SQLi
Monthly
Personnel Property Equipment System v1.0 has SQL injection in admin panel.
Simple Student Alumni System v1.0 has a third SQL injection.
Simple Student Alumni System v1.0 has SQL injection in record_search.php.
Simple Student Alumni System v1.0 has SQL injection in modal_view.php.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database extraction vector.
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. [CVSS 7.2 HIGH]
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
SQL injection in Simple Student Alumni System v1.0's modal_edit.php endpoint allows authenticated administrators to extract sensitive database information through unauthenticated network requests. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level privileges but can bypass intended access controls to read confidential data.
Simple Student Alumni System v1.0 contains a SQL injection vulnerability in the recordteacher_view.php endpoint that allows authenticated administrators to extract sensitive data from the underlying database. Public exploit code exists for this vulnerability, though a patch is currently unavailable. The attack requires high-level administrative privileges but can be executed remotely without user interaction.
A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path resulting in Blind SQL Injection.
In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.
including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions up to 7.9.0. is affected by sql injection.
SQL injection in the authentication module of CISER System SL firmware allows unauthenticated remote attackers to compromise stored configuration data by submitting crafted SQL through the login interface. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality and integrity impact, though EPSS remains low at 0.36% and no public exploit identified at time of analysis. The advisory was coordinated by INCIBE-CERT (Spain).
SQL injection in itsourcecode University Management System 1.0 via the ID parameter in /admin_single_student.php allows unauthenticated remote attackers to manipulate database queries with public exploit code currently available. The vulnerability enables attackers to read, modify, or delete sensitive academic and administrative data without authentication. No patch is currently available for this PHP-based application.
SQL injection in itsourcecode University Management System 1.0 via the ID parameter in /admin_single_student_update.php allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive student records. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected institutions at immediate risk.
Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
SQL injection in Online Art Gallery Shop 1.0 via the fname parameter in /admin/registration.php enables unauthenticated remote attackers to manipulate database queries. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected PHP installations at immediate risk of data compromise or unauthorized access.
Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress databases through the wpfob parameter via blind boolean-based attacks. The vulnerability exploits inadequate sanitization of ORDER BY clause identifiers, enabling credential theft without authentication. No patch is currently available for affected installations.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
SQL injection in openDCIM 23.04 (up to commit 4467e9c4) lets attackers execute arbitrary SQL through the Config::UpdateParameter routine, which the install.php and container-install.php handlers reach with unsanitized, string-interpolated input. Publicly available exploit code exists (Chocapikk PoC and write-up) demonstrating a chain from SQLi to remote code execution, though it is not listed in CISA KEV and EPSS rates real-world exploitation probability at only 0.04%. Note a data conflict: the CVSS 4.0 vector encodes PR:N (unauthenticated) while the description states an authenticated user is required.
SQL injection in Group Office email template selection endpoint allows authenticated attackers to extract sensitive data from the database through the unvalidated comparator parameter in advancedQueryData. An attacker with valid credentials can perform blind boolean-based attacks to exfiltrate password hashes from the core_auth_password table. Affected versions prior to 26.0.8, 25.0.87, and 6.8.153 require immediate patching.
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. [CVSS 8.2 HIGH]
Blind SQL injection in Centreon Web's Service Dependencies module allows authenticated attackers to extract sensitive database information through unsanitized array keys in deletion requests. This vulnerability affects Centreon Web versions before 25.10.8, 24.10.20, and 24.04.24 on Linux systems, requiring valid credentials but no user interaction to exploit. No patch is currently available, leaving affected deployments vulnerable to database reconnaissance and potential data exfiltration.
Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges.
SQL injection in Signum Technology application allows unauthenticated attackers to execute arbitrary SQL queries.
SQL injection in the MailArchiver WordPress plugin through version 4.5.0 allows authenticated administrators to extract sensitive database information by injecting malicious SQL commands via the 'logid' parameter due to improper input escaping. The vulnerability requires high-level privileges and administrator credentials to exploit, limiting its risk to insider threats or compromised administrative accounts. No patch is currently available for this medium-severity issue.
SQL injection in Dayneks Software allows unauthenticated attackers to manipulate database queries and extract or modify data.
SQL injection in jizhiCMS up to version 2.5.6 via the findAll function in the Model.php batch interface allows authenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The flaw requires valid user credentials but can be exploited over the network with minimal additional complexity.
SQL injection in Youlai Mall 2.0.0's product pagination endpoint allows authenticated remote attackers to manipulate the sortField parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. Attackers with valid credentials can exploit this flaw to read or modify sensitive data within the database.
SQL injection in Phishing Club's GetOrphaned recipient endpoint allows authenticated attackers to manipulate ORDER BY clauses by injecting malicious SQL expressions through an unvalidated sortBy parameter. Public exploit code exists for this vulnerability, affecting versions prior to 1.30.2, where attackers can extract sensitive data despite the lack of direct integrity or availability impact. The vulnerability has been patched in v1.30.2 through implementation of column allowlist validation.
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /settings/index.php allows unauthenticated remote attackers to manipulate database queries and potentially read or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running affected versions should implement access controls or upgrade immediately to mitigate the risk.
SQL injection in Discourse's private message tag filtering allows authenticated users to bypass tag restrictions and read unauthorized private message metadata. Affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 expose sensitive conversation information to users who should not have access. No patch workaround exists for unpatched installations.
SQL injection in SPIP prior to 4.4.10 enables authenticated users with low privileges to execute arbitrary SQL commands and achieve remote code execution through union-based injection combined with PHP tag processing. The vulnerability affects SPIP and PHP environments, requiring only network access and valid credentials to exploit. No patch is currently available, presenting significant risk to production SPIP installations.
Remote control vulnerability in Unitree Go2 robot dog firmware 1.1.7-1.1.11. The companion Android app allows remote attackers to take control of the robot. PoC available.
SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.
The WP SMS plugin for WordPress through version 6.9.12 contains an SQL injection vulnerability that allows high-privileged authenticated users to manipulate database queries and extract sensitive information. An attacker with administrative credentials could exploit this to read arbitrary data from the WordPress database, potentially compromising user information and site configuration. No patch is currently available for this vulnerability.
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the order_key parameter and inject arbitrary SQL commands through improper identifier handling in ORDER BY clauses. An attacker with valid credentials can exploit this vulnerability to perform blind SQL injection attacks, potentially extracting sensitive database information or causing denial of service through resource exhaustion. No patch is currently available for this high-severity vulnerability affecting MySQL implementations.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
SQL injection in z-9527 admin 1.0/2.0 user controller functions (checkName, register, login, getUser, getUsers) allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The impact includes potential unauthorized data access, modification, and service disruption with no available patch.
SQL injection in OpenEMR versions before 8.0.0 allows authenticated users to execute arbitrary database queries through the prescription listing feature due to improper input validation. An attacker with valid credentials could exploit this to read, modify, or delete sensitive medical records and patient data. Public exploit code exists for this vulnerability; administrators should upgrade to version 8.0.0 immediately.
SQL injection in OpenEMR electronic health records before fix. Authenticated users can execute arbitrary SQL through the medical records system. PoC and patch available.
SQL injection in OpenEMR's Immunization module prior to version 8.0.0 enables authenticated users to execute arbitrary database queries through unparameterized patient_id inputs. This allows attackers to exfiltrate protected health information, steal credentials, and potentially achieve remote code execution with complete database compromise. Public exploit code exists for this vulnerability; organizations should upgrade to version 8.0.0 immediately.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
JWT authentication bypass in OpenSIPS 3.1 through 3.6.3 lets remote attackers impersonate arbitrary identities by exploiting a SQL injection in the auth_jwt module's jwt_db_authorize() function. The flaw affects only deployments where the module runs with db_mode enabled against a SQL database backend; the tag claim is read from the JWT and placed into a SQL query before the token signature is verified, so no valid signing key is needed. EPSS is low (0.07%, 20th percentile) and there is no public exploit identified at time of analysis, but the auth-bypass impact makes it a meaningful risk for exposed VoIP infrastructure.
SQL injection via TLS-SRP handshake. Attacker can inject SQL through the SRP username field during TLS handshake, compromising any application using TLS-SRP authentication.
Denial of Service in Red Hat Developer Hub's Orchestrator Plugin allows authenticated users to crash the entire Backstage application through malformed GraphQL queries due to insufficient input validation. An attacker can leverage this to temporarily disable platform access for all legitimate users. No patch is currently available to address this vulnerability.
Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.
SQL injection in the News Portal Project 1.0 /admin/contactus.php endpoint allows unauthenticated remote attackers to manipulate the pagetitle parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable data theft, modification, or denial of service against affected installations.
SQL injection in itsourcecode Document Management System 1.0 via the Username parameter in /register.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems face potential data theft, modification, and denial of service through successful exploitation.
SQL injection in itsourcecode College Management System 1.0 via the teacher_id parameter in /admin/teacher-salary.php enables unauthenticated remote attackers to execute arbitrary database queries and manipulate sensitive payroll data. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects confidentiality, integrity, and availability of the system.
SQL injection in itsourcecode College Management System 1.0's login functionality allows remote attackers to manipulate the email parameter and execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, enabling immediate attack capability against unpatched systems. The flaw permits data disclosure, modification, and potential service disruption with a CVSS score of 7.3.
SQL injection in itsourcecode College Management System 1.0's teacher management interface allows authenticated attackers to manipulate the teacher_id parameter in /admin/display-teacher.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling remote exploitation by users with administrative access. The vulnerability remains unpatched and carries medium severity with potential for data confidentiality, integrity, and availability compromise.
College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).
Simple And Nice Shopping Cart Script versions up to 1.0 contains a security vulnerability (CVSS 7.3).
SQL injection in the SPIP interface_traduction_objets plugin before version 2.2.2 allows authenticated editors to execute arbitrary database queries through unsanitized input in translation request parameters. Attackers can exploit this to read, modify, or delete database contents, or cause denial of service. A patch is available and should be applied immediately to affected installations.
Unauthenticated SQL injection in SPIP referer_spam plugin before 1.3.0 via the referrer tracking functionality. PoC and patch available.
SQL injection in itsourcecode News Portal Project 1.0 via the Category parameter in /admin/add-category.php allows unauthenticated remote attackers to manipulate database queries. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected installations vulnerable to data exfiltration, modification, or deletion. The attack requires no user interaction and can be executed over the network with a CVSS score of 7.3.
SQL injection in itsourcecode News Portal Project 1.0's category editing functionality allows unauthenticated remote attackers to manipulate the Category parameter and execute arbitrary SQL queries. Public exploit code is available for this vulnerability, increasing the likelihood of active exploitation. Currently, no patch is available to remediate this issue.
SQL injection in itsourcecode Document Management System 1.0 login functionality allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling attackers to potentially read, modify, or delete sensitive data within the application.
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL injection enabling full database compromise.
Mautic's Contact Activity API endpoint is vulnerable to SQL injection due to insufficient validation of the sort direction parameter, allowing authenticated attackers to execute arbitrary SQL queries. This high-severity vulnerability (CVSS 7.6) affects multiple versions and could enable unauthorized data access or modification. No patch is currently available; users should contact security@mautic.org for mitigation guidance.
Apache Superset before version 6.0.0 contains a SQL injection vulnerability in the sqlExpression and where parameters that allows authenticated users with read access to extract sensitive data through error-based techniques. An attacker with valid credentials could exploit this to bypass query restrictions and access unauthorized database information. A patch is available in version 6.0.0 and later.
SQL injection in itsourcecode Document Management System 1.0 via the field1 parameter in /edtlbls.php enables unauthenticated remote attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network with minimal complexity.
Document Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
Pimcore is an Open Source Data & Experience Management Platform. [CVSS 4.9 MEDIUM]
SQL injection in PearProjectApi up to version 2.8.10 allows authenticated attackers to execute arbitrary SQL queries through the projectCode parameter in the dateTotalForProject function. Public exploit code exists for this vulnerability, enabling remote attacks with potential to read, modify, or delete database contents. The vendor has not released a patch despite early notification.
E-Logbook With Health Monitoring System For Covid-19 versions up to 1.0 contains a security vulnerability (CVSS 7.3).
SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/index.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to access, modify, or delete sensitive data with confidentiality, integrity, and availability impact.
SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.
Authenticated SQL injection in Zohocorp ManageEngine ADSelfService Plus version 6522 and earlier allows logged-in attackers to execute arbitrary SQL queries through the search report functionality, potentially leading to unauthorized data access and modification. With no patch currently available, organizations running affected versions face significant risk of data exfiltration and system compromise by authenticated users.
SQL injection in Order Up Online Ordering System 1.0 via /api/integrations/getintegrations endpoint allows unauthenticated database compromise.
SQL injection in Jinher OA C6 through version 20260210 allows authenticated remote attackers to execute arbitrary SQL queries via the id and offsnum parameters in the OfficeSupplyTypeRight.aspx endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable data exfiltration, modification, or deletion depending on database permissions.
Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. [CVSS 8.2 HIGH]
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. [CVSS 7.5 HIGH]
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' GET parameter. [CVSS 7.5 HIGH]
Multiple SQL injections in Web Ofisi Emlak V2. PoC available.
SQL injection in Web Ofisi Firma Rehberi v1. PoC available.
Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. [CVSS 7.5 HIGH]
SQL injection in Web Ofisi Emlak v2. PoC available.
Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests to with malicious 'a' parameter values to extract sensitive database information. [CVSS 7.5 HIGH]
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 7.5 HIGH]
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. [CVSS 7.5 HIGH]
Personnel Property Equipment System v1.0 has SQL injection in admin panel.
Simple Student Alumni System v1.0 has a third SQL injection.
Simple Student Alumni System v1.0 has SQL injection in record_search.php.
Simple Student Alumni System v1.0 has SQL injection in modal_view.php.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database extraction vector.
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. [CVSS 7.2 HIGH]
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
SQL injection in Simple Student Alumni System v1.0's modal_edit.php endpoint allows authenticated administrators to extract sensitive database information through unauthenticated network requests. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level privileges but can bypass intended access controls to read confidential data.
Simple Student Alumni System v1.0 contains a SQL injection vulnerability in the recordteacher_view.php endpoint that allows authenticated administrators to extract sensitive data from the underlying database. Public exploit code exists for this vulnerability, though a patch is currently unavailable. The attack requires high-level administrative privileges but can be executed remotely without user interaction.
A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path resulting in Blind SQL Injection.
In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.
including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions up to 7.9.0. is affected by sql injection.
SQL injection in the authentication module of CISER System SL firmware allows unauthenticated remote attackers to compromise stored configuration data by submitting crafted SQL through the login interface. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality and integrity impact, though EPSS remains low at 0.36% and no public exploit identified at time of analysis. The advisory was coordinated by INCIBE-CERT (Spain).
SQL injection in itsourcecode University Management System 1.0 via the ID parameter in /admin_single_student.php allows unauthenticated remote attackers to manipulate database queries with public exploit code currently available. The vulnerability enables attackers to read, modify, or delete sensitive academic and administrative data without authentication. No patch is currently available for this PHP-based application.
SQL injection in itsourcecode University Management System 1.0 via the ID parameter in /admin_single_student_update.php allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive student records. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected institutions at immediate risk.
Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
SQL injection in Online Art Gallery Shop 1.0 via the fname parameter in /admin/registration.php enables unauthenticated remote attackers to manipulate database queries. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected PHP installations at immediate risk of data compromise or unauthorized access.
Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress databases through the wpfob parameter via blind boolean-based attacks. The vulnerability exploits inadequate sanitization of ORDER BY clause identifiers, enabling credential theft without authentication. No patch is currently available for affected installations.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
SQL injection in openDCIM 23.04 (up to commit 4467e9c4) lets attackers execute arbitrary SQL through the Config::UpdateParameter routine, which the install.php and container-install.php handlers reach with unsanitized, string-interpolated input. Publicly available exploit code exists (Chocapikk PoC and write-up) demonstrating a chain from SQLi to remote code execution, though it is not listed in CISA KEV and EPSS rates real-world exploitation probability at only 0.04%. Note a data conflict: the CVSS 4.0 vector encodes PR:N (unauthenticated) while the description states an authenticated user is required.
SQL injection in Group Office email template selection endpoint allows authenticated attackers to extract sensitive data from the database through the unvalidated comparator parameter in advancedQueryData. An attacker with valid credentials can perform blind boolean-based attacks to exfiltrate password hashes from the core_auth_password table. Affected versions prior to 26.0.8, 25.0.87, and 6.8.153 require immediate patching.
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. [CVSS 8.2 HIGH]
Blind SQL injection in Centreon Web's Service Dependencies module allows authenticated attackers to extract sensitive database information through unsanitized array keys in deletion requests. This vulnerability affects Centreon Web versions before 25.10.8, 24.10.20, and 24.04.24 on Linux systems, requiring valid credentials but no user interaction to exploit. No patch is currently available, leaving affected deployments vulnerable to database reconnaissance and potential data exfiltration.
Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges.
SQL injection in Signum Technology application allows unauthenticated attackers to execute arbitrary SQL queries.
SQL injection in the MailArchiver WordPress plugin through version 4.5.0 allows authenticated administrators to extract sensitive database information by injecting malicious SQL commands via the 'logid' parameter due to improper input escaping. The vulnerability requires high-level privileges and administrator credentials to exploit, limiting its risk to insider threats or compromised administrative accounts. No patch is currently available for this medium-severity issue.
SQL injection in Dayneks Software allows unauthenticated attackers to manipulate database queries and extract or modify data.
SQL injection in jizhiCMS up to version 2.5.6 via the findAll function in the Model.php batch interface allows authenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The flaw requires valid user credentials but can be exploited over the network with minimal additional complexity.
SQL injection in Youlai Mall 2.0.0's product pagination endpoint allows authenticated remote attackers to manipulate the sortField parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. Attackers with valid credentials can exploit this flaw to read or modify sensitive data within the database.
SQL injection in Phishing Club's GetOrphaned recipient endpoint allows authenticated attackers to manipulate ORDER BY clauses by injecting malicious SQL expressions through an unvalidated sortBy parameter. Public exploit code exists for this vulnerability, affecting versions prior to 1.30.2, where attackers can extract sensitive data despite the lack of direct integrity or availability impact. The vulnerability has been patched in v1.30.2 through implementation of column allowlist validation.
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /settings/index.php allows unauthenticated remote attackers to manipulate database queries and potentially read or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running affected versions should implement access controls or upgrade immediately to mitigate the risk.
SQL injection in Discourse's private message tag filtering allows authenticated users to bypass tag restrictions and read unauthorized private message metadata. Affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 expose sensitive conversation information to users who should not have access. No patch workaround exists for unpatched installations.
SQL injection in SPIP prior to 4.4.10 enables authenticated users with low privileges to execute arbitrary SQL commands and achieve remote code execution through union-based injection combined with PHP tag processing. The vulnerability affects SPIP and PHP environments, requiring only network access and valid credentials to exploit. No patch is currently available, presenting significant risk to production SPIP installations.
Remote control vulnerability in Unitree Go2 robot dog firmware 1.1.7-1.1.11. The companion Android app allows remote attackers to take control of the robot. PoC available.
SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed.
The WP SMS plugin for WordPress through version 6.9.12 contains an SQL injection vulnerability that allows high-privileged authenticated users to manipulate database queries and extract sensitive information. An attacker with administrative credentials could exploit this to read arbitrary data from the WordPress database, potentially compromising user information and site configuration. No patch is currently available for this vulnerability.
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the order_key parameter and inject arbitrary SQL commands through improper identifier handling in ORDER BY clauses. An attacker with valid credentials can exploit this vulnerability to perform blind SQL injection attacks, potentially extracting sensitive database information or causing denial of service through resource exhaustion. No patch is currently available for this high-severity vulnerability affecting MySQL implementations.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
SQL injection in z-9527 admin 1.0/2.0 user controller functions (checkName, register, login, getUser, getUsers) allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The impact includes potential unauthorized data access, modification, and service disruption with no available patch.
SQL injection in OpenEMR versions before 8.0.0 allows authenticated users to execute arbitrary database queries through the prescription listing feature due to improper input validation. An attacker with valid credentials could exploit this to read, modify, or delete sensitive medical records and patient data. Public exploit code exists for this vulnerability; administrators should upgrade to version 8.0.0 immediately.
SQL injection in OpenEMR electronic health records before fix. Authenticated users can execute arbitrary SQL through the medical records system. PoC and patch available.
SQL injection in OpenEMR's Immunization module prior to version 8.0.0 enables authenticated users to execute arbitrary database queries through unparameterized patient_id inputs. This allows attackers to exfiltrate protected health information, steal credentials, and potentially achieve remote code execution with complete database compromise. Public exploit code exists for this vulnerability; organizations should upgrade to version 8.0.0 immediately.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
JWT authentication bypass in OpenSIPS 3.1 through 3.6.3 lets remote attackers impersonate arbitrary identities by exploiting a SQL injection in the auth_jwt module's jwt_db_authorize() function. The flaw affects only deployments where the module runs with db_mode enabled against a SQL database backend; the tag claim is read from the JWT and placed into a SQL query before the token signature is verified, so no valid signing key is needed. EPSS is low (0.07%, 20th percentile) and there is no public exploit identified at time of analysis, but the auth-bypass impact makes it a meaningful risk for exposed VoIP infrastructure.
SQL injection via TLS-SRP handshake. Attacker can inject SQL through the SRP username field during TLS handshake, compromising any application using TLS-SRP authentication.
Denial of Service in Red Hat Developer Hub's Orchestrator Plugin allows authenticated users to crash the entire Backstage application through malformed GraphQL queries due to insufficient input validation. An attacker can leverage this to temporarily disable platform access for all legitimate users. No patch is currently available to address this vulnerability.
Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.
SQL injection in the News Portal Project 1.0 /admin/contactus.php endpoint allows unauthenticated remote attackers to manipulate the pagetitle parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable data theft, modification, or denial of service against affected installations.
SQL injection in itsourcecode Document Management System 1.0 via the Username parameter in /register.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems face potential data theft, modification, and denial of service through successful exploitation.
SQL injection in itsourcecode College Management System 1.0 via the teacher_id parameter in /admin/teacher-salary.php enables unauthenticated remote attackers to execute arbitrary database queries and manipulate sensitive payroll data. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects confidentiality, integrity, and availability of the system.
SQL injection in itsourcecode College Management System 1.0's login functionality allows remote attackers to manipulate the email parameter and execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, enabling immediate attack capability against unpatched systems. The flaw permits data disclosure, modification, and potential service disruption with a CVSS score of 7.3.
SQL injection in itsourcecode College Management System 1.0's teacher management interface allows authenticated attackers to manipulate the teacher_id parameter in /admin/display-teacher.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling remote exploitation by users with administrative access. The vulnerability remains unpatched and carries medium severity with potential for data confidentiality, integrity, and availability compromise.
College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).
Simple And Nice Shopping Cart Script versions up to 1.0 contains a security vulnerability (CVSS 7.3).
SQL injection in the SPIP interface_traduction_objets plugin before version 2.2.2 allows authenticated editors to execute arbitrary database queries through unsanitized input in translation request parameters. Attackers can exploit this to read, modify, or delete database contents, or cause denial of service. A patch is available and should be applied immediately to affected installations.
Unauthenticated SQL injection in SPIP referer_spam plugin before 1.3.0 via the referrer tracking functionality. PoC and patch available.
SQL injection in itsourcecode News Portal Project 1.0 via the Category parameter in /admin/add-category.php allows unauthenticated remote attackers to manipulate database queries. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected installations vulnerable to data exfiltration, modification, or deletion. The attack requires no user interaction and can be executed over the network with a CVSS score of 7.3.
SQL injection in itsourcecode News Portal Project 1.0's category editing functionality allows unauthenticated remote attackers to manipulate the Category parameter and execute arbitrary SQL queries. Public exploit code is available for this vulnerability, increasing the likelihood of active exploitation. Currently, no patch is available to remediate this issue.
SQL injection in itsourcecode Document Management System 1.0 login functionality allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling attackers to potentially read, modify, or delete sensitive data within the application.
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL injection enabling full database compromise.
Mautic's Contact Activity API endpoint is vulnerable to SQL injection due to insufficient validation of the sort direction parameter, allowing authenticated attackers to execute arbitrary SQL queries. This high-severity vulnerability (CVSS 7.6) affects multiple versions and could enable unauthorized data access or modification. No patch is currently available; users should contact security@mautic.org for mitigation guidance.
Apache Superset before version 6.0.0 contains a SQL injection vulnerability in the sqlExpression and where parameters that allows authenticated users with read access to extract sensitive data through error-based techniques. An attacker with valid credentials could exploit this to bypass query restrictions and access unauthorized database information. A patch is available in version 6.0.0 and later.
SQL injection in itsourcecode Document Management System 1.0 via the field1 parameter in /edtlbls.php enables unauthenticated remote attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network with minimal complexity.
Document Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
Pimcore is an Open Source Data & Experience Management Platform. [CVSS 4.9 MEDIUM]
SQL injection in PearProjectApi up to version 2.8.10 allows authenticated attackers to execute arbitrary SQL queries through the projectCode parameter in the dateTotalForProject function. Public exploit code exists for this vulnerability, enabling remote attacks with potential to read, modify, or delete database contents. The vendor has not released a patch despite early notification.
E-Logbook With Health Monitoring System For Covid-19 versions up to 1.0 contains a security vulnerability (CVSS 7.3).
SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/index.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to access, modify, or delete sensitive data with confidentiality, integrity, and availability impact.
SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.
Authenticated SQL injection in Zohocorp ManageEngine ADSelfService Plus version 6522 and earlier allows logged-in attackers to execute arbitrary SQL queries through the search report functionality, potentially leading to unauthorized data access and modification. With no patch currently available, organizations running affected versions face significant risk of data exfiltration and system compromise by authenticated users.
SQL injection in Order Up Online Ordering System 1.0 via /api/integrations/getintegrations endpoint allows unauthenticated database compromise.
SQL injection in Jinher OA C6 through version 20260210 allows authenticated remote attackers to execute arbitrary SQL queries via the id and offsnum parameters in the OfficeSupplyTypeRight.aspx endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable data exfiltration, modification, or deletion depending on database permissions.
Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. [CVSS 8.2 HIGH]
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. [CVSS 7.5 HIGH]
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' GET parameter. [CVSS 7.5 HIGH]
Multiple SQL injections in Web Ofisi Emlak V2. PoC available.
SQL injection in Web Ofisi Firma Rehberi v1. PoC available.
Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. [CVSS 7.5 HIGH]
SQL injection in Web Ofisi Emlak v2. PoC available.
Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests to with malicious 'a' parameter values to extract sensitive database information. [CVSS 7.5 HIGH]
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 7.5 HIGH]
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. [CVSS 7.5 HIGH]