Skip to main content

SQLi

15171 CVEs technique

Monthly

CVE-2025-10878 CRITICAL POC Act Now

AdminPando 1.0.1 by Fikir Odalari has a CVSS 10.0 SQL injection in the login functionality allowing complete authentication bypass and database takeover.

SQLi Authentication Bypass Fikir Odalari Adminpando
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-25241 CRITICAL Act Now

PEAR PHP framework has a seventh SQL injection with higher EPSS (0.12%), indicating more active scanning for this particular injection vector.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25240 CRITICAL Act Now

PEAR PHP framework has another SQL injection vulnerability prior to version 1.33.0, the sixth in a series of critical security flaws in the PHP component distribution system.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25239 HIGH This Week

SQL injection in PEAR's apidoc queue insertion allows unauthenticated remote attackers to manipulate database queries by controlling filename values, enabling unauthorized data modification. PEAR versions before 1.33.0 are affected, and no patch is currently available for affected deployments.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25238 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a fifth SQL injection vulnerability, part of a comprehensive security audit that found multiple injection points across the framework.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25236 CRITICAL Act Now

PEAR PHP framework has a second SQL injection vulnerability in a different code path, providing an alternate database compromise vector.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25234 CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a SQL injection vulnerability allowing attackers to extract data from the component distribution database.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-70311 MEDIUM This Month

JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. [CVSS 6.5 MEDIUM]

SQLi Jeewms
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69981 npm CRITICAL Act Now

FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.

SQLi Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-63624 CRITICAL POC Act Now

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the industrial monitoring database.

IoT Industrial SQLi Iot Smart Water Meter Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-57529 CRITICAL POC Act Now

YouDataSum CPAS Audit Management System v4.9 has a SQL injection in the archive report endpoint allowing extraction of audit and compliance data.

SQLi Cpas Audit Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2020-37112 HIGH POC This Week

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 7.1 HIGH]

SQLi Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2020-37111 MEDIUM POC This Month

60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. [CVSS 6.1 MEDIUM]

PHP SQLi XSS 60cyclecms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2020-37110 HIGH POC This Week

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi XSS 60cyclecms
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37108 HIGH POC This Week

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37105 HIGH POC This Week

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25022 HIGH This Week

Blind SQL injection in KiviCare clinic management system versions 3.6.16 and earlier allows authenticated attackers to execute arbitrary SQL queries over the network with no user interaction required. An attacker with valid credentials can exploit this vulnerability to extract sensitive data from the underlying database, though code execution is not possible. No patch is currently available for this HIGH severity vulnerability affecting the Iqonic Design product.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-1312 PyPI MEDIUM PATCH This Month

SQL injection in Django's QuerySet.order_by() method allows authenticated attackers to execute arbitrary SQL commands through specially crafted column aliases containing periods when used with FilteredRelation and dictionary expansion. This vulnerability affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, with potentially older unsupported versions also impacted. Patches are available for all affected versions.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1287 PyPI MEDIUM PATCH GHSA This Month

SQL injection via FilteredRelation column aliases in Django 4.2, 5.2, and 6.0 allows authenticated attackers to execute arbitrary SQL queries through crafted dictionary arguments in QuerySet methods like annotate() and aggregate(). An attacker with database access can exploit control characters in alias names to bypass input validation and potentially extract sensitive data or modify database contents. Patches are available for all affected versions, and unsupported Django releases may also be vulnerable.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1207 PyPI MEDIUM POC PATCH GHSA This Month

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
5.5%
CVE-2025-5319 CRITICAL Act Now

Emit Informatics product has a SQL injection vulnerability allowing unauthenticated database compromise through unsanitized input parameters.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1432 This Week

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'.

SQLi
NVD
EPSS
0.0%
CVE-2025-8587 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection.This issue affects SKSPro: through 07012026. [CVSS 8.6 HIGH]

SQLi Skspro
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-1746 LOW POC Monitor

SQL injection in JeecgBoot 3.9.0's Online Report API endpoint allows authenticated remote attackers to manipulate the keyword parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with valid credentials can leverage this flaw to read, modify, or delete sensitive database information.

SQLi Jeecg Boot
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2021-47918 HIGH POC This Week

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. [CVSS 8.1 HIGH]

PHP SQLi Simple Cms Php
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-47915 HIGH POC This Week

PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. [CVSS 8.1 HIGH]

SQLi Php Melody
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-47909 HIGH This Week

Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. [CVSS 8.1 HIGH]

SQLi
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-0683 MEDIUM This Month

Unauthenticated SQL injection in the SupportCandy WordPress plugin versions up to 3.4.4 allows subscribers and above to extract sensitive database information through inadequately sanitized custom field filters. An authenticated attacker can manipulate the equals operator parameter to inject malicious SQL queries and bypass existing protections, exposing confidential data stored in the WordPress database.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2020-37057 HIGH POC This Week

Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. [CVSS 8.2 HIGH]

SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37053 HIGH POC This Week

Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. [CVSS 7.1 HIGH]

SQLi Navigate Cms
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37051 HIGH POC This Week

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

PHP SQLi Online Exam System
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37035 HIGH POC This Week

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-37033 HIGH POC This Week

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-69662 PyPI HIGH POC PATCH GHSA This Week

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

PostgreSQL SQLi pandas
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-1701 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /enrollment/index.php enables unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against affected installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-24854 HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1688 MEDIUM POC This Month

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin/index.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-4686 HIGH This Week

Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-1595 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the student_id parameter in /admin/edit_student_query.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available, increasing the risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1594 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense administration interface allows unauthenticated remote attackers to manipulate the detail parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems expose confidentiality, integrity, and availability of underlying data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1593 MEDIUM POC This Month

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1590 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/faculty/index.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1589 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the txtsearch parameter in /ramonsys/inquiry/index.php enables unauthenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7714 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. [CVSS 7.5 HIGH]

SQLi Content Management System
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37006 HIGH POC This Week

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2020-37005 HIGH POC This Week

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2020-37004 HIGH POC This Week

Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2020-36999 HIGH POC This Week

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-1552 LOW POC Monitor

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1551 LOW POC Monitor

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15344 MEDIUM This Month

Tanium addressed a SQL injection vulnerability in Asset. [CVSS 6.3 MEDIUM]

SQLi Asset
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1546 LOW POC Monitor

SQL injection in jshERP up to version 3.6 allows authenticated remote attackers to manipulate the barCodes parameter in the DepotItem import function, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available. The vendor has not responded to early notification of this issue.

SQLi Jsherp
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1545 MEDIUM POC This Month

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1535 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminReply.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary SQL queries, potentially compromising database confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1534 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminEditUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling potential data theft, modification, or service disruption. No patch is currently available, leaving affected installations vulnerable.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1533 LOW POC Monitor

SQL injection in Online Music Site 1.0's AdminAddCategory.php allows remote attackers with high privileges to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-57793 HIGH This Week

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. [CVSS 8.6 HIGH]

SQLi Blue
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-57792 CRITICAL Act Now

Explorance Blue versions before 8.14.9 have a CVSS 10.0 SQL injection vulnerability enabling unauthenticated attackers to fully compromise the survey and assessment database.

SQLi Blue
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2020-36972 HIGH POC This Week

SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. [CVSS 8.2 HIGH]

SQLi Smartblog
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-36945 HIGH POC This Week

WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-22243 PHP HIGH POC PATCH This Week

SQL injection in EGroupware's Nextmatch filter allows authenticated attackers to execute arbitrary database commands by exploiting PHP type juggling that bypasses integer validation checks. Public exploit code exists for this vulnerability affecting EGroupware versions prior to 23.1.20260113 and 26.0.20260113, and no patch is currently available. Attackers with valid credentials can manipulate WHERE clauses to extract sensitive data, modify records, or compromise database integrity.

PHP SQLi Egroupware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0702 HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the VidShop plugin for WordPress (versions up to 1.1.4) through the unescaped 'fields' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to inject malicious SQL commands without authentication. No patch is currently available for this high-severity flaw affecting WooCommerce installations.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1483 HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to extract sensitive database information through covert channels, bypassing normal application output mechanisms. This vulnerability affects the '/evaluacion_objetivos_ver_auto.aspx' endpoint and compromises data confidentiality with no patch currently available.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1482 HIGH This Week

Unauthenticated attackers can exploit an out-of-band SQL injection flaw in the Evaluacion De Desempeno application's 'Id_evaluacion' parameter to extract sensitive database information through indirect data exfiltration channels. This network-accessible vulnerability requires no user interaction and affects all instances without authentication controls, potentially exposing confidential evaluation records. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1481 HIGH This Week

Out-of-band SQL injection in the Performance Evaluation (Evaluacion De Desempeno) application allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' parameter in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx' by exfiltrating data via external channels. The vulnerability compromises data confidentiality without requiring user interaction, affecting all deployments of the affected application. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1480 HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to extract sensitive database information through external data exfiltration channels. This vulnerability affects the '/evaluacion_objetivos_anyo_sig_evalua.aspx' endpoint and compromises confidentiality without requiring user interaction. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1479 HIGH This Week

Out-of-band SQL injection in Evaluacion De Desempeno's '/evaluacion_hca_ver_auto.asp' endpoint allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' and 'Id_evaluacion' parameters. The vulnerability compromises confidentiality by enabling data exfiltration via covert channels without requiring direct application responses. No patch is currently available for affected deployments.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1478 HIGH This Week

Unauthenticated attackers can exploit an out-of-band SQL injection flaw in the Performance Evaluation (EDD) application via the 'Id_usuario' and 'Id_evaluacion' parameters to extract sensitive database information through external channels, compromising data confidentiality. The vulnerability requires no user interaction and is remotely exploitable from the network. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1477 HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' and 'Id_evaluacion' parameters in the '/evaluacion_competencias_evalua_old.aspx' endpoint. An attacker can bypass normal application output channels to exfiltrate confidential data, compromising database confidentiality. No patch is currently available for this vulnerability.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1476 HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to extract sensitive database information through indirect data exfiltration channels. This vulnerability in the '/evaluacion_acciones_ver_auto.aspx' endpoint compromises the confidentiality of stored data without requiring user interaction. No patch is currently available for this HIGH severity vulnerability.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1475 HIGH This Week

Unauthenticated attackers can extract sensitive database information from the Evaluacion De Desempeno application through an out-of-band SQL injection vulnerability in the 'Id_usuario' parameter of '/evaluacion_acciones_evalua.aspx'. The vulnerability allows data exfiltration via external channels without direct application responses, compromising database confidentiality. No patch is currently available for this high-severity flaw.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1474 HIGH This Week

Out-of-band SQL injection in the Performance Evaluation (EDD) application allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' and 'Id_evaluacion' parameters in '/evaluacion_inicio.aspx'. An attacker can exfiltrate confidential data via external channels without direct application feedback, compromising data confidentiality. No patch is currently available for this vulnerability.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1473 HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to exfiltrate sensitive database information through covert channels. The vulnerability affects the '/evaluacion_competencias_evalua.aspx' endpoint and enables unauthorized access to confidential data despite the application not directly returning query results. No patch is currently available for this HIGH severity vulnerability.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1472 HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application allows unauthenticated remote attackers to extract sensitive database information through the 'txAny' parameter in '/evaluacion_competencias_autoeval_list.aspx' without direct output reflection. By leveraging external data channels, an attacker can bypass normal application responses to exfiltrate confidential data and compromise database confidentiality. No patch is currently available for this vulnerability.

SQLi Evaluacion De Desempeno
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69564 CRITICAL POC Act Now

Mobile Shop Management System has code injection in ExAddNewUser.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-69563 CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in ExLogin.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-69562 CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in insertmessage.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2021-47902 HIGH POC This Week

Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-36951 HIGH POC This Week

Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2020-36947 PHP HIGH POC This Week

LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. [CVSS 7.1 HIGH]

SQLi Librenms
NVD GitHub Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1449 MEDIUM This Month

SQL injection in Hisense TransTech Smart Bus Management System through version 20260113 allows unauthenticated remote attackers to manipulate the key parameter in the TireMng.aspx Page_Load function and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. An attacker can exploit this over the network without authentication to read, modify, or delete sensitive data.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-59473 HIGH This Week

SQL Injection vulnerability in the Structure for Admin authenticated user [CVSS 7.2 HIGH]

SQLi Expressionengine
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1443 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-59105 Monitor

With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption.

Linux Windows SSH SQLi
NVD
EPSS
0.0%
CVE-2025-59100 Monitor

The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots.

SQLi
NVD
EPSS
0.0%
CVE-2025-59099 Monitor

The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication.

SQLi Denial Of Service Path Traversal
NVD
EPSS
0.2%
CVE-2026-1422 MEDIUM POC This Month

SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14973 MEDIUM This Month

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]

WordPress SQLi PHP
NVD WPScan
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-0806 MEDIUM This Month

SQL injection in the WP-ClanWars WordPress plugin through version 2.0.1 allows authenticated administrators to execute arbitrary SQL queries via an unescaped 'orderby' parameter, enabling extraction of sensitive database information. The vulnerability requires high-level administrative privileges and does not allow data modification or system availability impacts. No patch is currently available for this issue.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-52025 CRITICAL Act Now

Aptsys gemscms POS Platform has a SQL injection in the GetServiceByRestaurantID endpoint allowing extraction of restaurant and payment data.

SQLi Gemscms Backend
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

AdminPando 1.0.1 by Fikir Odalari has a CVSS 10.0 SQL injection in the login functionality allowing complete authentication bypass and database takeover.

SQLi Authentication Bypass Fikir Odalari Adminpando
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

PEAR PHP framework has a seventh SQL injection with higher EPSS (0.12%), indicating more active scanning for this particular injection vector.

PHP SQLi Pearweb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

PEAR PHP framework has another SQL injection vulnerability prior to version 1.33.0, the sixth in a series of critical security flaws in the PHP component distribution system.

PHP SQLi Pearweb
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in PEAR's apidoc queue insertion allows unauthenticated remote attackers to manipulate database queries by controlling filename values, enabling unauthorized data modification. PEAR versions before 1.33.0 are affected, and no patch is currently available for affected deployments.

PHP SQLi Pearweb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a fifth SQL injection vulnerability, part of a comprehensive security audit that found multiple injection points across the framework.

PHP SQLi Pearweb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

PEAR PHP framework has a second SQL injection vulnerability in a different code path, providing an alternate database compromise vector.

PHP SQLi Pearweb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

PEAR PHP framework prior to 1.33.0 has a SQL injection vulnerability allowing attackers to extract data from the component distribution database.

PHP SQLi Pearweb
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. [CVSS 6.5 MEDIUM]

SQLi Jeewms
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.

SQLi Fuxa
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the industrial monitoring database.

IoT Industrial SQLi +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

YouDataSum CPAS Audit Management System v4.9 has a SQL injection in the archive report endpoint allowing extraction of audit and compliance data.

SQLi Cpas Audit Management System
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 7.1 HIGH]

SQLi Open Eclass Platform
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. [CVSS 6.1 MEDIUM]

PHP SQLi XSS +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi XSS +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in KiviCare clinic management system versions 3.6.16 and earlier allows authenticated attackers to execute arbitrary SQL queries over the network with no user interaction required. An attacker with valid credentials can exploit this vulnerability to extract sensitive data from the underlying database, though code execution is not possible. No patch is currently available for this HIGH severity vulnerability affecting the Iqonic Design product.

SQLi
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection in Django's QuerySet.order_by() method allows authenticated attackers to execute arbitrary SQL commands through specially crafted column aliases containing periods when used with FilteredRelation and dictionary expansion. This vulnerability affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, with potentially older unsupported versions also impacted. Patches are available for all affected versions.

Django SQLi Python
NVD HeroDevs VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection via FilteredRelation column aliases in Django 4.2, 5.2, and 6.0 allows authenticated attackers to execute arbitrary SQL queries through crafted dictionary arguments in QuerySet methods like annotate() and aggregate(). An attacker with database access can exploit control characters in alias names to bypass input validation and potentially extract sensitive data or modify database contents. Patches are available for all affected versions, and unsupported Django releases may also be vulnerable.

Django SQLi Python
NVD HeroDevs VulDB
EPSS 5% CVSS 5.4
MEDIUM POC PATCH This Month

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands through the band index parameter in affected versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Unsupported Django series including 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. A patch is available and authentication is required to exploit this vulnerability.

Django SQLi Python
NVD HeroDevs VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Emit Informatics product has a SQL injection vulnerability allowing unauthenticated database compromise through unsanitized input parameters.

SQLi
NVD VulDB
EPSS 0%
This Week

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'.

SQLi
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection.This issue affects SKSPro: through 07012026. [CVSS 8.6 HIGH]

SQLi Skspro
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in JeecgBoot 3.9.0's Online Report API endpoint allows authenticated remote attackers to manipulate the keyword parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with valid credentials can leverage this flaw to read, modify, or delete sensitive database information.

SQLi Jeecg Boot
NVD VulDB
EPSS 0% CVSS 8.1
HIGH POC This Week

Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. [CVSS 8.1 HIGH]

PHP SQLi Simple Cms Php
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. [CVSS 8.1 HIGH]

SQLi Php Melody
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. [CVSS 8.1 HIGH]

SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated SQL injection in the SupportCandy WordPress plugin versions up to 3.4.4 allows subscribers and above to extract sensitive database information through inadequately sanitized custom field filters. An authenticated attacker can manipulate the equals operator parameter to inject malicious SQL queries and bypass existing protections, exposing confidential data stored in the WordPress database.

WordPress SQLi
NVD
EPSS 0% CVSS 8.2
HIGH POC This Week

Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. [CVSS 8.2 HIGH]

SQLi Online Exam System
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. [CVSS 7.1 HIGH]

SQLi Navigate Cms
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

PHP SQLi Online Exam System
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. [CVSS 8.2 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

PostgreSQL SQLi pandas
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /enrollment/index.php enables unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against affected installations.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Directory Management System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin/index.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the student_id parameter in /admin/edit_student_query.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available, increasing the risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense administration interface allows unauthenticated remote attackers to manipulate the detail parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems expose confidentiality, integrity, and availability of underlying data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/faculty/index.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the txtsearch parameter in /ramonsys/inquiry/index.php enables unauthenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. [CVSS 7.5 HIGH]

SQLi Content Management System
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Tanium addressed a SQL injection vulnerability in Asset. [CVSS 6.3 MEDIUM]

SQLi Asset
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in jshERP up to version 3.6 allows authenticated remote attackers to manipulate the barCodes parameter in the DepotItem import function, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available. The vendor has not responded to early notification of this issue.

SQLi Jsherp
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminReply.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary SQL queries, potentially compromising database confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminEditUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling potential data theft, modification, or service disruption. No patch is currently available, leaving affected installations vulnerable.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in Online Music Site 1.0's AdminAddCategory.php allows remote attackers with high privileges to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. [CVSS 8.6 HIGH]

SQLi Blue
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Explorance Blue versions before 8.14.9 have a CVSS 10.0 SQL injection vulnerability enabling unauthenticated attackers to fully compromise the survey and assessment database.

SQLi Blue
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. [CVSS 8.2 HIGH]

SQLi Smartblog
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in EGroupware's Nextmatch filter allows authenticated attackers to execute arbitrary database commands by exploiting PHP type juggling that bypasses integer validation checks. Public exploit code exists for this vulnerability affecting EGroupware versions prior to 23.1.20260113 and 26.0.20260113, and no patch is currently available. Attackers with valid credentials can manipulate WHERE clauses to extract sensitive data, modify records, or compromise database integrity.

PHP SQLi Egroupware
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the VidShop plugin for WordPress (versions up to 1.1.4) through the unescaped 'fields' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to inject malicious SQL commands without authentication. No patch is currently available for this high-severity flaw affecting WooCommerce installations.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to extract sensitive database information through covert channels, bypassing normal application output mechanisms. This vulnerability affects the '/evaluacion_objetivos_ver_auto.aspx' endpoint and compromises data confidentiality with no patch currently available.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit an out-of-band SQL injection flaw in the Evaluacion De Desempeno application's 'Id_evaluacion' parameter to extract sensitive database information through indirect data exfiltration channels. This network-accessible vulnerability requires no user interaction and affects all instances without authentication controls, potentially exposing confidential evaluation records. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Performance Evaluation (Evaluacion De Desempeno) application allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' parameter in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx' by exfiltrating data via external channels. The vulnerability compromises data confidentiality without requiring user interaction, affecting all deployments of the affected application. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to extract sensitive database information through external data exfiltration channels. This vulnerability affects the '/evaluacion_objetivos_anyo_sig_evalua.aspx' endpoint and compromises confidentiality without requiring user interaction. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in Evaluacion De Desempeno's '/evaluacion_hca_ver_auto.asp' endpoint allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' and 'Id_evaluacion' parameters. The vulnerability compromises confidentiality by enabling data exfiltration via covert channels without requiring direct application responses. No patch is currently available for affected deployments.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit an out-of-band SQL injection flaw in the Performance Evaluation (EDD) application via the 'Id_usuario' and 'Id_evaluacion' parameters to extract sensitive database information through external channels, compromising data confidentiality. The vulnerability requires no user interaction and is remotely exploitable from the network. No patch is currently available.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' and 'Id_evaluacion' parameters in the '/evaluacion_competencias_evalua_old.aspx' endpoint. An attacker can bypass normal application output channels to exfiltrate confidential data, compromising database confidentiality. No patch is currently available for this vulnerability.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to extract sensitive database information through indirect data exfiltration channels. This vulnerability in the '/evaluacion_acciones_ver_auto.aspx' endpoint compromises the confidentiality of stored data without requiring user interaction. No patch is currently available for this HIGH severity vulnerability.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can extract sensitive database information from the Evaluacion De Desempeno application through an out-of-band SQL injection vulnerability in the 'Id_usuario' parameter of '/evaluacion_acciones_evalua.aspx'. The vulnerability allows data exfiltration via external channels without direct application responses, compromising database confidentiality. No patch is currently available for this high-severity flaw.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Performance Evaluation (EDD) application allows unauthenticated remote attackers to extract sensitive database information through the 'Id_usuario' and 'Id_evaluacion' parameters in '/evaluacion_inicio.aspx'. An attacker can exfiltrate confidential data via external channels without direct application feedback, compromising data confidentiality. No patch is currently available for this vulnerability.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application's 'Id_usuario' parameter allows unauthenticated remote attackers to exfiltrate sensitive database information through covert channels. The vulnerability affects the '/evaluacion_competencias_evalua.aspx' endpoint and enables unauthorized access to confidential data despite the application not directly returning query results. No patch is currently available for this HIGH severity vulnerability.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-band SQL injection in the Evaluacion De Desempeno application allows unauthenticated remote attackers to extract sensitive database information through the 'txAny' parameter in '/evaluacion_competencias_autoeval_list.aspx' without direct output reflection. By leveraging external data channels, an attacker can bypass normal application responses to exfiltrate confidential data and compromise database confidentiality. No patch is currently available for this vulnerability.

SQLi Evaluacion De Desempeno
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has code injection in ExAddNewUser.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in ExLogin.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Mobile Shop Management System has SQL injection in insertmessage.php.

PHP SQLi Mobile Shop Management System
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. [CVSS 7.1 HIGH]

SQLi Librenms
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Hisense TransTech Smart Bus Management System through version 20260113 allows unauthenticated remote attackers to manipulate the key parameter in the TireMng.aspx Page_Load function and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. An attacker can exploit this over the network without authentication to read, modify, or delete sensitive data.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

SQL Injection vulnerability in the Structure for Admin authenticated user [CVSS 7.2 HIGH]

SQLi Expressionengine
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.

PHP SQLi
NVD GitHub VulDB
EPSS 0%
Monitor

With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption.

Linux Windows SSH +1
NVD
EPSS 0%
Monitor

The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots.

SQLi
NVD
EPSS 0%
Monitor

The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication.

SQLi Denial Of Service Path Traversal
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]

WordPress SQLi PHP
NVD WPScan
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the WP-ClanWars WordPress plugin through version 2.0.1 allows authenticated administrators to execute arbitrary SQL queries via an unescaped 'orderby' parameter, enabling extraction of sensitive database information. The vulnerability requires high-level administrative privileges and does not allow data modification or system availability impacts. No patch is currently available for this issue.

WordPress SQLi
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Aptsys gemscms POS Platform has a SQL injection in the GetServiceByRestaurantID endpoint allowing extraction of restaurant and payment data.

SQLi Gemscms Backend
NVD GitHub
Prev Page 25 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy