SQLi
Monthly
SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.
SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient and appointment data to remote attackers holding low-privilege credentials via the `patiente` parameter in `/patientappointment.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with no attack complexity, and the E:P modifier reflects a publicly disclosed proof-of-concept on GitHub. While not yet listed in CISA KEV, the combination of a live PoC, a healthcare data context, and trivial exploitation conditions makes this a credible risk for any organization running this application.
SQL injection in code-projects Assessment Management 1.0 allows authenticated remote attackers to execute arbitrary SQL queries by manipulating the smarksrange[] array parameter in /lecturer/marking-scheme.php. The CVSS 4.0 vector (PR:L) confirms low-privilege authentication is required, limiting the attack surface to registered users such as lecturers. A public exploit proof-of-concept is available on GitHub, elevating the practical risk despite the medium CVSS 4.0 score of 5.3 and no confirmed active exploitation in the CISA KEV catalog.
SQL injection in code-projects Assessment Management 1.0 exposes database query handling in the lecturer marking-scheme feature to manipulation via the unsanitized `squestions[]` parameter at `/lecturer/marking-scheme.php`. Authenticated remote attackers with low-privilege access can alter SQL query logic to extract or modify student assessment data. A public proof-of-concept exploit is documented on GitHub, lowering the skill bar for exploitation; however, the application is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 reflecting its constrained impact and authentication prerequisite.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.
SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.
Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.
SQL injection in CodeAstro Ecommerce Website 1.0 exposes authenticated customers to database manipulation via the c_name parameter on the account-editing endpoint. The vulnerability was publicly disclosed with a proof-of-concept exploit referenced on GitHub, meaning exploitation tooling is accessible. Impact is assessed as limited scope - low confidentiality, integrity, and availability - but network reachability and the public PoC raise opportunistic risk for unpatched deployments.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the login endpoint at /index.php to unauthenticated remote attackers who can manipulate the Username parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites for exploitation, and the E:P modifier reflects a publicly available proof-of-concept on GitHub. No CISA KEV listing was found at time of analysis, but the combination of an exposed login surface, no authentication barrier, and live POC code materially elevates practical risk beyond the medium CVSS score of 6.9.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient records to partial disclosure and modification via the `editid` parameter in `/patient.php`. The CVSS 4.0 vector (PR:L) confirms exploitation requires a low-privilege authenticated session, limiting the immediate attack surface to users who can log in. A public proof-of-concept exploit exists (E:P), elevating practical risk above the base score of 5.3, though no CISA KEV listing confirms active exploitation at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `editid` parameter in `/medicine.php`. The attack achieves partial confidentiality, integrity, and availability impact against the underlying database. A public proof-of-concept exploit has been published (tracked via GitHub issue), lowering the barrier for exploitation; however, no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in Raera's Destekz support/help-desk application (all versions through 02062026) allows remote attackers to inject arbitrary SQL via unsanitized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicating unauthenticated network exploitation. TR-CERT rates this critical (9.8) with full confidentiality, integrity, and availability impact, meaning an attacker can read, modify, or destroy backend database contents. No public exploit identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued.
SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.
Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment.
Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments.
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.
SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in the WP EasyCart WordPress e-commerce plugin (all versions up to and including 5.9.0) lets a low-privileged authenticated user with Contributor role inject arbitrary SQL into backend queries. Reported by Patchstack and rated CVSS 8.5, the flaw allows attackers to read sensitive database contents such as customer records, order data, and WordPress user credential hashes. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authenticated SQL injection in the WordPress plugin nicen-localize-image (versions 1.4.9 and earlier) allows users holding the low-privilege Contributor role to inject arbitrary SQL into the WordPress database backend. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond the plugin's own remit, potentially extracting other users' credentials or secrets from the wp_users/wp_options tables. Reported by Patchstack with a CVSS of 8.5; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
SQL injection in the iNET Webkit WordPress plugin (version 1.2.4 and prior) lets authenticated users holding at least the Contributor role inject arbitrary SQL through unsanitized input, exposing the WordPress database. Reported by Patchstack and carrying a CVSS 8.5 (scope-changed) rating, it enables read access to sensitive data such as user credentials and secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in the Custom Field Template WordPress plugin (versions <= 2.7.8) allows a low-privileged authenticated user at the Contributor role to inject arbitrary SQL into backend database queries. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond their own authorization boundary, including other users' credentials and site secrets. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no KEV listing.
SQL injection in the WP Fast Total Search (fulltext-search) WordPress plugin by epsiloncool affects all versions up to and including 1.80.280, letting unauthenticated remote attackers inject arbitrary SQL into backend queries (CWE-89). Because the CVSS vector uses PR:N/UI:N with a scope change, exploitation needs no login or user interaction and can reach data beyond the plugin's own tables. No public exploit was identified at time of analysis; the issue was reported through Patchstack and carries a critical 9.3 base score.
SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries per the CVSS PR:N vector. Reported by Patchstack and rated CVSS 9.3 (critical) with a scope-changed vector, the flaw enables confidentiality-impacting data extraction from the WordPress database without any authentication or user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
SQL injection in the Unicamp WordPress theme (versions 2.2.2 and earlier) by ThemeMove allows an attacker holding a low-privilege Subscriber account to inject arbitrary SQL into backend database queries. Because the CVSS scope is marked changed with high confidentiality impact, a successful attacker can read data beyond their normal authorization boundary, including other users' records and potentially credentials stored in the WordPress database. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.
SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.
SQL injection in the Houzez Property Feed WordPress plugin (versions up to and including 2.5.46) permits authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database by manipulating the `orderby` GET parameter on admin log pages. The root cause is a `$wpdb->prepare()` misuse pattern: user-supplied `$_GET['orderby']` and `$_GET['order']` values are filtered only with `sanitize_text_field()` - which does not neutralize SQL metacharacters - then concatenated directly into the SQL format string before `prepare()` is invoked, meaning prepare() only parameterizes the trailing LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. No public exploit has been identified at time of analysis, and the high privilege requirement (WordPress Administrator) significantly constrains the realistic attacker pool.
SQL injection in the UTT nv518G security gateway (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers inject arbitrary SQL through the gohead/sub_463bbc component, which per the advisory escalates to arbitrary code execution on the device. The flaw is unauthenticated (CVSS 9.8, PR:N) and publicly available exploit code exists via a GitHub write-up, though it is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile), indicating no evidence of widespread automated exploitation yet.
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated database read and write operations across all versions prior to 1.43.9, 1.44.6, and 1.45.4. The Cargo extension's core function - accepting user-supplied query parameters to construct database queries - makes this a structurally sensitive attack surface, as improper neutralization of SQL special elements allows crafted input to escape intended query boundaries. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the PR:N/AC:L/AT:N CVSS 4.0 vector confirms exploitation requires no authentication or special preconditions against default-accessible Cargo query endpoints.
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions prior to 1.43.9, 1.44.6, or 1.45.4 to unauthenticated database manipulation via the Cargo query interface. The flaw stems from improper neutralization of user-controlled input incorporated into SQL statements without adequate parameterization, allowing attackers to read, modify, or partially disrupt data stored in Cargo-managed tables. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 vector confirms low-complexity, network-accessible exploitation requiring no authentication or user interaction.
SQL injection in the Guardian language-system (translate_text.php) lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The CVSS 4.0 vector scores this 9.3 (Critical) with PR:N, and the VulnCheck advisory title labels it unauthenticated, though the CVE description states an authenticated attacker is required - this discrepancy should be verified. Publicly available exploit code exists, but there is no public exploit identified as being actively used in attacks (not in CISA KEV).
SQL injection in Guardian Language-System's designer.php exposes the entire backend database to attackers who supply a crafted 'name' GET parameter, which is concatenated directly into a SELECT query without sanitization (CWE-89). VulnCheck reports this as remotely reachable and publicly available exploit code exists, though no public exploit is confirmed as actively used in the wild (not in CISA KEV). Note a source conflict: the CVE description labels the attacker 'authenticated' while the VulnCheck advisory and CVSS 4.0 vector (PR:N) describe it as unauthenticated.
SQL injection in Guardian Language-System's subtitles.php lets attackers extract arbitrary database contents by tampering with the id GET parameter, which is concatenated directly into a SELECT query without sanitization. The flaw is error-based and rated critical (CVSS 4.0 base 9.3, VC:H/VI:H/VA:H), publicly available exploit code exists (VulnCheck advisory plus a public gist PoC), and there is no public exploit identified as being used in active attacks. Note a source conflict: the CVE description labels the attacker 'authenticated,' but the CVSS vector (PR:N) and VulnCheck's advisory title both describe it as unauthenticated.
SQL injection in Guardian language-system via the 'id' GET parameter in job_info_get.php lets attackers inject arbitrary SQL into a query against the 'jobs' table, enabling error-based extraction of database contents. The CVSS 4.0 vector (AV:N/PR:N) and VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description text describes an 'authenticated attacker' - a discrepancy defenders should verify. Publicly available exploit code exists (VulnCheck/gist PoC), raising the practical risk despite no confirmed active exploitation.
SQL injection in Guardian language-system's text_file.php lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The flaw is a classic error-based SQLi (CWE-89) where user input is concatenated directly into a SELECT statement, and publicly available exploit code exists (reported by VulnCheck). No CISA KEV listing exists, so this represents publicly available exploit code rather than confirmed active exploitation.
Error-based SQL injection in Guardian Language System's media.php allows attackers to extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter (CWE-89). Publicly available exploit code exists (published via a GitHub gist by VulnCheck), and the CVSS 4.0 vector (AV:N/AC:L/PR:N) plus the VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description conversely refers to an 'authenticated attacker' - a discrepancy defenders should verify. No public evidence of active in-the-wild exploitation (not listed in CISA KEV).
Unauthenticated SQL injection in Guardian Language System lets remote attackers manipulate the backend database by injecting into the `id` GET parameter of job_info.php, which is concatenated directly into a SQL query with no sanitization. Because no authentication is required (CVSS 4.0 PR:N) and publicly available exploit code exists, any attacker who can reach the endpoint can extract database version, current user, schema names, and table contents via error-based injection. Reported by VulnCheck with a CVSS of 9.3; no public exploit identified as actively used in the wild (not in CISA KEV).
Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).
SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS signal was not supplied; however, the Wordfence intelligence report and a confirmed upstream fix commit indicate the issue is credibly documented.
SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided in the input.
SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the `wppm_proj_filter` parameter handled by `wppm_view_project_tasks.php`, which lacks both proper SQL escaping and prepared statement usage. Compounding the risk, the `wp_ajax_wppm_view_project_tasks` AJAX handler performs no nonce verification, meaning the vulnerable code path is reachable by any authenticated WordPress session without additional preconditions. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; however, the low privilege bar and straightforward injection vector make this a credible threat against any WordPress site running the affected plugin.
SQL injection in StoneFly Storage Concentrator (SC and SCVM) lets an unauthenticated remote attacker read sensitive database contents by injecting through the cookie value handled by the login.pl and debug.pl CGI scripts. Successful exploitation discloses session tokens, password hashes, and stored secret keys, enabling authentication bypass and broader compromise of the storage appliance. There is no public exploit identified at time of analysis, and the issue is tracked under CISA ICS advisory ICSA-26-181-06.
File path control vulnerability (CWE-73) in IBM App Connect Enterprise and IBM Integration Bus for z/OS enables a remote attacker to socially engineer a victim into triggering unauthorized file creation on the local system. Despite being tagged and described as SQL injection, the governing weakness classification is CWE-73 (External Control of File Name or Path), and the described impact - unexpected local file creation - aligns with that CWE rather than database injection. Affected versions span IBM ACE 12.x and 13.x across wide release ranges, as well as IBM Integration Bus for z/OS 10.1.x. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.
SQL injection in the Apache Gravitino UI exposes server-side files to authenticated malicious users, enabling unauthorized file read and file truncation on the underlying host. Affected versions are listed as 1.0.0 and below, though the advisory contains an apparent inconsistency - the fix is attributed to version 1.0.0 itself, suggesting the actual patched release may be a later point version. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Blind SQL injection in Eksagate SYSGUARD 6001 (versions 2.0.2 up to but not including 6.1.16.0) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input, enabling extraction or manipulation of backend database contents. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) rates it 9.8 Critical with full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued for affected branches.
SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
SQL injection in Redeight CMS 1.0 lets unauthenticated remote attackers extract sensitive database contents by injecting through the 'userEmail' POST parameter of the /admin/index.php login endpoint. Because user input is interpolated directly into SQL without prepared statements, an attacker needs no credentials and no user interaction to read or manipulate backend data, including admin authentication material. The flaw was reported by CERT-PL and carries a CVSS 4.0 base score of 9.3 (Critical); no public exploit identified at time of analysis.
Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis.
SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter parsing pipeline, yielding full compromise of the backing PostgreSQL database and extraction of stored credentials. The CVSS 4.0 base score is 9.3 (critical) with a fully network-reachable, no-privilege, no-interaction vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network-facing nature makes it a high-priority patch candidate.
Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.
SQL injection in SigNoz observability platform (versions through 0.130.1) lets authenticated, low-privileged users inject arbitrary ClickHouse queries through the unsanitized rule ID path parameter of the alert-history endpoints. By URL-encoding quote characters that break out of the interpolated rule ID, an attacker can read every stored trace, log, and metric, and can abuse ClickHouse's url() table function to pivot into server-side request forgery against internal services. This is CWE-89 with a documented SSRF secondary impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in Snowflake CLI versions 1.1.0 through 3.18.x (fixed in 3.19) lets crafted parameter values reach vulnerable command paths and execute unintended SQL within the user's active Snowflake session. An authenticated CLI user who is fed malicious input - via social engineering, a poisoned repository configuration, or compromised automation - can have arbitrary statements run against their session, with impact bounded by that session's privileges. No public exploit identified at time of analysis; EPSS is very low (0.11%, 1st percentile) and the SSVC exploitation status is 'none', so this is a not-yet-exploited but high-technical-impact issue.
Snowflake CLI versions prior to 3.19 permit self-injection SQL execution through improper neutralization of local CLI parameters in Cortex SQL and object listing command paths, where crafted argument values cause the tool to construct and execute unintended SQL within the authenticated user's existing Snowflake session. Exploitation is structurally constrained to self-injection - the attacker must themselves supply the malicious values via local CLI arguments, and impact cannot exceed the privileges already held by the current session context. No public exploit code has been identified and no active exploitation is confirmed; the vendor-assigned CVSS score of 3.6 (Low) accurately reflects the narrow attack surface and bounded impact.
SQL injection in Snowflake CLI versions 1.2.2 through 3.18.x allows an attacker to execute unintended SQL statements within a victim's authenticated Snowflake session by planting crafted repository content, project configuration, manifest, or specification input. When a developer processes that attacker-controlled content through a vulnerable command path, the injected SQL runs with the victim's session privileges, enabling data theft, modification, or destruction up to that user's authorization level. There is no public exploit identified at time of analysis, exploitation is not confirmed in CISA KEV, and EPSS is low at 0.31% (23rd percentile), reflecting the user-interaction requirement.
SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.
SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).
SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by injecting UNION SELECT payloads into the PARAM_0 POST parameter of the Bank Statement report handler (rep601.php). Attackers with valid low-privilege accounts can dump usernames, password hashes, and email addresses from the users table, with results rendered into the generated PDF report. Publicly available exploit code exists and a vendor patch was released in 2.4.20; the flaw is not listed in CISA KEV and no active exploitation is confirmed.
SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. Publicly available exploit code exists (VulnCheck/Jiva Security writeup), but the issue is not in CISA KEV, so it is no public exploit identified as actively exploited.
SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. Publicly available exploit code exists and a vendor patch shipped in 2.4.20, though there is no public exploit identified as actively exploited.
SQL injection in code-projects Real State Services 1.0 exposes the `ID` parameter of `/single-list_sale.php?action=add` to remote, unauthenticated query manipulation, enabling attackers to read or modify database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required to reach the endpoint, and the E:P modifier confirms publicly available exploit code referenced via a GitHub CVE disclosure. No patch has been issued; this is not currently listed in CISA KEV, indicating no confirmed mass exploitation at time of analysis.
Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.
SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin user-management endpoint to remote database manipulation via the unsanitized Name parameter in /admin/mod_users/controller.php?action=add. The CVSS 4.0 vector assigns no privilege requirement (PR:N) and low complexity (AC:L), though the admin-panel path raises a discrepancy worth verifying - the endpoint may be accessible without authentication if the application does not enforce session controls on admin routes. A public proof-of-concept exploit exists (E:P in the CVSS 4.0 supplemental data), elevating immediate risk despite the absence of a CISA KEV listing.
SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin amenities controller to remote database manipulation via the unsanitized amen_id parameter at /admin/mod_amenities/controller.php?action=edit. A publicly available proof-of-concept exploit has been confirmed (CVSS 4.0 E:P modifier; VulDB submission 843569; GitHub issue Hh-176/CVE#3), enabling unauthenticated or low-privileged remote attackers to read, modify, or corrupt hotel management database records. No vendor patch has been identified at time of analysis.
SQL injection in itsourcecode Baptism Information Management System 1.0 exposes database contents to remote unauthenticated attackers via the ID parameter in /editBaptism.php. A publicly available proof-of-concept exploit exists on GitHub, enabling data exfiltration or modification without any credentials or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/E:P) confirms low-complexity remote exploitation with no special conditions required, and no vendor-released patch has been identified.
SQL injection in itsourcecode Baptism Information Management System 1.0 exposes the `/delbaptism.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this requires no authentication or user interaction against any network-accessible instance. A public proof-of-concept exploit exists on GitHub, making this immediately weaponizable against any exposed deployment, though the application is not listed in CISA KEV and its niche footprint substantially limits aggregate exposure.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.
SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.
SQL injection in YzmCMS up to version 7.5 allows network-based attackers to manipulate database queries by supplying crafted input to the siteurl argument within the installation endpoint /application/install/index.php. No authentication is required per the CVSS 4.0 vector (PR:N), though the attack is rated high complexity (AC:H), meaning exploitation is non-trivial despite a publicly available proof-of-concept on GitHub. The vendor did not respond to coordinated disclosure, leaving no official patch available; CVSS 4.0 scores this 6.3 with partial impact across confidentiality, integrity, and availability - no confirmed active exploitation (not in CISA KEV).
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.
SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.
SQL injection in the JoomCCK content-construction-kit extension for Joomla (versions 1.0 through 6.4.0) lets remote attackers read arbitrary database contents by injecting into a front-end controller task that concatenates an unescaped request parameter into two SQL statements. The flaw is reachable over the network without authentication or user interaction, and SSVC rates it automatable with total technical impact; however, there is no public exploit identified at time of analysis and EPSS is low at 0.28% (20th percentile).
SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.
SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient and appointment data to remote attackers holding low-privilege credentials via the `patiente` parameter in `/patientappointment.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation with no attack complexity, and the E:P modifier reflects a publicly disclosed proof-of-concept on GitHub. While not yet listed in CISA KEV, the combination of a live PoC, a healthcare data context, and trivial exploitation conditions makes this a credible risk for any organization running this application.
SQL injection in code-projects Assessment Management 1.0 allows authenticated remote attackers to execute arbitrary SQL queries by manipulating the smarksrange[] array parameter in /lecturer/marking-scheme.php. The CVSS 4.0 vector (PR:L) confirms low-privilege authentication is required, limiting the attack surface to registered users such as lecturers. A public exploit proof-of-concept is available on GitHub, elevating the practical risk despite the medium CVSS 4.0 score of 5.3 and no confirmed active exploitation in the CISA KEV catalog.
SQL injection in code-projects Assessment Management 1.0 exposes database query handling in the lecturer marking-scheme feature to manipulation via the unsanitized `squestions[]` parameter at `/lecturer/marking-scheme.php`. Authenticated remote attackers with low-privilege access can alter SQL query logic to extract or modify student assessment data. A public proof-of-concept exploit is documented on GitHub, lowering the skill bar for exploitation; however, the application is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 reflecting its constrained impact and authentication prerequisite.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.
SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.
Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.
SQL injection in CodeAstro Ecommerce Website 1.0 exposes authenticated customers to database manipulation via the c_name parameter on the account-editing endpoint. The vulnerability was publicly disclosed with a proof-of-concept exploit referenced on GitHub, meaning exploitation tooling is accessible. Impact is assessed as limited scope - low confidentiality, integrity, and availability - but network reachability and the public PoC raise opportunistic risk for unpatched deployments.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the login endpoint at /index.php to unauthenticated remote attackers who can manipulate the Username parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites for exploitation, and the E:P modifier reflects a publicly available proof-of-concept on GitHub. No CISA KEV listing was found at time of analysis, but the combination of an exposed login surface, no authentication barrier, and live POC code materially elevates practical risk beyond the medium CVSS score of 6.9.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient records to partial disclosure and modification via the `editid` parameter in `/patient.php`. The CVSS 4.0 vector (PR:L) confirms exploitation requires a low-privilege authenticated session, limiting the immediate attack surface to users who can log in. A public proof-of-concept exploit exists (E:P), elevating practical risk above the base score of 5.3, though no CISA KEV listing confirms active exploitation at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `editid` parameter in `/medicine.php`. The attack achieves partial confidentiality, integrity, and availability impact against the underlying database. A public proof-of-concept exploit has been published (tracked via GitHub issue), lowering the barrier for exploitation; however, no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in Raera's Destekz support/help-desk application (all versions through 02062026) allows remote attackers to inject arbitrary SQL via unsanitized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicating unauthenticated network exploitation. TR-CERT rates this critical (9.8) with full confidentiality, integrity, and availability impact, meaning an attacker can read, modify, or destroy backend database contents. No public exploit identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued.
SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.
Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment.
Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments.
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.
SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in the WP EasyCart WordPress e-commerce plugin (all versions up to and including 5.9.0) lets a low-privileged authenticated user with Contributor role inject arbitrary SQL into backend queries. Reported by Patchstack and rated CVSS 8.5, the flaw allows attackers to read sensitive database contents such as customer records, order data, and WordPress user credential hashes. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authenticated SQL injection in the WordPress plugin nicen-localize-image (versions 1.4.9 and earlier) allows users holding the low-privilege Contributor role to inject arbitrary SQL into the WordPress database backend. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond the plugin's own remit, potentially extracting other users' credentials or secrets from the wp_users/wp_options tables. Reported by Patchstack with a CVSS of 8.5; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
SQL injection in the iNET Webkit WordPress plugin (version 1.2.4 and prior) lets authenticated users holding at least the Contributor role inject arbitrary SQL through unsanitized input, exposing the WordPress database. Reported by Patchstack and carrying a CVSS 8.5 (scope-changed) rating, it enables read access to sensitive data such as user credentials and secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in the Custom Field Template WordPress plugin (versions <= 2.7.8) allows a low-privileged authenticated user at the Contributor role to inject arbitrary SQL into backend database queries. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond their own authorization boundary, including other users' credentials and site secrets. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no KEV listing.
SQL injection in the WP Fast Total Search (fulltext-search) WordPress plugin by epsiloncool affects all versions up to and including 1.80.280, letting unauthenticated remote attackers inject arbitrary SQL into backend queries (CWE-89). Because the CVSS vector uses PR:N/UI:N with a scope change, exploitation needs no login or user interaction and can reach data beyond the plugin's own tables. No public exploit was identified at time of analysis; the issue was reported through Patchstack and carries a critical 9.3 base score.
SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries per the CVSS PR:N vector. Reported by Patchstack and rated CVSS 9.3 (critical) with a scope-changed vector, the flaw enables confidentiality-impacting data extraction from the WordPress database without any authentication or user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
SQL injection in the Unicamp WordPress theme (versions 2.2.2 and earlier) by ThemeMove allows an attacker holding a low-privilege Subscriber account to inject arbitrary SQL into backend database queries. Because the CVSS scope is marked changed with high confidentiality impact, a successful attacker can read data beyond their normal authorization boundary, including other users' records and potentially credentials stored in the WordPress database. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.
SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.
SQL injection in the Houzez Property Feed WordPress plugin (versions up to and including 2.5.46) permits authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database by manipulating the `orderby` GET parameter on admin log pages. The root cause is a `$wpdb->prepare()` misuse pattern: user-supplied `$_GET['orderby']` and `$_GET['order']` values are filtered only with `sanitize_text_field()` - which does not neutralize SQL metacharacters - then concatenated directly into the SQL format string before `prepare()` is invoked, meaning prepare() only parameterizes the trailing LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. No public exploit has been identified at time of analysis, and the high privilege requirement (WordPress Administrator) significantly constrains the realistic attacker pool.
SQL injection in the UTT nv518G security gateway (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers inject arbitrary SQL through the gohead/sub_463bbc component, which per the advisory escalates to arbitrary code execution on the device. The flaw is unauthenticated (CVSS 9.8, PR:N) and publicly available exploit code exists via a GitHub write-up, though it is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile), indicating no evidence of widespread automated exploitation yet.
SQL injection in the Wikimedia Foundation's MediaWiki Cargo Extension exposes wiki deployments to unauthenticated database read and write operations across all versions prior to 1.43.9, 1.44.6, and 1.45.4. The Cargo extension's core function - accepting user-supplied query parameters to construct database queries - makes this a structurally sensitive attack surface, as improper neutralization of SQL special elements allows crafted input to escape intended query boundaries. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the PR:N/AC:L/AT:N CVSS 4.0 vector confirms exploitation requires no authentication or special preconditions against default-accessible Cargo query endpoints.
SQL injection in the Wikimedia Foundation's Cargo Extension for MediaWiki exposes all installations running versions prior to 1.43.9, 1.44.6, or 1.45.4 to unauthenticated database manipulation via the Cargo query interface. The flaw stems from improper neutralization of user-controlled input incorporated into SQL statements without adequate parameterization, allowing attackers to read, modify, or partially disrupt data stored in Cargo-managed tables. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 vector confirms low-complexity, network-accessible exploitation requiring no authentication or user interaction.
SQL injection in the Guardian language-system (translate_text.php) lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The CVSS 4.0 vector scores this 9.3 (Critical) with PR:N, and the VulnCheck advisory title labels it unauthenticated, though the CVE description states an authenticated attacker is required - this discrepancy should be verified. Publicly available exploit code exists, but there is no public exploit identified as being actively used in attacks (not in CISA KEV).
SQL injection in Guardian Language-System's designer.php exposes the entire backend database to attackers who supply a crafted 'name' GET parameter, which is concatenated directly into a SELECT query without sanitization (CWE-89). VulnCheck reports this as remotely reachable and publicly available exploit code exists, though no public exploit is confirmed as actively used in the wild (not in CISA KEV). Note a source conflict: the CVE description labels the attacker 'authenticated' while the VulnCheck advisory and CVSS 4.0 vector (PR:N) describe it as unauthenticated.
SQL injection in Guardian Language-System's subtitles.php lets attackers extract arbitrary database contents by tampering with the id GET parameter, which is concatenated directly into a SELECT query without sanitization. The flaw is error-based and rated critical (CVSS 4.0 base 9.3, VC:H/VI:H/VA:H), publicly available exploit code exists (VulnCheck advisory plus a public gist PoC), and there is no public exploit identified as being used in active attacks. Note a source conflict: the CVE description labels the attacker 'authenticated,' but the CVSS vector (PR:N) and VulnCheck's advisory title both describe it as unauthenticated.
SQL injection in Guardian language-system via the 'id' GET parameter in job_info_get.php lets attackers inject arbitrary SQL into a query against the 'jobs' table, enabling error-based extraction of database contents. The CVSS 4.0 vector (AV:N/PR:N) and VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description text describes an 'authenticated attacker' - a discrepancy defenders should verify. Publicly available exploit code exists (VulnCheck/gist PoC), raising the practical risk despite no confirmed active exploitation.
SQL injection in Guardian language-system's text_file.php lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The flaw is a classic error-based SQLi (CWE-89) where user input is concatenated directly into a SELECT statement, and publicly available exploit code exists (reported by VulnCheck). No CISA KEV listing exists, so this represents publicly available exploit code rather than confirmed active exploitation.
Error-based SQL injection in Guardian Language System's media.php allows attackers to extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter (CWE-89). Publicly available exploit code exists (published via a GitHub gist by VulnCheck), and the CVSS 4.0 vector (AV:N/AC:L/PR:N) plus the VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description conversely refers to an 'authenticated attacker' - a discrepancy defenders should verify. No public evidence of active in-the-wild exploitation (not listed in CISA KEV).
Unauthenticated SQL injection in Guardian Language System lets remote attackers manipulate the backend database by injecting into the `id` GET parameter of job_info.php, which is concatenated directly into a SQL query with no sanitization. Because no authentication is required (CVSS 4.0 PR:N) and publicly available exploit code exists, any attacker who can reach the endpoint can extract database version, current user, schema names, and table contents via error-based injection. Reported by VulnCheck with a CVSS of 9.3; no public exploit identified as actively used in the wild (not in CISA KEV).
Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).
SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS signal was not supplied; however, the Wordfence intelligence report and a confirmed upstream fix commit indicate the issue is credibly documented.
SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided in the input.
SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the `wppm_proj_filter` parameter handled by `wppm_view_project_tasks.php`, which lacks both proper SQL escaping and prepared statement usage. Compounding the risk, the `wp_ajax_wppm_view_project_tasks` AJAX handler performs no nonce verification, meaning the vulnerable code path is reachable by any authenticated WordPress session without additional preconditions. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; however, the low privilege bar and straightforward injection vector make this a credible threat against any WordPress site running the affected plugin.
SQL injection in StoneFly Storage Concentrator (SC and SCVM) lets an unauthenticated remote attacker read sensitive database contents by injecting through the cookie value handled by the login.pl and debug.pl CGI scripts. Successful exploitation discloses session tokens, password hashes, and stored secret keys, enabling authentication bypass and broader compromise of the storage appliance. There is no public exploit identified at time of analysis, and the issue is tracked under CISA ICS advisory ICSA-26-181-06.
File path control vulnerability (CWE-73) in IBM App Connect Enterprise and IBM Integration Bus for z/OS enables a remote attacker to socially engineer a victim into triggering unauthorized file creation on the local system. Despite being tagged and described as SQL injection, the governing weakness classification is CWE-73 (External Control of File Name or Path), and the described impact - unexpected local file creation - aligns with that CWE rather than database injection. Affected versions span IBM ACE 12.x and 13.x across wide release ranges, as well as IBM Integration Bus for z/OS 10.1.x. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.
SQL injection in the Apache Gravitino UI exposes server-side files to authenticated malicious users, enabling unauthorized file read and file truncation on the underlying host. Affected versions are listed as 1.0.0 and below, though the advisory contains an apparent inconsistency - the fix is attributed to version 1.0.0 itself, suggesting the actual patched release may be a later point version. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Blind SQL injection in Eksagate SYSGUARD 6001 (versions 2.0.2 up to but not including 6.1.16.0) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input, enabling extraction or manipulation of backend database contents. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) rates it 9.8 Critical with full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued for affected branches.
SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
SQL injection in Redeight CMS 1.0 lets unauthenticated remote attackers extract sensitive database contents by injecting through the 'userEmail' POST parameter of the /admin/index.php login endpoint. Because user input is interpolated directly into SQL without prepared statements, an attacker needs no credentials and no user interaction to read or manipulate backend data, including admin authentication material. The flaw was reported by CERT-PL and carries a CVSS 4.0 base score of 9.3 (Critical); no public exploit identified at time of analysis.
Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis.
SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter parsing pipeline, yielding full compromise of the backing PostgreSQL database and extraction of stored credentials. The CVSS 4.0 base score is 9.3 (critical) with a fully network-reachable, no-privilege, no-interaction vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network-facing nature makes it a high-priority patch candidate.
Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.
SQL injection in SigNoz observability platform (versions through 0.130.1) lets authenticated, low-privileged users inject arbitrary ClickHouse queries through the unsanitized rule ID path parameter of the alert-history endpoints. By URL-encoding quote characters that break out of the interpolated rule ID, an attacker can read every stored trace, log, and metric, and can abuse ClickHouse's url() table function to pivot into server-side request forgery against internal services. This is CWE-89 with a documented SSRF secondary impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in Snowflake CLI versions 1.1.0 through 3.18.x (fixed in 3.19) lets crafted parameter values reach vulnerable command paths and execute unintended SQL within the user's active Snowflake session. An authenticated CLI user who is fed malicious input - via social engineering, a poisoned repository configuration, or compromised automation - can have arbitrary statements run against their session, with impact bounded by that session's privileges. No public exploit identified at time of analysis; EPSS is very low (0.11%, 1st percentile) and the SSVC exploitation status is 'none', so this is a not-yet-exploited but high-technical-impact issue.
Snowflake CLI versions prior to 3.19 permit self-injection SQL execution through improper neutralization of local CLI parameters in Cortex SQL and object listing command paths, where crafted argument values cause the tool to construct and execute unintended SQL within the authenticated user's existing Snowflake session. Exploitation is structurally constrained to self-injection - the attacker must themselves supply the malicious values via local CLI arguments, and impact cannot exceed the privileges already held by the current session context. No public exploit code has been identified and no active exploitation is confirmed; the vendor-assigned CVSS score of 3.6 (Low) accurately reflects the narrow attack surface and bounded impact.
SQL injection in Snowflake CLI versions 1.2.2 through 3.18.x allows an attacker to execute unintended SQL statements within a victim's authenticated Snowflake session by planting crafted repository content, project configuration, manifest, or specification input. When a developer processes that attacker-controlled content through a vulnerable command path, the injected SQL runs with the victim's session privileges, enabling data theft, modification, or destruction up to that user's authorization level. There is no public exploit identified at time of analysis, exploitation is not confirmed in CISA KEV, and EPSS is low at 0.31% (23rd percentile), reflecting the user-interaction requirement.
SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.
SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).
SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by injecting UNION SELECT payloads into the PARAM_0 POST parameter of the Bank Statement report handler (rep601.php). Attackers with valid low-privilege accounts can dump usernames, password hashes, and email addresses from the users table, with results rendered into the generated PDF report. Publicly available exploit code exists and a vendor patch was released in 2.4.20; the flaw is not listed in CISA KEV and no active exploitation is confirmed.
SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. Publicly available exploit code exists (VulnCheck/Jiva Security writeup), but the issue is not in CISA KEV, so it is no public exploit identified as actively exploited.
SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. Publicly available exploit code exists and a vendor patch shipped in 2.4.20, though there is no public exploit identified as actively exploited.
SQL injection in code-projects Real State Services 1.0 exposes the `ID` parameter of `/single-list_sale.php?action=add` to remote, unauthenticated query manipulation, enabling attackers to read or modify database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required to reach the endpoint, and the E:P modifier confirms publicly available exploit code referenced via a GitHub CVE disclosure. No patch has been issued; this is not currently listed in CISA KEV, indicating no confirmed mass exploitation at time of analysis.
Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.
SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin user-management endpoint to remote database manipulation via the unsanitized Name parameter in /admin/mod_users/controller.php?action=add. The CVSS 4.0 vector assigns no privilege requirement (PR:N) and low complexity (AC:L), though the admin-panel path raises a discrepancy worth verifying - the endpoint may be accessible without authentication if the application does not enforce session controls on admin routes. A public proof-of-concept exploit exists (E:P in the CVSS 4.0 supplemental data), elevating immediate risk despite the absence of a CISA KEV listing.
SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin amenities controller to remote database manipulation via the unsanitized amen_id parameter at /admin/mod_amenities/controller.php?action=edit. A publicly available proof-of-concept exploit has been confirmed (CVSS 4.0 E:P modifier; VulDB submission 843569; GitHub issue Hh-176/CVE#3), enabling unauthenticated or low-privileged remote attackers to read, modify, or corrupt hotel management database records. No vendor patch has been identified at time of analysis.
SQL injection in itsourcecode Baptism Information Management System 1.0 exposes database contents to remote unauthenticated attackers via the ID parameter in /editBaptism.php. A publicly available proof-of-concept exploit exists on GitHub, enabling data exfiltration or modification without any credentials or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/E:P) confirms low-complexity remote exploitation with no special conditions required, and no vendor-released patch has been identified.
SQL injection in itsourcecode Baptism Information Management System 1.0 exposes the `/delbaptism.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this requires no authentication or user interaction against any network-accessible instance. A public proof-of-concept exploit exists on GitHub, making this immediately weaponizable against any exposed deployment, though the application is not listed in CISA KEV and its niche footprint substantially limits aggregate exposure.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.
SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.
SQL injection in YzmCMS up to version 7.5 allows network-based attackers to manipulate database queries by supplying crafted input to the siteurl argument within the installation endpoint /application/install/index.php. No authentication is required per the CVSS 4.0 vector (PR:N), though the attack is rated high complexity (AC:H), meaning exploitation is non-trivial despite a publicly available proof-of-concept on GitHub. The vendor did not respond to coordinated disclosure, leaving no official patch available; CVSS 4.0 scores this 6.3 with partial impact across confidentiality, integrity, and availability - no confirmed active exploitation (not in CISA KEV).
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.
SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.
SQL injection in the JoomCCK content-construction-kit extension for Joomla (versions 1.0 through 6.4.0) lets remote attackers read arbitrary database contents by injecting into a front-end controller task that concatenates an unescaped request parameter into two SQL statements. The flaw is reachable over the network without authentication or user interaction, and SSVC rates it automatable with total technical impact; however, there is no public exploit identified at time of analysis and EPSS is low at 0.28% (20th percentile).