attack vector, no authentication requirement, and public exploit makes this a practical threat for internet-facing deployments of this vulnerable application.
SQL injection in itsourcecode Online Enrollment System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the deptid parameter in /enrollment/index.php?view=edit&id=3, potentially enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS score of 6.9. The vulnerability affects the Parameter Handler component's SQL query construction logic.
Arbitrary SQL execution in OpenSTAManager's database conflict resolution module allows authenticated attackers with access to the Aggiornamenti (Updates) feature to execute unrestricted SQL commands. Affecting versions prior to 2.10.2, attackers can submit JSON arrays of SQL statements that execute directly against the MySQL database with foreign key checks disabled, enabling complete database compromise including data exfiltration, modification, deletion, and schema manipulation. No public exploit identified at time of analysis and EPSS data not available; the authentication requirement (PR:L) and low attack complexity (AC:L) indicate straightforward exploitation for internal threats or compromised accounts.
SQL injection in shsuishang modulithshop allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the sidx/sort parameter in the ProductItemDao Interface listItem function, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability affects the rolling-release product across an unspecified version range; publicly available exploit code exists. CVSS 6.3 with exploitation probability noted (E:P), and a patch is available via upstream commit 42bcb9463425d1be906c3b290cf29885eb5a2324.
Blind SQL injection in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows unauthenticated remote attackers to extract sensitive database contents via the mb24api endpoint. The vulnerability enables complete confidentiality breach through crafted SQL SELECT commands with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis. Vendor advisory published by CERT@VDE with remediation guidance.
SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to execute arbitrary SQL commands via the setinfo endpoint, potentially destroying database integrity and causing complete service disruption. The vulnerability stems from insufficient input validation in SQL UPDATE operations. The CVSS 9.1 (Critical) vector confirms that no authentication is required (PR:N) and that attack complexity is low (AC:L), making this trivially exploitable. No public exploit identified at time of analysis, though the technical details disclosed in the CERT@VDE advisory provide sufficient information for rapid weaponization.
SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 products allows unauthenticated remote attackers to extract sensitive data through the getinfo endpoint. The vulnerability permits direct database queries without authentication, enabling complete confidentiality breach of stored information. EPSS and KEV data not provided; exploitation status unknown beyond technical disclosure by CERT@VDE.
SQL injection in AlejandroArciniegas mcp-data-vis MCP Handler allows remote unauthenticated attackers to manipulate database queries via the Request function in src/servers/database/server.js. Publicly available exploit code exists. CVSS 7.3 (High) with low attack complexity enables unauthorized data access, modification, and partial availability disruption. The vendor did not respond to disclosure, and the product uses a rolling release model without fixed version tracking, complicating patch verification. EPSS data not provided.
SQL injection in NocoBase plugin-workflow-sql through version 2.0.8 allows authenticated workflow users to execute arbitrary database queries. The vulnerable SQLInstruction class performs unparameterized string substitution of template variables (e.g., {{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.
SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which execute when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit confirmed beyond the GitHub security advisory POC; EPSS data unavailable. Immediate patching required for all PraisonAI Python package installations.
SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.
SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. The attack requires initial admin credentials to inject malicious serialized objects via SQL injection, then triggers via an anonymous GET request. Vendor-released patch available in v2.10.2. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though a detailed proof-of-concept with working Python exploit scripts is included in the advisory.
Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working proof-of-concept code demonstrating 10-second SLEEP delays and successful extraction of admin username, bcrypt password hashes, and MySQL version. Vendor-released patches are available in version 2.10.2 via commits 50b9089 and 679c40f. No public exploit identified at time of analysis beyond researcher PoC, with CVSS 8.8 (High) reflecting network accessibility, low complexity, and complete confidentiality/integrity/availability impact.
SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the userid parameter in /delstaffinfo.php, enabling arbitrary SQL query execution with limited data confidentiality and integrity impact. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the firstName parameter in /modify.php, enabling arbitrary database queries and potential data exfiltration or modification. The vulnerability affects the Parameter Handler component through CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Publicly available exploit code exists, and the CVSS 6.9 score reflects moderate impact with low attack complexity and no authentication requirement.
SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /view_employee.php. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, enabling potential data extraction, modification, or authentication bypass without requiring user interaction.
SQL injection in Booking for Appointments and Events Calendar - Amelia WordPress plugin (versions up to 2.1.2) allows authenticated Manager-level users to extract sensitive database information via the `sort` parameter in the payments listing endpoint. The vulnerability exists because the sort field is interpolated directly into an ORDER BY clause without sanitization, bypassing PDO prepared statement protections which do not cover column names. GET requests also bypass Amelia's nonce validation, enabling time-based blind SQL injection attacks by authenticated users with Manager access or higher.
SQL injection in pandas-ai v3.0.0 allows remote code execution through the pandasai.agent.base._execute_sql_query component, enabling attackers to manipulate SQL queries and potentially access, modify, or exfiltrate database contents. No CVSS score, EPSS data, or KEV status is available; however, the vulnerability affects a widely-used data analysis library and publicly available proof-of-concept code exists, elevating real-world risk despite incomplete severity metrics.
SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /manage_user.php, enabling arbitrary SQL query execution with confidentiality and integrity impact. The vulnerability has a publicly available exploit, making it immediately actionable for threat actors despite the moderate CVSS score.
SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.
SQL injection in code-projects Simple Gym Management System 1.0 Payment Handler allows authenticated remote attackers to manipulate Payment_id, Amount, customer_id, payment_type, and customer_name parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists for this vulnerability; patch status from vendor remains unconfirmed.
SQL injection in code-projects Student Membership System 1.0 admin login allows unauthenticated remote attackers to bypass authentication and access sensitive data via crafted username/password parameters at /admin/index.php. Publicly available exploit code exists (VulDB 354296, GitHub POC), enabling trivial exploitation with no attack complexity. CVSS 7.3 reflects network-accessible attack with low confidentiality/integrity/availability impact. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /delete_user.php, enabling unauthorized data exfiltration or manipulation. The vulnerability has CVSS score 5.3 (medium severity) with publicly available exploit code, though it requires authenticated access (PR:L) and carries low confidentiality, integrity, and availability impact per CVSS v4.0 assessment.
SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via an unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.
SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /delete_member.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability has been disclosed; however, active exploitation has not been confirmed by CISA. The attack requires valid authentication credentials but can be initiated over the network with minimal complexity.
SQL injection in code-projects Student Membership System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the User Registration Handler component. The vulnerability has a CVSS score of 7.3 with network-based attack vector and low complexity, requiring no privileges or user interaction. EPSS data not available; there is no CISA KEV listing, so confirmed active exploitation status is unknown. Publicly available exploit code exists per researcher disclosure on GitHub, elevating real-world risk for organizations running this application.
SQL injection in SourceCodester Teacher Record System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'searchteacher' parameter in the Parameter Handler component. The vulnerability has a publicly available exploit (GitHub POC published), enabling extraction of sensitive data, modification of database records, or potential system compromise. CVSS 7.3 (High severity) with low attack complexity and no authentication required indicates significant exploitation risk.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability via the /admin/ajax.php login endpoint. Attackers manipulate the 'email' parameter to execute arbitrary SQL commands. Publicly available exploit code exists (GitHub POC published), significantly lowering the attack barrier. The CVSS score of 7.3 reflects network-based exploitation requiring low complexity and no privileges, with partial impact across all CIA triad elements. No CISA KEV listing at time of analysis, but the combination of public exploit and authentication bypass capability makes this a realistic threat to internet-facing instances.
SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the Username parameter in /admin/login.php. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects low attack complexity and network accessibility. EPSS data unavailable, but public POC significantly elevates real-world risk for internet-facing installations.
SQL injection in SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the straightforward nature of SQL injection and public patch details increase exploitation risk.
SQL injection in baserCMS prior to version 5.2.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through unvalidated input in blog post functionality. The vulnerability affects all versions before 5.2.3 and has been patched; no public exploit code or active exploitation has been confirmed at the time of analysis.
Blind SQL injection in SourceCodester Loan Management System v1.0 allows authenticated attackers to inject malicious SQL commands via the borrower_id parameter in the ajax.php save_loan action. The vulnerability requires valid authentication to exploit and publicly available proof-of-concept code exists, making this a moderate-risk issue for organizations using this open-source application despite the lack of CVSS scoring.
Remote SQL injection in code-projects Accounting System 1.0 allows unauthenticated attackers to execute arbitrary SQL queries via the cos_id parameter in the /viewin_costumer.php file. The vulnerability has a CVSS score of 6.9 with a public exploit available, enabling attackers to read sensitive data from the database with minimal attack complexity. This is a network-accessible PHP application flaw affecting confidentiality with confirmed public disclosure.
SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the toMail parameter in the /admin-api/system/mail-log/page endpoint, enabling data exfiltration and potential database manipulation. The vulnerability carries a CVSS score of 5.1 with moderate confidentiality and integrity impact. Public exploit code is available, and the vendor has not responded to early disclosure efforts, leaving organizations dependent on self-patching or workarounds.
Remote SQL injection in YunaiV yudao-cloud up to version 2026.01 allows unauthenticated attackers to execute arbitrary SQL queries via the Website parameter in the /admin-api/system/tenant/get-by-website endpoint. The vulnerability has a CVSS score of 6.9 with public exploit code available, enabling remote compromise of database confidentiality and integrity without authentication or user interaction. The vendor has not responded to early disclosure notification.
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the mysqlColumnAsInsert function located in plugins/mysql/lib/column.go. The vulnerability affects the MySQL plugin component and enables attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. Public proof-of-concept code is available, and CVSS/EPSS data are not yet assigned by NVD.
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.
Prototype pollution in MikroORM's Utils.merge function allows attackers to modify JavaScript object prototypes when applications pass untrusted user input into ORM operations. Affects @mikro-orm/core npm package, enabling denial of service and potentially SQL injection when polluted properties influence query construction. No public exploit identified at time of analysis, though GitHub security advisory published by the project maintainers confirms the vulnerability class (CWE-1321).
SQL injection in MikroORM JavaScript ORM (versions ≤6.6.9 and ≤7.0.5) allows attackers to execute arbitrary SQL commands when specially crafted user-controlled objects are passed to query construction APIs. The vulnerability stems from duck-typed detection of internal ORM markers that attackers can replicate in malicious input objects. Applications passing unsanitized user input directly to write APIs like wrap().assign(), em.nativeUpdate(), em.nativeInsert(), or em.create() are exploitable. No public exploit identified at time of analysis, though the attack technique is straightforward for environments accepting untrusted JSON/object input.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the en_id parameter in /view_work.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available, increasing practical exploitation risk despite the moderate CVSS score of 6.9.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /edit_costumer.php. The vulnerability has a CVSS 4.0 score of 6.9 with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS severity.
SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the cos_id parameter in /view_costumer.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects high exploitability (AV:N/AC:L/PR:N) with partial impact across confidentiality, integrity, and availability. No vendor-released patch identified at time of analysis.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in all-orders.php. The vulnerability has a publicly available exploit and requires no authentication or user interaction (CVSS 7.3, AV:N/AC:L/PR:N). No vendor-released patch identified at time of analysis, representing elevated risk for installations of this PHP-based food ordering application.
SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'Name' parameter in register-router.php. The vulnerability permits unauthorized database access with confirmed publicly available exploit code (EPSS and CVSS both indicate medium-severity risk). Attack complexity is low with no user interaction required, enabling automated exploitation. No vendor-released patch identified at time of analysis, and exploitation requires no authentication (CVSS PR:N).
SQL injection in Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in /all-tickets.php. The vulnerability is trivially exploitable with low attack complexity and requires no user interaction. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in Sinaptik AI PandasAI versions up to 0.1.4 allows unauthenticated remote attackers to manipulate database operations through the pandasai-lancedb extension. Six functions (delete_question_and_answers, delete_docs, update_question_answer, update_docs, get_relevant_question_answers_by_id, get_relevant_docs_by_id) in lancedb.py are vulnerable to SQL injection attacks. Publicly available exploit code exists (CVSS 7.3, EPSS data not provided). The vendor has not responded to disclosure attempts.
SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.
SQL injection in Fleet device management software versions prior to 4.81.0 allows authenticated Team Admin or Global Admin users to execute arbitrary SQL queries against the Fleet database via the MDM bootstrap package configuration API endpoint. Attackers with these privileges can exfiltrate sensitive data, modify arbitrary team configurations, and inject malicious content into team settings. The vulnerability requires authentication but poses significant risk to multi-tenant Fleet deployments where administrative credentials may be compromised or where insider threats exist.
SQL injection in Fleet's Apple MDM profile delivery pipeline before version 4.81.0 allows authenticated attackers with valid MDM enrollment certificates to exfiltrate or modify database contents, including user credentials, API tokens, and device enrollment secrets. This second-order SQL injection vulnerability affects the cpe:2.3:a:fleetdm:fleet product line and requires valid MDM enrollment credentials to exploit, limiting the attack surface to adversaries who have already established trust within the MDM enrollment process. No public exploit code or active exploitation has been identified at the time of this analysis.
SQL injection in code-projects Social Networking Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in delete_photos.php, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects an unknown function in the Endpoint component and has publicly available exploit code, increasing the likelihood of active abuse despite the moderate CVSS 5.3 score.
SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch and no public exploit identified at time of analysis.