Skip to main content

SQLi

15171 CVEs technique

Monthly

CVE-2019-25446 HIGH POC This Week

DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25443 HIGH POC This Week

Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25442 HIGH POC This Week

Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information. [CVSS 7.5 HIGH]

SQLi Web Wiz Forums
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2019-25440 HIGH POC This Week

WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25439 HIGH POC This Week

NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. [CVSS 8.2 HIGH]

SQLi Denial Of Service
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25433 HIGH POC This Week

XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25391 HIGH POC This Week

Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2019-25366 HIGH POC This Week

microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-2912 MEDIUM POC This Month

SQL injection in Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the student results view functionality, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2867 MEDIUM This Month

Vehicle Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2865 MEDIUM POC This Month

SQL injection in the Agri Trading Online Shopping System 1.0 admin panel allows unauthenticated remote attackers to manipulate product parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects the HTTP POST request handler in admin/productcontroller.php and enables data exfiltration, modification, and potential denial of service.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-27470 HIGH POC This Week

SQL injection in ZoneMinder's status.php getNearEvents() function allows authenticated users with event management permissions to execute arbitrary database queries through improperly sanitized Event Name and Cause fields in versions 1.36.37 and below or 1.37.61 through 1.38.0. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could extract sensitive data, modify database contents, or potentially achieve code execution depending on database permissions and configuration.

PHP SQLi Zoneminder
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2019-25438 HIGH POC This Week

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. [CVSS 7.5 HIGH]

PHP SQLi Labcollector
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2019-25431 HIGH POC This Week

delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25444 CRITICAL POC Act Now

SQL injection in Fiverr Clone Script 1.2.2. PoC available.

SQLi Fiverr Clone Script
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2848 MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 allows unauthenticated remote attackers to manipulate the Username parameter during registration, potentially enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-26745 MEDIUM POC This Month

OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation of the currency_symbol configuration parameter into dynamic database queries. An attacker with administrative privileges can exploit this second-order SQL injection to access or manipulate sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi Open Source Point Of Sale
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24959 HIGH This Week

Blind SQL injection in JoomSky JS Help Desk through version 3.0.1 enables authenticated attackers to execute arbitrary SQL queries with network access and no user interaction required. The vulnerability affects database confidentiality and system availability, though integrity is not compromised. No patch is currently available for this high-severity flaw.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-24956 CRITICAL Act Now

Blind SQL injection in Download Manager Addons for Elementor (download-manager-addons-for-elementor) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69366 CRITICAL Act Now

Blind SQL injection in Emerce Core (emerce-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69365 CRITICAL Act Now

Blind SQL injection in Uroan Core (uroan-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69337 CRITICAL Act Now

Blind SQL injection in Wolmart Core (wolmart-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69310 CRITICAL Act Now

Blind SQL injection in Woodly Core (woodly-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69309 CRITICAL Act Now

Blind SQL injection in Saasplate Core (saasplate-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69308 CRITICAL Act Now

Blind SQL injection in Nestbyte Core (nestbyte-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69307 CRITICAL Act Now

Blind SQL injection in Medinik Core (medinik-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69306 CRITICAL Act Now

Blind SQL injection in Electio Core (electio-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69305 CRITICAL Act Now

Blind SQL injection in Crete Core (crete-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69304 CRITICAL Act Now

Blind SQL injection in Allmart (allmart-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69295 CRITICAL Act Now

Blind SQL injection in Coven Core (coven-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-67987 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection.This issue affects Quiz And Survey Master: from n/a through <= 10.3.1. [CVSS 8.5 HIGH]

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-10970 CRITICAL Act Now

SQL injection in Kolay Software Talentics.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2822 LOW POC Monitor

SQL injection in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the keyword parameter in the dictionary loading endpoint, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed over the network with low complexity.

SQLi Jeecg Boot
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2821 MEDIUM POC This Month

A weakness has been identified in Fujian Smart Integrated Management Platform System versions up to 7.5. contains a security vulnerability (CVSS 7.3).

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2820 MEDIUM POC This Month

SQL injection in Fujitsu Smart Integrated Management Platform System version 7.5 and earlier allows unauthenticated remote attackers to execute arbitrary SQL queries via the DeviceIDS parameter in the XAccessPermissionPlus.ashx endpoint. Public exploit code exists for this vulnerability, enabling potential database compromise and unauthorized data access. No patch is currently available.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-26990 PHP HIGH POC PATCH This Week

SQL injection in LibreNMS versions 25.12.0 and below allows authenticated users to extract sensitive database information through time-based blind SQL injection in the address-search function. An attacker with valid credentials can manipulate the subnet prefix parameter to bypass query logic and infer data through conditional timing responses. Public exploit code exists for this vulnerability; upgrade to version 26.2.0 or later to remediate.

PHP MySQL SNMP SQLi Librenms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26988 PHP CRITICAL POC PATCH Act Now

SQL injection in LibreNMS 25.12.0 and below. PoC and patch available.

PHP MySQL SNMP SQLi Librenms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-26980 npm CRITICAL POC PATCH GHSA Act Now

SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.

Node.js SQLi
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-2435 MEDIUM This Month

Tanium addressed a SQL injection vulnerability in Asset. [CVSS 6.3 MEDIUM]

SQLi Asset
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2409 This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1.

SQLi
NVD
EPSS
0.0%
CVE-2026-2232 HIGH This Week

Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1581 HIGH POC This Week

Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9953 CRITICAL Act Now

Authorization bypass via user-controlled SQL primary key in Databank Accreditation Software.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-15560 HIGH This Week

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. [CVSS 8.8 HIGH]

MSSQL SQLi Worktime
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25418 HIGH This Week

SQL injection in Bit Form through version 2.21.10 enables authenticated attackers with high privileges to execute arbitrary database queries, potentially exposing sensitive data. The vulnerability requires administrative credentials but has no available patch, leaving affected installations at risk until an update is released.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-25378 HIGH This Week

Blind SQL injection in Nelio AB Testing plugin version 8.2.4 and earlier enables authenticated attackers with high privileges to execute arbitrary SQL queries against the database. An attacker with administrative access could exploit this vulnerability to extract sensitive data or manipulate database contents, though availability impact is limited. No patch is currently available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-23805 HIGH This Week

SQL injection in Yoren Chang Media Search Enhanced through version 0.9.1 enables unauthenticated remote attackers to execute arbitrary SQL queries and extract sensitive data from the underlying database. With high privileges required for exploitation, an authenticated attacker with administrative access can manipulate SQL commands to compromise data confidentiality while causing minor service disruption. No patch is currently available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2706 LOW POC Monitor

SQL injection in Patient Record Management System 1.0 via the comp_id parameter in /fecalysis_not.php enables authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2691 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/manage_register.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for unpatched deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2690 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's admin login endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or compromise system integrity. No patch is currently available for affected PHP installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2689 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's booking management interface allows unauthenticated remote attackers to manipulate database queries via the ID parameter in /admin/manage_booking.php. Public exploit code exists for this vulnerability, enabling potential unauthorized data access and modification. No patch is currently available to address this high-severity flaw affecting PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0722 MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-12707 HIGH This Week

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15585 This Week

Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the underlying database and could result in privilege escalation or data exfiltration.

MySQL SQLi Privilege Escalation
NVD
EPSS
0.0%
CVE-2026-2682 LOW POC Monitor

SQL injection in Tsinghua Unigroup Electronic Archives System versions up to 3.2.210802 allows authenticated remote attackers to manipulate the comid parameter via the /mine/PublicReport/prinReport.html endpoint, potentially leading to unauthorized data access or modification. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification.

SQLi Electronic Archives System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12812 This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service.

SQLi
NVD
EPSS
0.0%
CVE-2026-27179 HIGH POC This Week

Unauthenticated SQL injection in MajorDoMo's commands module allows remote attackers to extract database contents including unsalted MD5 password hashes without authentication, enabling credential compromise and admin panel access. The vulnerability stems from unsanitized $_GET parameters in SQL queries accessible via the /objects/?module=commands endpoint, and public exploit code is available. Affected versions lack a patch and impact both MajorDoMo and PHP installations running this software.

PHP SQLi Majordomo
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25359 HIGH POC This Week

SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. [CVSS 8.2 HIGH]

.NET SQLi Information Disclosure
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-2663 LOW Monitor

SQL injection in Alixhan xh-admin-backend versions up to 1.7.0 allows authenticated attackers to manipulate the prop parameter in the /frontend-api/system-service/api/system/role/query endpoint and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. Affected organizations running vulnerable versions should immediately restrict access to this endpoint or upgrade if available.

SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-70152 CRITICAL POC Act Now

SQL injection in code-projects Community Project Scholars Tracking System 1.0 admin user management. Allows database compromise via admin panel. PoC available.

PHP SQLi Scholars Tracking System
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-70149 CRITICAL POC Act Now

SQL injection in CodeAstro Membership Management System 1.0 via ID parameter in print_membership_card.php enables unauthenticated database access. PoC available.

PHP SQLi Membership Management System
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-59920 This Week

When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection.

SQLi
NVD
EPSS
0.0%
CVE-2026-1317 MEDIUM This Month

SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.

WordPress PHP SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-8781 MEDIUM This Month

The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-2495 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WPNakama WordPress plugin (versions up to 0.6.5) through the 'order' parameter in the REST API /wp-json/WPNakama/v1/boards endpoint due to insufficient input escaping. This allows unauthorized extraction of sensitive database information from any WordPress installation running the vulnerable plugin. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1639 MEDIUM This Month

SQL injection in the Taskbuilder WordPress plugin through unescaped 'order' and 'sort_by' parameters allows authenticated users with subscriber-level privileges to extract sensitive database information via time-based blind SQL injection attacks. The vulnerability affects all versions up to 5.0.2 and has no available patch. Attackers can craft malicious queries to systematically retrieve confidential data from the WordPress database.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2576 HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the Business Directory Plugin for WordPress (versions up to 6.4.2) through an unescaped 'payment' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append arbitrary SQL commands to existing queries without authentication. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2621 MEDIUM This Month

SQL injection in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0 via the PGUID parameter in AsyncTreeProxy.aspx allows unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability and no patch is currently available from the vendor.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2620 MEDIUM This Month

SQL injection in Huace Monitoring and Early Warning System 2.2 via the ID parameter in /Web/SysManage/ProjectRole.aspx allows unauthenticated remote attackers to manipulate database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker can exploit this to read, modify, or delete sensitive data from the affected system.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-67102 HIGH This Week

A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. [CVSS 7.6 HIGH]

SQLi Jorani
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2024-55270 HIGH POC This Week

phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]

PHP SQLi Student Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-70397 HIGH POC This Week

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. [CVSS 7.2 HIGH]

SQLi Jizhicms
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2247 This Week

SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application.

SQLi
NVD
EPSS
0.1%
CVE-2025-7631 HIGH This Week

Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-2553 LOW Monitor

SQL injection in the Hotel-Management-System /home.php POST handler allows authenticated remote attackers to manipulate Name/Email parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based deployments with no available patch. An attacker with login credentials can leverage this flaw to read or modify sensitive database records.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1258 MEDIUM This Month

SQL injection in Mail Mint plugin for WordPress (versions up to 1.19.2) allows authenticated administrators to execute arbitrary SQL queries through improperly sanitized parameters in multiple API endpoints. An attacker with admin-level access could exploit insufficient input escaping on 'order-by', 'order-type', and 'selectedCourses' parameters to extract sensitive data from the WordPress database. No patch is currently available for this vulnerability.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-2024 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the PhotoStack Gallery plugin for WordPress (versions up to 0.4.1) through the unescaped 'postid' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and unprepared SQL queries, allowing attackers to inject arbitrary SQL commands without authentication. With no patch currently available, all WordPress installations using this plugin are at risk of data exposure.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69633 CRITICAL Act Now

SQL injection in Advanced Popup Creator PrestaShop module 1.1.26-1.2.6. Fixed in 1.2.7.

PHP SQLi
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2019-25325 HIGH POC This Week

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2019-25347 HIGH POC This Week

thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts. [CVSS 7.5 HIGH]

SQLi Authentication Bypass Password Management Application
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2019-25346 HIGH POC This Week

TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information. [CVSS 7.5 HIGH]

SQLi Authentication Bypass Password Management Application
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-22821 MEDIUM PATCH This Month

The More Reporting GLPI plugin versions prior to 1.9.4 contain a SQL injection vulnerability in date change functionality that allows authenticated users with high privileges to execute arbitrary SQL queries and extract sensitive data. An attacker with administrative credentials could exploit this network-accessible vulnerability to read confidential information from the database. A patch is available in version 1.9.4 and later.

SQLi More Reporting
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-70981 CRITICAL POC Act Now

SQL injection in CordysCRM 1.4.1 employee list query via departmentIds parameter. PoC available.

SQLi Cordys Crm
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-10969 CRITICAL Act Now

SQL injection in Farktor E-Commerce platform allows full database access.

SQLi E Commerce Package
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2250 HIGH This Week

METIS WIC devices expose an unauthenticated /dbviewer/ endpoint that permits remote attackers to directly access and export internal SQLite databases containing sensitive operational telemetry. The affected Golang and Django applications run with debug mode enabled, causing error responses to leak backend source code, local file paths, and system configuration details. No patch is currently available.

Golang Django SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13431 MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25993 CRITICAL PATCH Act Now

SQL injection in EverShop e-commerce platform during category update/deletion event handling. Path/request_path values injected unsanitized into SQL. Patch available.

SQLi Evershop
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25947 HIGH POC PATCH This Week

Worklenz is a project management tool. [CVSS 8.8 HIGH]

SQLi Worklenz
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1602 MEDIUM This Month

Authenticated attackers can exploit SQL injection in Ivanti Endpoint Manager prior to version 2024 SU5 to extract sensitive data from the underlying database. This network-accessible vulnerability requires valid credentials but allows unauthorized information disclosure with no user interaction needed. No patch is currently available for affected systems.

Ivanti SQLi Endpoint Manager
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-7636 HIGH This Week

Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS is affected by sql injection (CVSS 8.8).

SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH POC This Week

DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information. [CVSS 7.5 HIGH]

SQLi Web Wiz Forums
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. [CVSS 8.2 HIGH]

SQLi Denial Of Service
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the student results view functionality, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Vehicle Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Agri Trading Online Shopping System 1.0 admin panel allows unauthenticated remote attackers to manipulate product parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects the HTTP POST request handler in admin/productcontroller.php and enables data exfiltration, modification, and potential denial of service.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in ZoneMinder's status.php getNearEvents() function allows authenticated users with event management permissions to execute arbitrary database queries through improperly sanitized Event Name and Cause fields in versions 1.36.37 and below or 1.37.61 through 1.38.0. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could extract sensitive data, modify database contents, or potentially achieve code execution depending on database permissions and configuration.

PHP SQLi Zoneminder
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. [CVSS 7.5 HIGH]

PHP SQLi Labcollector
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

SQL injection in Fiverr Clone Script 1.2.2. PoC available.

SQLi Fiverr Clone Script
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 allows unauthenticated remote attackers to manipulate the Username parameter during registration, potentially enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation of the currency_symbol configuration parameter into dynamic database queries. An attacker with administrative privileges can exploit this second-order SQL injection to access or manipulate sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi Open Source Point Of Sale
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in JoomSky JS Help Desk through version 3.0.1 enables authenticated attackers to execute arbitrary SQL queries with network access and no user interaction required. The vulnerability affects database confidentiality and system availability, though integrity is not compromised. No patch is currently available for this high-severity flaw.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Download Manager Addons for Elementor (download-manager-addons-for-elementor) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Emerce Core (emerce-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Uroan Core (uroan-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Wolmart Core (wolmart-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Woodly Core (woodly-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Saasplate Core (saasplate-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Nestbyte Core (nestbyte-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Medinik Core (medinik-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Electio Core (electio-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Crete Core (crete-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Allmart (allmart-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Coven Core (coven-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection.This issue affects Quiz And Survey Master: from n/a through <= 10.3.1. [CVSS 8.5 HIGH]

SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Kolay Software Talentics.

SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the keyword parameter in the dictionary loading endpoint, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed over the network with low complexity.

SQLi Jeecg Boot
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in Fujian Smart Integrated Management Platform System versions up to 7.5. contains a security vulnerability (CVSS 7.3).

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Fujitsu Smart Integrated Management Platform System version 7.5 and earlier allows unauthenticated remote attackers to execute arbitrary SQL queries via the DeviceIDS parameter in the XAccessPermissionPlus.ashx endpoint. Public exploit code exists for this vulnerability, enabling potential database compromise and unauthorized data access. No patch is currently available.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in LibreNMS versions 25.12.0 and below allows authenticated users to extract sensitive database information through time-based blind SQL injection in the address-search function. An attacker with valid credentials can manipulate the subnet prefix parameter to bypass query logic and infer data through conditional timing responses. Public exploit code exists for this vulnerability; upgrade to version 26.2.0 or later to remediate.

PHP MySQL SNMP +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

SQL injection in LibreNMS 25.12.0 and below. PoC and patch available.

PHP MySQL SNMP +2
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.

Node.js SQLi
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Tanium addressed a SQL injection vulnerability in Asset. [CVSS 6.3 MEDIUM]

SQLi Asset
NVD
EPSS 0%
This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1.

SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authorization bypass via user-controlled SQL primary key in Databank Accreditation Software.

SQLi
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. [CVSS 8.8 HIGH]

MSSQL SQLi Worktime
NVD
EPSS 0% CVSS 7.6
HIGH This Week

SQL injection in Bit Form through version 2.21.10 enables authenticated attackers with high privileges to execute arbitrary database queries, potentially exposing sensitive data. The vulnerability requires administrative credentials but has no available patch, leaving affected installations at risk until an update is released.

SQLi
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in Nelio AB Testing plugin version 8.2.4 and earlier enables authenticated attackers with high privileges to execute arbitrary SQL queries against the database. An attacker with administrative access could exploit this vulnerability to extract sensitive data or manipulate database contents, though availability impact is limited. No patch is currently available.

SQLi
NVD
EPSS 0% CVSS 7.6
HIGH This Week

SQL injection in Yoren Chang Media Search Enhanced through version 0.9.1 enables unauthenticated remote attackers to execute arbitrary SQL queries and extract sensitive data from the underlying database. With high privileges required for exploitation, an authenticated attacker with administrative access can manipulate SQL commands to compromise data confidentiality while causing minor service disruption. No patch is currently available.

SQLi
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Patient Record Management System 1.0 via the comp_id parameter in /fecalysis_not.php enables authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/manage_register.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for unpatched deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's admin login endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or compromise system integrity. No patch is currently available for affected PHP installations.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's booking management interface allows unauthenticated remote attackers to manipulate database queries via the ID parameter in /admin/manage_booking.php. Public exploit code exists for this vulnerability, enabling potential unauthorized data access and modification. No patch is currently available to address this high-severity flaw affecting PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
EPSS 0%
This Week

Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the underlying database and could result in privilege escalation or data exfiltration.

MySQL SQLi Privilege Escalation
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Tsinghua Unigroup Electronic Archives System versions up to 3.2.210802 allows authenticated remote attackers to manipulate the comid parameter via the /mine/PublicReport/prinReport.html endpoint, potentially leading to unauthorized data access or modification. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification.

SQLi Electronic Archives System
NVD GitHub VulDB
EPSS 0%
This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service.

SQLi
NVD
EPSS 0% CVSS 8.2
HIGH POC This Week

Unauthenticated SQL injection in MajorDoMo's commands module allows remote attackers to extract database contents including unsalted MD5 password hashes without authentication, enabling credential compromise and admin panel access. The vulnerability stems from unsanitized $_GET parameters in SQL queries accessible via the /objects/?module=commands endpoint, and public exploit code is available. Affected versions lack a patch and impact both MajorDoMo and PHP installations running this software.

PHP SQLi Majordomo
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. [CVSS 8.2 HIGH]

.NET SQLi Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in Alixhan xh-admin-backend versions up to 1.7.0 allows authenticated attackers to manipulate the prop parameter in the /frontend-api/system-service/api/system/role/query endpoint and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. Affected organizations running vulnerable versions should immediately restrict access to this endpoint or upgrade if available.

SQLi
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in code-projects Community Project Scholars Tracking System 1.0 admin user management. Allows database compromise via admin panel. PoC available.

PHP SQLi Scholars Tracking System
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in CodeAstro Membership Management System 1.0 via ID parameter in print_membership_card.php enables unauthenticated database access. PoC available.

PHP SQLi Membership Management System
NVD
EPSS 0%
This Week

When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection.

SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.

WordPress PHP SQLi
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WPNakama WordPress plugin (versions up to 0.6.5) through the 'order' parameter in the REST API /wp-json/WPNakama/v1/boards endpoint due to insufficient input escaping. This allows unauthorized extraction of sensitive database information from any WordPress installation running the vulnerable plugin. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Taskbuilder WordPress plugin through unescaped 'order' and 'sort_by' parameters allows authenticated users with subscriber-level privileges to extract sensitive database information via time-based blind SQL injection attacks. The vulnerability affects all versions up to 5.0.2 and has no available patch. Attackers can craft malicious queries to systematically retrieve confidential data from the WordPress database.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the Business Directory Plugin for WordPress (versions up to 6.4.2) through an unescaped 'payment' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append arbitrary SQL commands to existing queries without authentication. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0 via the PGUID parameter in AsyncTreeProxy.aspx allows unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability and no patch is currently available from the vendor.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Huace Monitoring and Early Warning System 2.2 via the ID parameter in /Web/SysManage/ProjectRole.aspx allows unauthenticated remote attackers to manipulate database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker can exploit this to read, modify, or delete sensitive data from the affected system.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. [CVSS 7.6 HIGH]

SQLi Jorani
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]

PHP SQLi Student Management System
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. [CVSS 7.2 HIGH]

SQLi Jizhicms
NVD
EPSS 0%
This Week

SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application.

SQLi
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in the Hotel-Management-System /home.php POST handler allows authenticated remote attackers to manipulate Name/Email parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based deployments with no available patch. An attacker with login credentials can leverage this flaw to read or modify sensitive database records.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Mail Mint plugin for WordPress (versions up to 1.19.2) allows authenticated administrators to execute arbitrary SQL queries through improperly sanitized parameters in multiple API endpoints. An attacker with admin-level access could exploit insufficient input escaping on 'order-by', 'order-type', and 'selectedCourses' parameters to extract sensitive data from the WordPress database. No patch is currently available for this vulnerability.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the PhotoStack Gallery plugin for WordPress (versions up to 0.4.1) through the unescaped 'postid' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and unprepared SQL queries, allowing attackers to inject arbitrary SQL commands without authentication. With no patch currently available, all WordPress installations using this plugin are at risk of data exposure.

WordPress SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Advanced Popup Creator PrestaShop module 1.1.26-1.2.6. Fixed in 1.2.7.

PHP SQLi
NVD
EPSS 0% CVSS 8.2
HIGH POC This Week

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts. [CVSS 7.5 HIGH]

SQLi Authentication Bypass Password Management Application
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information. [CVSS 7.5 HIGH]

SQLi Authentication Bypass Password Management Application
NVD GitHub Exploit-DB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

The More Reporting GLPI plugin versions prior to 1.9.4 contain a SQL injection vulnerability in date change functionality that allows authenticated users with high privileges to execute arbitrary SQL queries and extract sensitive data. An attacker with administrative credentials could exploit this network-accessible vulnerability to read confidential information from the database. A patch is available in version 1.9.4 and later.

SQLi More Reporting
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in CordysCRM 1.4.1 employee list query via departmentIds parameter. PoC available.

SQLi Cordys Crm
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Farktor E-Commerce platform allows full database access.

SQLi E Commerce Package
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

METIS WIC devices expose an unauthenticated /dbviewer/ endpoint that permits remote attackers to directly access and export internal SQLite databases containing sensitive operational telemetry. The affected Golang and Django applications run with debug mode enabled, causing error responses to leak backend source code, local file paths, and system configuration details. No patch is currently available.

Golang Django SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in EverShop e-commerce platform during category update/deletion event handling. Path/request_path values injected unsanitized into SQL. Patch available.

SQLi Evershop
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Worklenz is a project management tool. [CVSS 8.8 HIGH]

SQLi Worklenz
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Authenticated attackers can exploit SQL injection in Ivanti Endpoint Manager prior to version 2024 SU5 to extract sensitive data from the underlying database. This network-accessible vulnerability requires valid credentials but allows unauthorized information disclosure with no user interaction needed. No patch is currently available for affected systems.

Ivanti SQLi Endpoint Manager
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS is affected by sql injection (CVSS 8.8).

SQLi
NVD VulDB
Prev Page 23 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy