Skip to main content

SQLi

15147 CVEs technique

Monthly

CVE-2026-59834 HIGH This Week

SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.

SQLi Siyuan
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55208 HIGH PATCH This Week

Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.

SQLi
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-52775 PHP HIGH POC PATCH GHSA This Week

{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.

SQLi PHP
NVD GitHub
CVSS 3.1
8.8
CVE-2026-52771 PHP HIGH POC PATCH GHSA This Week

{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.

Deserialization SQLi PHP
NVD GitHub
CVSS 3.1
8.3
CVE-2026-52770 PHP HIGH POC PATCH GHSA This Week

Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.

PHP Oracle SQLi Docker
NVD GitHub
CVSS 3.1
7.5
CVE-2026-52763 PHP MEDIUM POC PATCH GHSA This Month

Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.

SQLi PHP
NVD GitHub
CVSS 3.1
6.5
CVE-2026-15190 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated remote attackers to manipulate the Username parameter on /login.php, potentially bypassing authentication or extracting database contents. A publicly available proof-of-concept exploit exists, published via a GitHub issue and documented in VulDB entry 377116. No CISA KEV listing is present, but the combination of network accessibility, no authentication requirement, and a live POC makes this a practical risk for any exposed deployment.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-56292 CRITICAL Act Now

SQL injection in the AcyMailing newsletter/email-marketing extension for Joomla (all versions before 10.11.1) allows remote attackers to inject crafted database queries, resulting in unauthorized database access and data leakage. The high CVSS 4.0 score (9.2) reflects unauthenticated network reach and high confidentiality impact against the Joomla back-end database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a public disclosure write-up exists on mysites.guru.

SQLi Acymailing Com Acymailing Extension For Joomla
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-50644 HIGH PATCH This Week

Authenticated SQL injection in SOPlanning lets a user holding the parameters_all privilege inject SQL through the audit retention configuration form, which is stored and then executed whenever the audit functionality is loaded by that attacker or any other user. Affected installations prior to version 1.56.01 face compromise of the underlying database, including data theft and modification. No public exploit identified at time of analysis; the flaw was reported by CERT-PL and is not listed in CISA KEV.

SQLi Soplanning
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-5955 CRITICAL Act Now

SQL injection in Inrove BiEticaret e-commerce platform before v3.3.57 allows remote unauthenticated attackers to inject arbitrary SQL commands (CWE-89) through improperly neutralized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector. Successful exploitation yields full read/write access to the backing database (C:H/I:H/A:H, CVSS 9.8). This flaw was reported by TR-CERT (Turkey's national CERT); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Bieticaret
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-14342 MEDIUM This Month

Time-based SQL injection in the Mail Mint WordPress plugin (versions ≤1.24.2) allows authenticated administrators to extract arbitrary data from the underlying database via the unsanitized 'contact_ids' parameter in the contact management API. Reported by Wordfence, the flaw is rooted in insufficient input escaping and missing prepared statements in the ContactModel and ContactController layers. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, a corrective changeset (3597255) has been committed to the WordPress plugin repository.

WordPress SQLi Mail Mint Email Marketing Newsletter Email Automation Woocommerce Emails
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-13011 MEDIUM This Month

SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized `orderby` parameter in the leave management module. The flaw resides in `functions-leave.php` and `LeaveRequestsListTable.php`, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. No public exploit code is confirmed and this CVE is not listed in the CISA KEV catalog, but the confidentiality impact is high given the plugin stores HR records, payroll data, and CRM contacts.

WordPress SQLi Erp
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15135 MEDIUM This Month

SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15134 MEDIUM This Month

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15137 MEDIUM POC This Month

SQL injection in code-projects Interview Management System 1.0 exposes the application to remote, unauthenticated database manipulation via the ID parameter in /inc/classes/View.php. An attacker with network access can read, modify, or partially disrupt data stored in the underlying database with no authentication required and no user interaction needed. A public exploit exists (referenced via GitHub at https://github.com/susususua-AI/CVE/issues/2), though no active exploitation has been confirmed by CISA KEV as of this analysis.

SQLi PHP Interview Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-39179 MEDIUM This Month

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality.

SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-39178 MEDIUM This Month

SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. EPSS sits at the 5th percentile (0.15%) and no CISA KEV listing exists, indicating no public exploit identified at time of analysis despite the straightforward CWE-89 root cause.

SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-9074 CRITICAL PATCH Act Now

Unauthenticated SQL injection in IBM API Connect's password reset functionality allows remote attackers to inject arbitrary SQL against the backing database without credentials, affecting versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. With a CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and total technical impact, exploitation can lead to full compromise of confidentiality, integrity, and availability of the API management data store. No public exploit identified at time of analysis, and EPSS remains low (0.44%), but IBM has released patches and CISA's SSVC flags the flaw as automatable with total impact.

IBM SQLi Api Connect
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-15067 HIGH PATCH This Week

SQL and DDL injection in the Snowflake Terraform Provider before 2.18.0 lets an attacker who can influence pipeline workspace variables execute arbitrary SQL inside the provider's privileged Snowflake session (CWE-89), enabling data exfiltration and creation of long-lived credentials. A second flaw allows identifier-injection into user-management DDL, so accounts can be minted with attacker-controlled credentials that bypass operator-configured security controls. No public exploit identified at time of analysis; risk is authenticated/insider-driven rather than remote-unauthenticated.

Hashicorp SQLi Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-15062 CRITICAL PATCH Act Now

SQL injection in the Snowflake Snowpark Python SDK (snowpark-python) before 1.53.0 lets an authenticated low-privilege Snowflake user execute SQL beyond their authorization scope, enabling cross-tenant data theft and source-database compromise. Three distinct injection points are involved - malicious source column names via DataFrameReader.dbapi(), a crafted location parameter that redirects COPY INTO in DataFrameWriter, and a backslash-single-quote bypass of normalize_path() in DataFrame.to_csv(). Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python SQLi
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-59257 MEDIUM PATCH This Month

SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.

SQLi N8n
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-8307 CRITICAL Act Now

SQL injection in Webbeyaz Web Design's Mediküm Web application (all versions through build 08072026) lets remote unauthenticated attackers inject arbitrary SQL commands, yielding full read/write control over the backend database. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction; no public exploit has been identified at time of analysis. Critically, the vendor confirmed to TR-CERT that the product is end-of-life and unsupported, so no fix will be issued.

SQLi Medik M Web
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-6854 HIGH This Week

Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.

WordPress SQLi My Calendar Accessible Event Manager
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12936 MEDIUM This Month

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.

WordPress SQLi Recurio Ultimate Subscription For Woocommerce
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-6230 HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-9700 HIGH This Week

SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 7.5 reflects confidentiality-only impact via time-based blind extraction.

WordPress SQLi Eventer
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-9701 CRITICAL Act Now

Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.

WordPress SQLi PHP Eventer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-55635 HIGH PATCH This Week

SQL injection in DataEase before 2.10.24 lets an authenticated user inject arbitrary SQL into queries run against configured datasources by supplying malicious quota (chart aggregation) or Y-axis filter values. The flaw sits in Quota2SQLObj.getYWheres(), which embeds attacker-controlled filter values directly into generated SQL while skipping the literal validation and escaping that other filter paths enforce. No public exploit identified at time of analysis, but the fixing commit and GitHub Security Advisory publicly disclose the exact vulnerable code path.

SQLi Dataease
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-55615 PyPI CRITICAL PATCH GHSA Act Now

Prompt-to-Cypher injection in Langroid's Neo4jChatAgent (pip package langroid <= 0.65.4) lets anyone who can influence the agent's prompt — directly, or indirectly through content pulled in via RAG — steer arbitrary Cypher into the Neo4j driver with no validation or opt-out gate, allowing unauthorized read, modification, and full destruction of all graph data, plus a LOAD CSV SSRF/remote-fetch primitive. When APOC or dbms.security procedures are granted to the database role, the same primitive escalates to OS-command and filesystem access, making it RCE-equivalent and matching the Critical parent issue CVE-2026-25879. No public weaponized exploit is identified at time of analysis, though the GHSA advisory documents a static grep-based reproduction; no KEV or EPSS signal is present in the source data.

SSRF SQLi
NVD GitHub
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-33734 MEDIUM PATCH This Month

SQL injection in FOSSBilling's Massmailer module exposes the application database to read access by authenticated administrators who can supply crafted filter values during mass email message updates. Affected versions span 0.6.0 through 0.7.2, with the fix shipped in version 0.8.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the high confidentiality impact (VC:H per CVSS 4.0) means a malicious or compromised administrator account could extract sensitive billing and client data from the underlying database.

SQLi Fossbilling
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-54760 PyPI CRITICAL PATCH GHSA Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python Path Traversal
NVD GitHub
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-14471 HIGH PATCH This Week

SQL injection in the Amazon (agentic-community) mcp-gateway-registry before 1.0.13 allows an authenticated remote user to execute arbitrary SQL queries by supplying a crafted table_name that the metrics-service retention policy component interpolates directly into SQL in identifier position. Because the injection sits in an identifier (table name) position rather than a parameterizable value, it bypasses ordinary prepared-statement protections and grants broad read/write access to the metrics datastore. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; a vendor patch (v1.0.13) is available.

SQLi Mcp Gateway Registry
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-14809 HIGH This Week

SQL injection in PROG MIS's Prog Management System allows unauthenticated remote attackers to inject arbitrary SQL commands and read arbitrary database contents. The flaw carries a CVSS 4.0 base score of 8.7 (High) and requires no authentication, privileges, or user interaction, but its impact is limited to confidentiality (data disclosure) rather than data modification or service disruption. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Taiwan's TWCERT.

SQLi Prog Management System
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-14799 LOW POC Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.

SQLi PHP Ecommerce Website
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14798 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14797 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14796 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14795 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14774 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/paymentdischarge.php` endpoint to database manipulation via the unsanitized `patientid` parameter. Low-privileged authenticated attackers can exploit this remotely with no user interaction required, achieving limited read, write, and availability impact against the underlying database. No public KEV listing, but a proof-of-concept exploit is publicly disclosed on GitHub, meaningfully lowering the bar for opportunistic exploitation in any internet-exposed deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14772 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the /edit_course1.php endpoint to remote, unauthenticated database manipulation via an unsanitized ID parameter. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required and the attack is trivially executable over the network. Exploit code has been publicly disclosed per VulDB submission and a GitHub issue report, with the E:P modifier in the CVSS 4.0 vector corroborating proof-of-concept availability - though no CISA KEV listing indicates confirmed active exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14773 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /payment.php endpoint to database manipulation via an unsanitized `patientid` parameter, exploitable by any authenticated low-privilege user over the network. The CVSS 4.0 vector (PR:L, AV:N) confirms remote exploitation is feasible with only a basic account, and partial confidentiality, integrity, and availability impact is expected against the underlying database. Publicly available exploit code exists on GitHub, materially lowering the skill threshold for exploitation despite the moderate 5.3 CVSS score.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14771 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14770 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized ID parameter in /edit_room.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required, and the E:P supplemental metric confirms public exploit code exists. An attacker can read, modify, or partially disrupt the underlying database without any prior access to the application.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14768 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/builderHome.php` endpoint to unauthenticated remote attackers who can manipulate database queries via the unsanitized `loc` parameter. A public proof-of-concept exploit exists (referenced via GitHub), lowering the exploitation barrier to script-kiddie level. No KEV listing exists, and the product's limited real-world deployment constrains overall population risk despite the trivial attack conditions.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14767 LOW Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the order confirmation endpoint to authenticated remote attackers who can manipulate the unsanitized `invoice_no` POST parameter to alter backend SQL queries. Exploitation is constrained to authenticated customer accounts (PR:L per CVSS 4.0 vector) but requires no additional configuration or user interaction. A public proof-of-concept has been released via GitHub Gist (E:P), lowering the technical bar for abuse despite a low CVSS 4.0 score of 2.1; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14769 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14766 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the `/apartment-visitor/search-result.php` endpoint to remote exploitation via the `searchdata` POST parameter, allowing low-privileged authenticated attackers to read, modify, or partially disrupt underlying database contents. A public proof-of-concept exploit exists on GitHub, lowering the skill barrier for opportunistic attacks against any internet-facing deployment. No CISA KEV listing has been confirmed, and the CVSS 4.0 score of 5.3 reflects a limited partial-impact scope; however, the POC's availability meaningfully elevates real-world exploitation probability above what the score alone suggests.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14764 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14762 MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the backend database through the Room Management Page at /admin/rooms.php, where the `delete` parameter is passed unsanitized into SQL queries. Remote attackers can exploit this to read, modify, or potentially delete database records. Publicly available exploit code exists per the GitHub advisory by anubhavv106, raising the operational risk despite the moderate CVSS 4.0 score of 5.5 and absence of a CISA KEV listing.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14763 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14756 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14754 MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the admin panel endpoint /admin/add_room.php to database manipulation via multiple unsanitized parameters. A proof-of-concept exploit has been publicly documented in a Medium article, lowering the barrier for opportunistic exploitation. The CVSS 4.0 vector rates this as network-reachable with no authentication required (PR:N), though this conflicts with the admin-panel location of the endpoint - a discrepancy that should be verified, as exploitation scope depends entirely on whether the admin interface enforces access controls.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14755 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14751 LOW POC Monitor

SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14750 MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14747 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14746 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14745 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14744 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14743 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14735 MEDIUM This Month

SQL injection in code-projects Smart Parking System 1.0 exposes the `/parkings/parkings.php` endpoint to remote unauthenticated exploitation via unsanitized `street`, `city`, and `status` parameters. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier network access with no authentication or user interaction required. A public proof-of-concept has been disclosed via a Medium article specifically documenting escalation from SQL injection to arbitrary file read, materially increasing real-world risk beyond the moderate base score of 5.5.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14734 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to remote, unauthenticated attackers through the unsanitized ID parameter in /edit_product.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no prerequisites, yielding low-rated but real confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is contradicted by the description and E:P supplemental metric - a public exploit exists, elevating the practical risk above what the 5.5 base score alone suggests for any internet-exposed instance.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14737 MEDIUM POC This Month

SQL injection in Hanwang e-Face General Management Platform 6.3.5.4 exposes the /sysAuthStr/querySysAuthStr.do endpoint to unauthenticated remote database manipulation via the unsanitized `order` parameter. The endpoint handles system authorization strings, meaning successful exploitation likely targets credential or access-control records - a high-sensitivity data class despite the vendor-assigned Low impact ratings. A public proof-of-concept is documented via VulDB (no CISA KEV listing at time of analysis); no EPSS score was provided in the source intelligence.

SQLi E Face General Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14733 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers through the unsanitized 'ID' parameter in /edit_coursea.php. The CVSS 4.0 E:P modifier and the CVE description both confirm that public exploit code exists, lowering the bar for opportunistic exploitation. Impact is assessed as limited across confidentiality, integrity, and availability (all Low), but the absence of authentication requirements makes this accessible to any network-reachable attacker.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14732 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database through the unsanitized ID parameter in /edit_exam.php, reachable by unauthenticated remote attackers. The exploit has been publicly disclosed (CVSS 4.0 E:P), allowing any actor with network access to enumerate, read, or manipulate database contents. No KEV listing is present; exploitation appears opportunistic rather than targeted, consistent with the niche deployment footprint of this product.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14731 LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientreport.php` endpoint to remote manipulation via the `editid` parameter, allowing an authenticated attacker to craft arbitrary SQL statements against the backend database. The CVSS 4.0 base score is 2.1 (Low), reflecting constrained confidentiality, integrity, and availability impact, with no scope change to adjacent systems. Publicly available exploit code exists (E:P per the CVSS 4.0 threat metric), though no active exploitation has been confirmed via CISA KEV.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14730 LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the patient database to authenticated low-privilege attackers via the `patientname` parameter in `/patientprofile.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no attack complexity, while the E:P supplemental metric confirms publicly available proof-of-concept exploit code. No vendor patch has been released, leaving deployments reliant on compensating controls; however, real-world risk is bounded by the product's extremely limited production footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14717 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote attackers with low-level privileges to manipulate the `loginid` parameter in `/patientlogin.php`, enabling unauthorized database read, modification, or deletion operations. The vulnerability scores 5.3 on CVSS 4.0 and is compounded by a publicly available proof-of-concept exploit published on GitHub, materially lowering the barrier to opportunistic attack. No CISA KEV listing has been identified, but the public POC and low attack complexity make any internet-exposed deployment an actionable target.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14713 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.

SQLi PHP Pizzafy E Commerce System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14706 LOW POC Monitor

SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.

SQLi PHP Online Examination
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14705 MEDIUM POC This Month

SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.

SQLi PHP Online Examination
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14703 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate the `editid` parameter in `/patientorder.php`, potentially exposing or modifying patient order records and underlying database contents. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and that a public exploit has been disclosed via GitHub. While the base impact metrics are rated Low across confidentiality, integrity, and availability, the sensitivity of healthcare data in scope and the trivially available proof-of-concept raise practical risk above what the numeric score alone suggests.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14701 LOW POC Monitor

SQL injection in code-projects Internship Management System 1.0 exposes authenticated employer accounts to database query manipulation via the `Current` parameter in the password change endpoint (`employer/details/change_password.php`). The flaw carries a CVSS 4.0 score of 5.3, is rooted in unsanitized PHP input passed directly into SQL queries (CWE-89), and has a publicly available proof-of-concept exploit on GitHub. No public exploit identified as confirmed in CISA KEV, but the combination of low attack complexity and public PoC meaningfully raises real-world exploitation likelihood against any internet-exposed deployment.

SQLi PHP Internship Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14700 MEDIUM POC This Month

SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.

SQLi PHP Internship Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14695 MEDIUM POC This Month

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14694 LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14692 LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14689 LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 enables remote, low-privilege authenticated attackers to manipulate backend database queries via the `apartmentno` parameter in `/apartment-visitor/add-apartment.php`. The CVSS 4.0 score of 2.1 reflects a constrained impact scope (low C/I/A on the vulnerable system, no downstream system impact), but the presence of a publicly available proof-of-concept lowers the exploitation bar significantly. Real-world impact could extend beyond the CVSS score if the database user holds elevated permissions, potentially enabling unauthorized data extraction or record manipulation across the application's dataset. No public exploit identified via CISA KEV; no vendor patch identified at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14688 MEDIUM POC This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.

SQLi PHP Online Hotel Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14660 MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.

SQLi PHP Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14659 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient and appointment data to remote attackers holding low-privilege credentials via the `patiente` parameter in `/patientappointment.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with no attack complexity, and the E:P modifier reflects a publicly disclosed proof-of-concept on GitHub. While not yet listed in CISA KEV, the combination of a live PoC, a healthcare data context, and trivial exploitation conditions makes this a credible risk for any organization running this application.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14658 LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 allows authenticated remote attackers to execute arbitrary SQL queries by manipulating the smarksrange[] array parameter in /lecturer/marking-scheme.php. The CVSS 4.0 vector (PR:L) confirms low-privilege authentication is required, limiting the attack surface to registered users such as lecturers. A public exploit proof-of-concept is available on GitHub, elevating the practical risk despite the medium CVSS 4.0 score of 5.3 and no confirmed active exploitation in the CISA KEV catalog.

SQLi PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14657 LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 exposes database query handling in the lecturer marking-scheme feature to manipulation via the unsanitized `squestions[]` parameter at `/lecturer/marking-scheme.php`. Authenticated remote attackers with low-privilege access can alter SQL query logic to extract or modify student assessment data. A public proof-of-concept exploit is documented on GitHub, lowering the skill bar for exploitation; however, the application is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 reflecting its constrained impact and authentication prerequisite.

SQLi PHP Assessment Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14654 MEDIUM This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14653 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14652 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14649 MEDIUM This Month

SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14648 MEDIUM POC This Month

Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.

SQLi PHP Online Voting System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14642 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14641 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.

SQLi Siyuan
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.

SQLi
NVD GitHub
CVSS 8.8
HIGH POC PATCH This Week

{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.

SQLi PHP
NVD GitHub
CVSS 8.3
HIGH POC PATCH This Week

{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.

Deserialization SQLi PHP
NVD GitHub
CVSS 7.5
HIGH POC PATCH This Week

Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.

PHP Oracle SQLi +1
NVD GitHub
CVSS 6.5
MEDIUM POC PATCH This Month

Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated remote attackers to manipulate the Username parameter on /login.php, potentially bypassing authentication or extracting database contents. A publicly available proof-of-concept exploit exists, published via a GitHub issue and documented in VulDB entry 377116. No CISA KEV listing is present, but the combination of network accessibility, no authentication requirement, and a live POC makes this a practical risk for any exposed deployment.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 9.2
CRITICAL Act Now

SQL injection in the AcyMailing newsletter/email-marketing extension for Joomla (all versions before 10.11.1) allows remote attackers to inject crafted database queries, resulting in unauthorized database access and data leakage. The high CVSS 4.0 score (9.2) reflects unauthenticated network reach and high confidentiality impact against the Joomla back-end database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a public disclosure write-up exists on mysites.guru.

SQLi Acymailing Com Acymailing Extension For Joomla
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authenticated SQL injection in SOPlanning lets a user holding the parameters_all privilege inject SQL through the audit retention configuration form, which is stored and then executed whenever the audit functionality is loaded by that attacker or any other user. Affected installations prior to version 1.56.01 face compromise of the underlying database, including data theft and modification. No public exploit identified at time of analysis; the flaw was reported by CERT-PL and is not listed in CISA KEV.

SQLi Soplanning
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Inrove BiEticaret e-commerce platform before v3.3.57 allows remote unauthenticated attackers to inject arbitrary SQL commands (CWE-89) through improperly neutralized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector. Successful exploitation yields full read/write access to the backing database (C:H/I:H/A:H, CVSS 9.8). This flaw was reported by TR-CERT (Turkey's national CERT); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Bieticaret
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based SQL injection in the Mail Mint WordPress plugin (versions ≤1.24.2) allows authenticated administrators to extract arbitrary data from the underlying database via the unsanitized 'contact_ids' parameter in the contact management API. Reported by Wordfence, the flaw is rooted in insufficient input escaping and missing prepared statements in the ContactModel and ContactController layers. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, a corrective changeset (3597255) has been committed to the WordPress plugin repository.

WordPress SQLi Mail Mint Email Marketing Newsletter Email Automation Woocommerce Emails
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized `orderby` parameter in the leave management module. The flaw resides in `functions-leave.php` and `LeaveRequestsListTable.php`, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. No public exploit code is confirmed and this CVE is not listed in the CISA KEV catalog, but the confidentiality impact is high given the plugin stores HR records, payroll data, and CRM contacts.

WordPress SQLi Erp
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Interview Management System 1.0 exposes the application to remote, unauthenticated database manipulation via the ID parameter in /inc/classes/View.php. An attacker with network access can read, modify, or partially disrupt data stored in the underlying database with no authentication required and no user interaction needed. A public exploit exists (referenced via GitHub at https://github.com/susususua-AI/CVE/issues/2), though no active exploitation has been confirmed by CISA KEV as of this analysis.

SQLi PHP Interview Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. EPSS sits at the 5th percentile (0.15%) and no CISA KEV listing exists, indicating no public exploit identified at time of analysis despite the straightforward CWE-89 root cause.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated SQL injection in IBM API Connect's password reset functionality allows remote attackers to inject arbitrary SQL against the backing database without credentials, affecting versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. With a CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and total technical impact, exploitation can lead to full compromise of confidentiality, integrity, and availability of the API management data store. No public exploit identified at time of analysis, and EPSS remains low (0.44%), but IBM has released patches and CISA's SSVC flags the flaw as automatable with total impact.

IBM SQLi Api Connect
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL and DDL injection in the Snowflake Terraform Provider before 2.18.0 lets an attacker who can influence pipeline workspace variables execute arbitrary SQL inside the provider's privileged Snowflake session (CWE-89), enabling data exfiltration and creation of long-lived credentials. A second flaw allows identifier-injection into user-management DDL, so accounts can be minted with attacker-controlled credentials that bypass operator-configured security controls. No public exploit identified at time of analysis; risk is authenticated/insider-driven rather than remote-unauthenticated.

Hashicorp SQLi Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

SQL injection in the Snowflake Snowpark Python SDK (snowpark-python) before 1.53.0 lets an authenticated low-privilege Snowflake user execute SQL beyond their authorization scope, enabling cross-tenant data theft and source-database compromise. Three distinct injection points are involved - malicious source column names via DataFrameReader.dbapi(), a crafted location parameter that redirects COPY INTO in DataFrameWriter, and a backslash-single-quote bypass of normalize_path() in DataFrame.to_csv(). Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python SQLi
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.

SQLi N8n
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Webbeyaz Web Design's Mediküm Web application (all versions through build 08072026) lets remote unauthenticated attackers inject arbitrary SQL commands, yielding full read/write control over the backend database. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction; no public exploit has been identified at time of analysis. Critically, the vendor confirmed to TR-CERT that the product is end-of-life and unsupported, so no fix will be issued.

SQLi Medik M Web
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.

WordPress SQLi My Calendar Accessible Event Manager
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.

WordPress SQLi Recurio Ultimate Subscription For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 7.5 reflects confidentiality-only impact via time-based blind extraction.

WordPress SQLi Eventer
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.

WordPress SQLi PHP +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in DataEase before 2.10.24 lets an authenticated user inject arbitrary SQL into queries run against configured datasources by supplying malicious quota (chart aggregation) or Y-axis filter values. The flaw sits in Quota2SQLObj.getYWheres(), which embeds attacker-controlled filter values directly into generated SQL while skipping the literal validation and escaping that other filter paths enforce. No public exploit identified at time of analysis, but the fixing commit and GitHub Security Advisory publicly disclose the exact vulnerable code path.

SQLi Dataease
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Prompt-to-Cypher injection in Langroid's Neo4jChatAgent (pip package langroid <= 0.65.4) lets anyone who can influence the agent's prompt — directly, or indirectly through content pulled in via RAG — steer arbitrary Cypher into the Neo4j driver with no validation or opt-out gate, allowing unauthorized read, modification, and full destruction of all graph data, plus a LOAD CSV SSRF/remote-fetch primitive. When APOC or dbms.security procedures are granted to the database role, the same primitive escalates to OS-command and filesystem access, making it RCE-equivalent and matching the Critical parent issue CVE-2026-25879. No public weaponized exploit is identified at time of analysis, though the GHSA advisory documents a static grep-based reproduction; no KEV or EPSS signal is present in the source data.

SSRF SQLi
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in FOSSBilling's Massmailer module exposes the application database to read access by authenticated administrators who can supply crafted filter values during mass email message updates. Affected versions span 0.6.0 through 0.7.2, with the fix shipped in version 0.8.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the high confidentiality impact (VC:H per CVSS 4.0) means a malicious or compromised administrator account could extract sensitive billing and client data from the underlying database.

SQLi Fossbilling
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

SQL injection in the Amazon (agentic-community) mcp-gateway-registry before 1.0.13 allows an authenticated remote user to execute arbitrary SQL queries by supplying a crafted table_name that the metrics-service retention policy component interpolates directly into SQL in identifier position. Because the injection sits in an identifier (table name) position rather than a parameterizable value, it bypasses ordinary prepared-statement protections and grants broad read/write access to the metrics datastore. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; a vendor patch (v1.0.13) is available.

SQLi Mcp Gateway Registry
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in PROG MIS's Prog Management System allows unauthenticated remote attackers to inject arbitrary SQL commands and read arbitrary database contents. The flaw carries a CVSS 4.0 base score of 8.7 (High) and requires no authentication, privileges, or user interaction, but its impact is limited to confidentiality (data disclosure) rather than data modification or service disruption. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Taiwan's TWCERT.

SQLi Prog Management System
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.

SQLi PHP Ecommerce Website
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/paymentdischarge.php` endpoint to database manipulation via the unsanitized `patientid` parameter. Low-privileged authenticated attackers can exploit this remotely with no user interaction required, achieving limited read, write, and availability impact against the underlying database. No public KEV listing, but a proof-of-concept exploit is publicly disclosed on GitHub, meaningfully lowering the bar for opportunistic exploitation in any internet-exposed deployment.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the /edit_course1.php endpoint to remote, unauthenticated database manipulation via an unsanitized ID parameter. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required and the attack is trivially executable over the network. Exploit code has been publicly disclosed per VulDB submission and a GitHub issue report, with the E:P modifier in the CVSS 4.0 vector corroborating proof-of-concept availability - though no CISA KEV listing indicates confirmed active exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the /payment.php endpoint to database manipulation via an unsanitized `patientid` parameter, exploitable by any authenticated low-privilege user over the network. The CVSS 4.0 vector (PR:L, AV:N) confirms remote exploitation is feasible with only a basic account, and partial confidentiality, integrity, and availability impact is expected against the underlying database. Publicly available exploit code exists on GitHub, materially lowering the skill threshold for exploitation despite the moderate 5.3 CVSS score.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized ID parameter in /edit_room.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required, and the E:P supplemental metric confirms public exploit code exists. An attacker can read, modify, or partially disrupt the underlying database without any prior access to the application.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/builderHome.php` endpoint to unauthenticated remote attackers who can manipulate database queries via the unsanitized `loc` parameter. A public proof-of-concept exploit exists (referenced via GitHub), lowering the exploitation barrier to script-kiddie level. No KEV listing exists, and the product's limited real-world deployment constrains overall population risk despite the trivial attack conditions.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in CodeAstro Ecommerce Website 1.0 exposes the order confirmation endpoint to authenticated remote attackers who can manipulate the unsanitized `invoice_no` POST parameter to alter backend SQL queries. Exploitation is constrained to authenticated customer accounts (PR:L per CVSS 4.0 vector) but requires no additional configuration or user interaction. A public proof-of-concept has been released via GitHub Gist (E:P), lowering the technical bar for abuse despite a low CVSS 4.0 score of 2.1; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the `/apartment-visitor/search-result.php` endpoint to remote exploitation via the `searchdata` POST parameter, allowing low-privileged authenticated attackers to read, modify, or partially disrupt underlying database contents. A public proof-of-concept exploit exists on GitHub, lowering the skill barrier for opportunistic attacks against any internet-facing deployment. No CISA KEV listing has been confirmed, and the CVSS 4.0 score of 5.3 reflects a limited partial-impact scope; however, the POC's availability meaningfully elevates real-world exploitation probability above what the score alone suggests.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the backend database through the Room Management Page at /admin/rooms.php, where the `delete` parameter is passed unsanitized into SQL queries. Remote attackers can exploit this to read, modify, or potentially delete database records. Publicly available exploit code exists per the GitHub advisory by anubhavv106, raising the operational risk despite the moderate CVSS 4.0 score of 5.5 and absence of a CISA KEV listing.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the admin panel endpoint /admin/add_room.php to database manipulation via multiple unsanitized parameters. A proof-of-concept exploit has been publicly documented in a Medium article, lowering the barrier for opportunistic exploitation. The CVSS 4.0 vector rates this as network-reachable with no authentication required (PR:N), though this conflicts with the admin-panel location of the endpoint - a discrepancy that should be verified, as exploitation scope depends entirely on whether the admin interface enforces access controls.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.

SQLi PHP Stumasy
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Smart Parking System 1.0 exposes the `/parkings/parkings.php` endpoint to remote unauthenticated exploitation via unsanitized `street`, `city`, and `status` parameters. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier network access with no authentication or user interaction required. A public proof-of-concept has been disclosed via a Medium article specifically documenting escalation from SQL injection to arbitrary file read, materially increasing real-world risk beyond the moderate base score of 5.5.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to remote, unauthenticated attackers through the unsanitized ID parameter in /edit_product.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no prerequisites, yielding low-rated but real confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is contradicted by the description and E:P supplemental metric - a public exploit exists, elevating the practical risk above what the 5.5 base score alone suggests for any internet-exposed instance.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Hanwang e-Face General Management Platform 6.3.5.4 exposes the /sysAuthStr/querySysAuthStr.do endpoint to unauthenticated remote database manipulation via the unsanitized `order` parameter. The endpoint handles system authorization strings, meaning successful exploitation likely targets credential or access-control records - a high-sensitivity data class despite the vendor-assigned Low impact ratings. A public proof-of-concept is documented via VulDB (no CISA KEV listing at time of analysis); no EPSS score was provided in the source intelligence.

SQLi E Face General Management Platform
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers through the unsanitized 'ID' parameter in /edit_coursea.php. The CVSS 4.0 E:P modifier and the CVE description both confirm that public exploit code exists, lowering the bar for opportunistic exploitation. Impact is assessed as limited across confidentiality, integrity, and availability (all Low), but the absence of authentication requirements makes this accessible to any network-reachable attacker.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database through the unsanitized ID parameter in /edit_exam.php, reachable by unauthenticated remote attackers. The exploit has been publicly disclosed (CVSS 4.0 E:P), allowing any actor with network access to enumerate, read, or manipulate database contents. No KEV listing is present; exploitation appears opportunistic rather than targeted, consistent with the niche deployment footprint of this product.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientreport.php` endpoint to remote manipulation via the `editid` parameter, allowing an authenticated attacker to craft arbitrary SQL statements against the backend database. The CVSS 4.0 base score is 2.1 (Low), reflecting constrained confidentiality, integrity, and availability impact, with no scope change to adjacent systems. Publicly available exploit code exists (E:P per the CVSS 4.0 threat metric), though no active exploitation has been confirmed via CISA KEV.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the patient database to authenticated low-privilege attackers via the `patientname` parameter in `/patientprofile.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no attack complexity, while the E:P supplemental metric confirms publicly available proof-of-concept exploit code. No vendor patch has been released, leaving deployments reliant on compensating controls; however, real-world risk is bounded by the product's extremely limited production footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote attackers with low-level privileges to manipulate the `loginid` parameter in `/patientlogin.php`, enabling unauthorized database read, modification, or deletion operations. The vulnerability scores 5.3 on CVSS 4.0 and is compounded by a publicly available proof-of-concept exploit published on GitHub, materially lowering the barrier to opportunistic attack. No CISA KEV listing has been identified, but the public POC and low attack complexity make any internet-exposed deployment an actionable target.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.

SQLi PHP Pizzafy E Commerce System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.

SQLi PHP Online Examination
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.

SQLi PHP Online Examination
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate the `editid` parameter in `/patientorder.php`, potentially exposing or modifying patient order records and underlying database contents. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and that a public exploit has been disclosed via GitHub. While the base impact metrics are rated Low across confidentiality, integrity, and availability, the sensitivity of healthcare data in scope and the trivially available proof-of-concept raise practical risk above what the numeric score alone suggests.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Internship Management System 1.0 exposes authenticated employer accounts to database query manipulation via the `Current` parameter in the password change endpoint (`employer/details/change_password.php`). The flaw carries a CVSS 4.0 score of 5.3, is rooted in unsanitized PHP input passed directly into SQL queries (CWE-89), and has a publicly available proof-of-concept exploit on GitHub. No public exploit identified as confirmed in CISA KEV, but the combination of low attack complexity and public PoC meaningfully raises real-world exploitation likelihood against any internet-exposed deployment.

SQLi PHP Internship Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.

SQLi PHP Internship Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Apartment Visitor Management System 1.0 enables remote, low-privilege authenticated attackers to manipulate backend database queries via the `apartmentno` parameter in `/apartment-visitor/add-apartment.php`. The CVSS 4.0 score of 2.1 reflects a constrained impact scope (low C/I/A on the vulnerable system, no downstream system impact), but the presence of a publicly available proof-of-concept lowers the exploitation bar significantly. Real-world impact could extend beyond the CVSS score if the database user holds elevated permissions, potentially enabling unauthorized data extraction or record manipulation across the application's dataset. No public exploit identified via CISA KEV; no vendor patch identified at time of analysis.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.

SQLi PHP Online Hotel Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.

SQLi PHP Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient and appointment data to remote attackers holding low-privilege credentials via the `patiente` parameter in `/patientappointment.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with no attack complexity, and the E:P modifier reflects a publicly disclosed proof-of-concept on GitHub. While not yet listed in CISA KEV, the combination of a live PoC, a healthcare data context, and trivial exploitation conditions makes this a credible risk for any organization running this application.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 allows authenticated remote attackers to execute arbitrary SQL queries by manipulating the smarksrange[] array parameter in /lecturer/marking-scheme.php. The CVSS 4.0 vector (PR:L) confirms low-privilege authentication is required, limiting the attack surface to registered users such as lecturers. A public exploit proof-of-concept is available on GitHub, elevating the practical risk despite the medium CVSS 4.0 score of 5.3 and no confirmed active exploitation in the CISA KEV catalog.

SQLi PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Assessment Management 1.0 exposes database query handling in the lecturer marking-scheme feature to manipulation via the unsanitized `squestions[]` parameter at `/lecturer/marking-scheme.php`. Authenticated remote attackers with low-privilege access can alter SQL query logic to extract or modify student assessment data. A public proof-of-concept exploit is documented on GitHub, lowering the skill bar for exploitation; however, the application is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 reflecting its constrained impact and authentication prerequisite.

SQLi PHP Assessment Management
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.

SQLi PHP Online Voting System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
Prev Page 2 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy