Skip to main content

SQLi

15171 CVEs technique

Monthly

CVE-2026-22687 Go MEDIUM POC PATCH This Month

WeKnora versions before 0.2.5 allow unauthenticated attackers to bypass database query restrictions through prompt injection techniques when the Agent service is enabled, enabling unauthorized access to sensitive data. Public exploit code exists for this vulnerability, which affects the framework's document understanding and semantic retrieval capabilities. A patch is available in version 0.2.5 and later.

SQLi AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-65091 Maven CRITICAL PATCH Act Now

XWiki Full Calendar Macro (before 2.4.5) has SQL injection accessible to guest users via the Calendar.JSONService page. Maximum CVSS 10.0 with scope change. Patch available.

SQLi Denial Of Service Full Calendar Macro
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-51626 MEDIUM This Month

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. [CVSS 6.5 MEDIUM]

PHP SQLi Pss.Sale.Com
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67811 MEDIUM This Month

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. [CVSS 6.5 MEDIUM]

SQLi Rhapsode
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22197 HIGH This Week

GestSup versions before 3.2.60 allow authenticated attackers to execute SQL injection attacks through insufficiently sanitized filtering and sorting parameters in the asset list functionality, potentially enabling unauthorized database access or modification. The vulnerability requires valid credentials to exploit but has no available patch, leaving affected installations vulnerable to data breach or manipulation depending on database permissions.

SQLi Gestsup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22196 HIGH This Week

GestSup prior to version 3.2.60 is vulnerable to SQL injection in the ticket creation feature, allowing authenticated attackers to execute arbitrary database queries through unsanitized user input. An attacker with valid credentials can read or modify sensitive database contents depending on the database permission level. No patch is currently available.

SQLi Gestsup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22195 HIGH This Week

Authenticated attackers can exploit SQL injection in GestSup's search functionality (versions before 3.2.60) to manipulate database queries and access or modify sensitive data. The vulnerability stems from insufficient input validation on user-controlled search parameters in SQL statements. With no patch currently available, affected organizations should implement database access controls and monitor for suspicious search activity.

SQLi Gestsup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-15496 LOW POC Monitor

A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. [CVSS 6.3 MEDIUM]

SQLi Yshopmall
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15494 LOW POC Monitor

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15493 LOW POC Monitor

Docsys versions up to 2.02.36. contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

SQLi Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0803 LOW POC Monitor

PHPGurukul Online Course Registration System through version 3.1 contains a SQL injection vulnerability in /enroll.php that allows authenticated attackers to manipulate multiple parameters (studentregno, Pincode, session, department, level, course, sem) to execute arbitrary database queries over the network. Public exploit code exists for this vulnerability, and no patch is currently available, creating risk for deployments handling course enrollment data.

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-67281 MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. [CVSS 5.4 MEDIUM]

SQLi Tim Flow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67280 MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. [CVSS 5.4 MEDIUM]

Information Disclosure SQLi Tim Flow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15492 LOW POC Monitor

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-14598 CRITICAL POC Act Now

BeeS Software BET Portal has SQL injection in the login functionality, allowing unauthenticated attackers to bypass authentication and extract database contents. PoC available.

SQLi Bet E Portal
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-64092 HIGH This Week

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. [CVSS 7.5 HIGH]

SQLi Icx500 Firmware Icx510 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0733 LOW POC Monitor

SQL injection in PHPGurukul Online Course Registration System through 3.1 allows authenticated attackers to manipulate the id/cid parameters in the manage-students.php admin function, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0729 LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 add_activity.php file allows authenticated administrators to manipulate the Title parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables an authenticated attacker with high privileges to compromise data confidentiality and integrity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0728 LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin deletion function allows authenticated attackers with high privileges to manipulate the admin_id parameter and execute arbitrary database queries remotely. Public exploit code is available for this vulnerability, which affects PHP-based deployments. The vulnerability enables unauthorized data access, modification, and potential denial of service with no patch currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-61548 CRITICAL POC Act Now

Print Shop Pro WebDesk 18.34 has SQL injection in the hfInventoryDistFormID parameter of GetUnitPrice. Combined with CVE-2025-61546 (negative quantities), this endpoint has two critical vulnerabilities. PoC available, fixed in 19.69.

SQLi Print Shop Pro Webdesk
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-61246 CRITICAL POC Act Now

online-shopping-system-php 1.0 has SQL injection in review_action.php via the proId parameter. PoC available.

PHP SQLi Online Shopping System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-21892 PyPI MEDIUM POC PATCH This Month

SQL injection in Parsl's visualization dashboard allows unauthenticated attackers to execute arbitrary database queries through unsafe string formatting of the workflow_id parameter. Public exploit code exists for this vulnerability, enabling potential data theft or database denial of service attacks against the monitoring infrastructure. The issue affects Parsl versions prior to 2026.01.05, which includes the fix.

Python SQLi Denial Of Service Parsl
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22242 PHP MEDIUM POC PATCH This Month

Blind SQL injection in CoreShop prior to version 4.1.8 allows authenticated administrators to extract sensitive database information through boolean-based or time-based attack techniques. The vulnerability is limited to information disclosure due to the application's read-only database permissions, preventing data modification or denial of service. Public exploit code exists for this vulnerability; administrators should upgrade to version 4.1.8 or later.

SQLi Coreshop
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-67928 CRITICAL Act Now

Automotive Listings WordPress theme (through 18.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-67921 HIGH This Week

Lobo WordPress theme (before 2.8.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-23993 CRITICAL Act Now

Felan Framework (through 1.1.3) also has SQL injection in addition to the auth bypass (CVE-2025-23504). Two critical vulnerabilities in the same plugin create a devastating attack chain.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-22728 HIGH This Week

Workreap WordPress plugin (through 3.3.6) has SQL injection enabling unauthenticated database extraction. A freelance marketplace plugin likely containing user PII and financial data.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-22713 HIGH This Week

WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-0701 LOW POC Monitor

SQL injection in the admin panel of code-projects Intern Membership Management System 1.0 allows authenticated attackers with high privileges to manipulate the Username parameter in /intern/admin/add_admin.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should restrict administrative access and consider implementing input validation controls or upgrading to a patched version when available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-0700 MEDIUM POC This Month

Intern Membership Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0699 LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin panel allows authenticated attackers with high privileges to manipulate the activity_id parameter in edit_activity.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, though no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0698 LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin panel allows authenticated attackers with high privileges to manipulate the admin_id parameter in /intern/admin/edit_students.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive data. No patch is currently available to remediate this issue.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0697 LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin panel allows remote attackers with high privileges to manipulate the admin_id parameter in /intern/admin/edit_admin.php, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-21875 CRITICAL POC Act Now

ClipBucket v5 (5.5.2-#187 and below) has blind SQL injection in the channel comment functionality via the obj_id parameter. Unauthenticated attackers can extract the entire database. PoC available.

PHP SQLi Clipbucket
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2019-25279 HIGH POC This Week

Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cleartext storage of sensitive information (CVSS 7.5).

SQLi Facesentry Access Control System Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2023-7333 PyPI MEDIUM PATCH This Month

A weakness has been identified in bluelabsio records-mover versions up to 1.5.4. contains a security vulnerability (CVSS 5.3).

SQLi
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-21856 HIGH POC PATCH This Week

The Tarkov Data Manager is a tool to manage the Tarkov item data. [CVSS 7.2 HIGH]

MySQL SQLi Tarkov Data Manager
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-32303 CRITICAL Act Now

WPCHURCH WordPress plugin (through 2.7.0) has blind SQL injection with scope change, enabling unauthenticated extraction of the full WordPress database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-14719 MEDIUM This Month

The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD WPScan
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-69351 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. [CVSS 6.5 MEDIUM]

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-59379 HIGH This Week

DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. [CVSS 7.5 HIGH]

SQLi Isensix Advanced Remote Monitoring System Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9318 MEDIUM This Month

The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress SQLi Quiz And Survey Master PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14153 MEDIUM This Month

Page Expire Popup/Redirection for WordPress (WordPress plugin) is affected by sql injection (CVSS 6.5).

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13652 MEDIUM POC This Month

The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13409 MEDIUM This Month

The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-0607 MEDIUM POC This Month

Online Music Site versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0606 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the ID parameter in /FrontEnd/Albums.php allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving all installations at risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0605 MEDIUM POC This Month

SQL injection in the Online Music Site 1.0 login functionality allows unauthenticated remote attackers to manipulate username and password parameters, potentially leading to unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-39484 CRITICAL Act Now

Waituk Entrada WordPress theme (through 5.7.7) contains blind SQL injection with scope change, allowing unauthenticated database extraction beyond the theme's own data.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-0597 LOW POC Monitor

SQL injection in Campcodes Supplier Management System 1.0 allows authenticated remote attackers to manipulate the txtRetailerAddress parameter in /retailer/edit_profile.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations running PHP-based installations should implement input validation controls and restrict access to the vulnerable endpoint until patching becomes available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15029 CRITICAL PATCH Act Now

Centreon Infra Monitoring's AWIE export module contains SQL injection accessible to unauthenticated users. Combined with CVE-2025-15026 (missing auth on import), the AWIE module has both unauthenticated data extraction and unauthorized configuration access. Patch available.

SQLi Awie
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0592 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 user registration handler allows remote attackers to manipulate multiple input fields (name, address, contact details, email, username) without authentication to execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing active exploitation risk. No patch is currently available for affected PHP-based installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0591 LOW POC Monitor

SQL injection in the cart update handler of Online Product Reservation System 1.0 allows authenticated attackers to manipulate product ID and quantity parameters, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, affecting systems running the vulnerable PHP application.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0590 LOW POC Monitor

SQL injection in the Online Product Reservation System 1.0 checkout delete function allows authenticated attackers to manipulate POST parameters and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems at risk of data theft or manipulation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-68865 CRITICAL Act Now

Infility Global WordPress plugin (through 2.14.48) contains SQL injection with scope change, enabling unauthenticated database extraction beyond the plugin's own data. No patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-31044 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 3.3.2. [CVSS 8.5 HIGH]

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-30633 CRITICAL Act Now

Amazon Native Shopping Recommendations WordPress plugin (through 1.3) contains SQL injection that allows unauthenticated attackers to extract database contents with scope change. Abandoned plugin with no expected patch.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-0585 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the transaction_id parameter in /order_view.php and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to read, modify, or delete sensitive data with network access only.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0584 LOW POC Monitor

SQL injection in the Online Product Reservation System 1.0 via the ID parameter in app/products/left_cart.php allows authenticated attackers to read, modify, or delete database contents remotely. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available for affected PHP installations running this software.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0583 MEDIUM POC This Month

SQL injection in the User Login component of Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the emailadd parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or modify database contents. No patch is currently available to address this issue.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0582 LOW POC Monitor

SQL injection in itsourcecode Society Management System 1.0 allows authenticated attackers to manipulate the Title parameter in /admin/edit_activity_query.php, enabling remote data exfiltration, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems at risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15239 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15238 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14124 HIGH POC This Week

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. [CVSS 8.6 HIGH]

WordPress SQLi PHP
NVD WPScan
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-15450 LOW Monitor

A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not u...

SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0579 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 POST parameter handler allows unauthenticated remote attackers to manipulate product attributes like ID, name, and price to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations face potential data theft, modification, and service disruption.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0578 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 administrator delete function allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available for affected PHP installations running this product.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15443 LOW POC Monitor

A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. [CVSS 4.7 MEDIUM]

SQLi Crmeb
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15442 LOW POC Monitor

A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. [CVSS 4.7 MEDIUM]

SQLi Crmeb
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0576 MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 parameter handler allows unauthenticated remote attackers to manipulate cat/price/name/model/serial arguments and execute arbitrary SQL queries with public exploit code available. The vulnerability affects the /handgunner-administrator/prod.php endpoint and enables attackers to read, modify, or delete database contents without authentication. No patch is currently available for this high-severity flaw.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0575 MEDIUM POC This Month

SQL injection in the administrator login component of code-projects Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate emailadd and pass parameters in /handgunner-administrator/adminlogin.php, enabling data exfiltration and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0570 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the fname parameter in /Frontend/Feedback.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive information. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0569 MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the ID parameter in /Frontend/AlbumByCategory.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0568 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's ViewSongs.php parameter handling allows unauthenticated remote attackers to manipulate the ID argument and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and impacts the confidentiality, integrity, and availability of the affected application.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0567 MEDIUM POC This Month

SQL injection in code-projects Content Management System 1.0 via the ID parameter in /pages.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to read, modify, or delete sensitive database information with low complexity from any network location.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15439 LOW Monitor

A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. [CVSS 6.3 MEDIUM]

SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-59389 CRITICAL Act Now

QNAP Hyper Data Protector before 2.2.4.1 has an SQL injection vulnerability that allows remote attackers to execute unauthorized commands on the backup database. Combined with CVE-2025-59388 (hardcoded credentials), this creates a critical attack chain.

SQLi Hyper Data Protector
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59387 This Week

An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.

SQLi
NVD
EPSS
0.2%
CVE-2025-65125 CRITICAL POC Act Now

The online-movie-booking application (v5.5) by gosaliajainam contains SQL injection in movie_details.php, allowing unauthenticated attackers to extract the entire database. PoC exists. This is an open-source educational project often deployed without hardening.

PHP SQLi Online Movie Booking
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0565 MEDIUM POC This Month

Content Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-0546 MEDIUM POC This Month

SQL injection in code-projects Content Management System 1.0 via the search.php parameter allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations should implement immediate input validation or access controls until patching is possible.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15436 MEDIUM POC This Month

A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15435 MEDIUM POC This Month

A flaw has been found in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_update.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15434 MEDIUM POC This Month

A vulnerability was detected in Yonyou KSOA 9.0. Affected is an unknown function of the file /kp/PrintZPYG.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15425 MEDIUM POC This Month

A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15424 MEDIUM POC This Month

A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp of the component HTTP GET Parameter Handler. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15421 MEDIUM POC This Month

A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15420 MEDIUM POC This Month

A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-55065 HIGH This Week

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CVSS 7.5 HIGH]

SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15410 MEDIUM POC This Month

A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. [CVSS 7.3 HIGH]

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 5.6
MEDIUM POC PATCH This Month

WeKnora versions before 0.2.5 allow unauthenticated attackers to bypass database query restrictions through prompt injection techniques when the Agent service is enabled, enabling unauthorized access to sensitive data. Public exploit code exists for this vulnerability, which affects the framework's document understanding and semantic retrieval capabilities. A patch is available in version 0.2.5 and later.

SQLi AI / ML Weknora +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

XWiki Full Calendar Macro (before 2.4.5) has SQL injection accessible to guest users via the Calendar.JSONService page. Maximum CVSS 10.0 with scope change. Patch available.

SQLi Denial Of Service Full Calendar Macro
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. [CVSS 6.5 MEDIUM]

PHP SQLi Pss.Sale.Com
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. [CVSS 6.5 MEDIUM]

SQLi Rhapsode
NVD
EPSS 0% CVSS 8.1
HIGH This Week

GestSup versions before 3.2.60 allow authenticated attackers to execute SQL injection attacks through insufficiently sanitized filtering and sorting parameters in the asset list functionality, potentially enabling unauthorized database access or modification. The vulnerability requires valid credentials to exploit but has no available patch, leaving affected installations vulnerable to data breach or manipulation depending on database permissions.

SQLi Gestsup
NVD
EPSS 0% CVSS 8.1
HIGH This Week

GestSup prior to version 3.2.60 is vulnerable to SQL injection in the ticket creation feature, allowing authenticated attackers to execute arbitrary database queries through unsanitized user input. An attacker with valid credentials can read or modify sensitive database contents depending on the database permission level. No patch is currently available.

SQLi Gestsup
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated attackers can exploit SQL injection in GestSup's search functionality (versions before 3.2.60) to manipulate database queries and access or modify sensitive data. The vulnerability stems from insufficient input validation on user-controlled search parameters in SQL statements. With no patch currently available, affected organizations should implement database access controls and monitor for suspicious search activity.

SQLi Gestsup
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. [CVSS 6.3 MEDIUM]

SQLi Yshopmall
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Docsys versions up to 2.02.36. contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

SQLi Docsys
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

PHPGurukul Online Course Registration System through version 3.1 contains a SQL injection vulnerability in /enroll.php that allows authenticated attackers to manipulate multiple parameters (studentregno, Pincode, session, department, level, course, sem) to execute arbitrary database queries over the network. Public exploit code exists for this vulnerability, and no patch is currently available, creating risk for deployments handling course enrollment data.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. [CVSS 5.4 MEDIUM]

SQLi Tim Flow
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. [CVSS 5.4 MEDIUM]

Information Disclosure SQLi Tim Flow
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

BeeS Software BET Portal has SQL injection in the login functionality, allowing unauthenticated attackers to bypass authentication and extract database contents. PoC available.

SQLi Bet E Portal
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. [CVSS 7.5 HIGH]

SQLi Icx500 Firmware Icx510 Firmware
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Course Registration System through 3.1 allows authenticated attackers to manipulate the id/cid parameters in the manage-students.php admin function, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 add_activity.php file allows authenticated administrators to manipulate the Title parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables an authenticated attacker with high privileges to compromise data confidentiality and integrity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin deletion function allows authenticated attackers with high privileges to manipulate the admin_id parameter and execute arbitrary database queries remotely. Public exploit code is available for this vulnerability, which affects PHP-based deployments. The vulnerability enables unauthorized data access, modification, and potential denial of service with no patch currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Print Shop Pro WebDesk 18.34 has SQL injection in the hfInventoryDistFormID parameter of GetUnitPrice. Combined with CVE-2025-61546 (negative quantities), this endpoint has two critical vulnerabilities. PoC available, fixed in 19.69.

SQLi Print Shop Pro Webdesk
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

online-shopping-system-php 1.0 has SQL injection in review_action.php via the proId parameter. PoC available.

PHP SQLi Online Shopping System
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

SQL injection in Parsl's visualization dashboard allows unauthenticated attackers to execute arbitrary database queries through unsafe string formatting of the workflow_id parameter. Public exploit code exists for this vulnerability, enabling potential data theft or database denial of service attacks against the monitoring infrastructure. The issue affects Parsl versions prior to 2026.01.05, which includes the fix.

Python SQLi Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

Blind SQL injection in CoreShop prior to version 4.1.8 allows authenticated administrators to extract sensitive database information through boolean-based or time-based attack techniques. The vulnerability is limited to information disclosure due to the application's read-only database permissions, preventing data modification or denial of service. Public exploit code exists for this vulnerability; administrators should upgrade to version 4.1.8 or later.

SQLi Coreshop
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Automotive Listings WordPress theme (through 18.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Lobo WordPress theme (before 2.8.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Felan Framework (through 1.1.3) also has SQL injection in addition to the auth bypass (CVE-2025-23504). Two critical vulnerabilities in the same plugin create a devastating attack chain.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Workreap WordPress plugin (through 3.3.6) has SQL injection enabling unauthenticated database extraction. A freelance marketplace plugin likely containing user PII and financial data.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.

WordPress SQLi
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the admin panel of code-projects Intern Membership Management System 1.0 allows authenticated attackers with high privileges to manipulate the Username parameter in /intern/admin/add_admin.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should restrict administrative access and consider implementing input validation controls or upgrading to a patched version when available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Intern Membership Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin panel allows authenticated attackers with high privileges to manipulate the activity_id parameter in edit_activity.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, though no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin panel allows authenticated attackers with high privileges to manipulate the admin_id parameter in /intern/admin/edit_students.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive data. No patch is currently available to remediate this issue.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in the Intern Membership Management System 1.0 admin panel allows remote attackers with high privileges to manipulate the admin_id parameter in /intern/admin/edit_admin.php, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

ClipBucket v5 (5.5.2-#187 and below) has blind SQL injection in the channel comment functionality via the obj_id parameter. Unauthenticated attackers can extract the entire database. PoC available.

PHP SQLi Clipbucket
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cleartext storage of sensitive information (CVSS 7.5).

SQLi Facesentry Access Control System Firmware
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A weakness has been identified in bluelabsio records-mover versions up to 1.5.4. contains a security vulnerability (CVSS 5.3).

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

The Tarkov Data Manager is a tool to manage the Tarkov item data. [CVSS 7.2 HIGH]

MySQL SQLi Tarkov Data Manager
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

WPCHURCH WordPress plugin (through 2.7.0) has blind SQL injection with scope change, enabling unauthenticated extraction of the full WordPress database.

SQLi
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD WPScan
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. [CVSS 6.5 MEDIUM]

SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. [CVSS 7.5 HIGH]

SQLi Isensix Advanced Remote Monitoring System Firmware
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress SQLi Quiz And Survey Master +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Page Expire Popup/Redirection for WordPress (WordPress plugin) is affected by sql injection (CVSS 6.5).

WordPress SQLi PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Online Music Site versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the ID parameter in /FrontEnd/Albums.php allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving all installations at risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Music Site 1.0 login functionality allows unauthenticated remote attackers to manipulate username and password parameters, potentially leading to unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Waituk Entrada WordPress theme (through 5.7.7) contains blind SQL injection with scope change, allowing unauthenticated database extraction beyond the theme's own data.

SQLi
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Campcodes Supplier Management System 1.0 allows authenticated remote attackers to manipulate the txtRetailerAddress parameter in /retailer/edit_profile.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations running PHP-based installations should implement input validation controls and restrict access to the vulnerable endpoint until patching becomes available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Centreon Infra Monitoring's AWIE export module contains SQL injection accessible to unauthenticated users. Combined with CVE-2025-15026 (missing auth on import), the AWIE module has both unauthenticated data extraction and unauthorized configuration access. Patch available.

SQLi Awie
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 user registration handler allows remote attackers to manipulate multiple input fields (name, address, contact details, email, username) without authentication to execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing active exploitation risk. No patch is currently available for affected PHP-based installations.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the cart update handler of Online Product Reservation System 1.0 allows authenticated attackers to manipulate product ID and quantity parameters, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, affecting systems running the vulnerable PHP application.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the Online Product Reservation System 1.0 checkout delete function allows authenticated attackers to manipulate POST parameters and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems at risk of data theft or manipulation.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Infility Global WordPress plugin (through 2.14.48) contains SQL injection with scope change, enabling unauthenticated database extraction beyond the plugin's own data. No patch available.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through 3.3.2. [CVSS 8.5 HIGH]

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Amazon Native Shopping Recommendations WordPress plugin (through 1.3) contains SQL injection that allows unauthenticated attackers to extract database contents with scope change. Abandoned plugin with no expected patch.

SQLi
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the transaction_id parameter in /order_view.php and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to read, modify, or delete sensitive data with network access only.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the Online Product Reservation System 1.0 via the ID parameter in app/products/left_cart.php allows authenticated attackers to read, modify, or delete database contents remotely. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available for affected PHP installations running this software.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the User Login component of Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate the emailadd parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or modify database contents. No patch is currently available to address this issue.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Society Management System 1.0 allows authenticated attackers to manipulate the Title parameter in /admin/edit_activity_query.php, enabling remote data exfiltration, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems at risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. [CVSS 6.5 MEDIUM]

SQLi AI / ML Qoca Aim
NVD
EPSS 0% CVSS 8.6
HIGH POC This Week

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. [CVSS 8.6 HIGH]

WordPress SQLi PHP
NVD WPScan
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not u...

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 POST parameter handler allows unauthenticated remote attackers to manipulate product attributes like ID, name, and price to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations face potential data theft, modification, and service disruption.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 administrator delete function allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available for affected PHP installations running this product.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. [CVSS 4.7 MEDIUM]

SQLi Crmeb
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. [CVSS 4.7 MEDIUM]

SQLi Crmeb
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Online Product Reservation System 1.0 parameter handler allows unauthenticated remote attackers to manipulate cat/price/name/model/serial arguments and execute arbitrary SQL queries with public exploit code available. The vulnerability affects the /handgunner-administrator/prod.php endpoint and enables attackers to read, modify, or delete database contents without authentication. No patch is currently available for this high-severity flaw.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the administrator login component of code-projects Online Product Reservation System 1.0 allows unauthenticated remote attackers to manipulate emailadd and pass parameters in /handgunner-administrator/adminlogin.php, enabling data exfiltration and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the fname parameter in /Frontend/Feedback.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive information. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Music Site 1.0 via the ID parameter in /Frontend/AlbumByCategory.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Music Site 1.0's ViewSongs.php parameter handling allows unauthenticated remote attackers to manipulate the ID argument and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and impacts the confidentiality, integrity, and availability of the affected application.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Content Management System 1.0 via the ID parameter in /pages.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to read, modify, or delete sensitive database information with low complexity from any network location.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. [CVSS 6.3 MEDIUM]

SQLi
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

QNAP Hyper Data Protector before 2.2.4.1 has an SQL injection vulnerability that allows remote attackers to execute unauthorized commands on the backup database. Combined with CVE-2025-59388 (hardcoded credentials), this creates a critical attack chain.

SQLi Hyper Data Protector
NVD
EPSS 0%
This Week

An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.

SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

The online-movie-booking application (v5.5) by gosaliajainam contains SQL injection in movie_details.php, allowing unauthenticated attackers to extract the entire database. PoC exists. This is an open-source educational project often deployed without hardening.

PHP SQLi Online Movie Booking
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Content Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Content Management System 1.0 via the search.php parameter allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations should implement immediate input validation or access controls until patching is possible.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_update.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in Yonyou KSOA 9.0. Affected is an unknown function of the file /kp/PrintZPYG.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp of the component HTTP GET Parameter Handler. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. [CVSS 7.3 HIGH]

SQLi Ksoa
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CVSS 7.5 HIGH]

SQLi
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. [CVSS 7.3 HIGH]

PHP SQLi
NVD GitHub VulDB
Prev Page 27 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy