SQLi

CVE-2025-6611 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/createBrand.php endpoint via the brandStatus parameter. The vulnerability allows unauthenticated remote attackers to manipulate SQL queries, potentially resulting in unauthorized data access, modification, or deletion. Public exploit disclosure and active exploitation risk are confirmed.

A vulnerability was found in itsourcecode Employee Management System up to 1.0. It has been classified as critical. This affects an unknown part of the file /admin/editempprofile.php. The manipulation of the argument FirstName leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in SourceCodester Best Salon Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /panel/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability has been found in SourceCodester Best Salon Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /panel/edit-services.php. The manipulation of the argument editid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

A SQL injection vulnerability in Student Record system Using PHP and MySQL v (CVSS 7.1) that allows a remote attacker. High severity vulnerability requiring prompt remediation.

A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/stock.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability, which was classified as critical, has been found in SourceCodester Best Salon Management System 1.0. This issue affects some unknown processing of the file /panel/add-services.php. The manipulation of the argument Type leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. This vulnerability affects unknown code of the file /panel/edit-staff.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/add-staff.php. The manipulation of the argument Name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-0966 is a SQL injection vulnerability in IBM InfoSphere Information Server 11.7 that allows authenticated remote attackers to execute arbitrary SQL commands against the backend database. An attacker with valid credentials can view, add, modify, or delete sensitive information without administrative privileges. The vulnerability carries a CVSS score of 7.6 (High) and requires low attack complexity, making it a significant risk for organizations using affected versions.

A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /view-appointment.php. The manipulation of the argument viewid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability, which was classified as critical, has been found in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /edit-customer-detailed.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-customer.php. The manipulation of the argument name/email/mobilenum/gender/details/dob/marriage_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-6580 is a critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 affecting the Login component's Username parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing exploitation risk.

CVE-2025-6579 is a critical SQL injection vulnerability in code-projects Car Rental System 1.0 affecting the /message_admin.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available and may be actively exploited in the wild.

CVE-2025-6578 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System version 1.0 affecting the /admin/delete_account.php file through unsanitized admin_id parameter manipulation. An unauthenticated remote attacker can execute arbitrary SQL queries to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk for deployed instances.

ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthenticated remote attackers to execute arbitrary SQL queries, potentially leaking sensitive information or modifying database contents. The CVSS 9.1 score reflects the critical nature (high confidentiality and integrity impact), though availability is not directly affected. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the unauthenticated, network-accessible attack vector makes this a high-priority vulnerability.

A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 4.0. Affected by this issue is some unknown functionality of the file /doctor/search.php. The manipulation of the argument searchdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

A remote code execution vulnerability in OS4Ed Open Source Information System Community (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

CVE-2025-6567 is a critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, specifically in the Recruitment/admin/view_application.php file where the ID parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of recruitment records. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction.

Apache Airflow Providers Snowflake versions before 6.4.0 contain a Special Element Injection vulnerability (CWE-75) in the CopyFromExternalStageToSnowflakeOperator that fails to properly sanitize table and stage parameters, allowing unauthenticated attackers to execute arbitrary SQL injection attacks with complete system compromise (CVSS 9.8). This is a critical remote vulnerability requiring network access only, with no authentication or user interaction needed, making it a high-priority patch regardless of KEV/EPSS status.

CVE-2025-34038 is an unauthenticated SQL injection vulnerability in Weaver E-cology 8.0's getdata.jsp endpoint that allows attackers to execute arbitrary SQL queries by injecting malicious code through the unsanitized 'sql' parameter in the getSelectAllIds() method. The vulnerability affects Weaver E-cology 8.0 and enables attackers to extract sensitive data including administrator password hashes without authentication. Active exploitation has been observed by Shadowserver Foundation as of 2025-02-05, indicating this is a real and present threat in the wild.

A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation of the argument sort/order leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

A SQL injection vulnerability (CVSS 9.8) that allows a remote attacker. Risk factors: public PoC available.

CVE-2025-6503 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/fetchSelectedCategories.php file where the 'categoriesId' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed and proof-of-concept code is available, significantly elevating exploitation risk in production environments.

CVE-2025-6502 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/changePassword.php file where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit details available, increasing immediate risk of active exploitation.

CVE-2025-6501 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/createCategories.php file, where the 'categoriesStatus' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and proof-of-concept availability indicate active threat potential with low barrier to exploitation.

CVE-2025-6500 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/editCategories.php file where the 'editCategoriesName' parameter is inadequately sanitized. An unauthenticated attacker can exploit this remotely to read, modify, or delete database contents, affecting confidentiality, integrity, and availability. Public exploit disclosure and confirmed proof-of-concept availability increase real-world risk significantly.

CVE-2025-6489 is a critical SQL injection vulnerability in itsourcecode Agri-Trading Online Shopping System version 1.0, affecting the /transactionsave.php file through the 'del' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially compromising confidentiality, integrity, and availability of the application database. Public disclosure of this vulnerability exists, and exploitation is feasible without authentication or user interaction.

A vulnerability was found in code-projects Online Shopping Store 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /action.php. The manipulation of the argument cat_id/brand_id/keyword/proId/pid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-6483 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /edituser.php file's ID parameter. An unauthenticated remote attacker can exploit this weakness to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, increasing the likelihood of active exploitation.

CVE-2025-6482 is a SQL injection vulnerability in Simple Pizza Ordering System 1.0 affecting the /edituser-exec.php endpoint via the userid parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands and potentially exfiltrate, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept exploitation available, presenting immediate risk to affected installations. With a CVSS score of 7.3 and network-based attack vector requiring no user interaction, this represents a moderately critical risk requiring urgent patching.

CVE-2025-6481 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System 1.0 affecting the /update.php file's ID parameter, allowing unauthenticated remote attackers to manipulate database queries and potentially extract, modify, or delete sensitive data. The vulnerability has been publicly disclosed with proof-of-concept availability, significantly increasing exploitation risk in production environments. With a CVSS score of 7.3 and low attack complexity, this represents an immediate threat to any organization running the affected version without patches.

A SQL injection vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available.

CVE-2025-6479 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System 1.0 affecting the /salesreport.php file parameter 'dayfrom'. An unauthenticated attacker can remotely execute arbitrary SQL queries with no user interaction required, potentially enabling data exfiltration, modification, or deletion. The vulnerability has been publicly disclosed with exploit proof-of-concept availability, increasing real-world exploitation risk.

CVE-2025-6474 is a critical SQL injection vulnerability in code-projects Inventory Management System version 1.0 affecting the /changeUsername.php file, specifically the user_id parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept availability, making active exploitation likely.

CVE-2025-6472 is a critical SQL injection vulnerability in code-projects Online Bidding System 1.0 affecting the /showprod.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, creating immediate risk for exposed instances.

CVE-2025-6471 is a critical SQL injection vulnerability in code-projects Online Bidding System version 1.0 affecting the /administrator endpoint, where the 'aduser' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available and the vulnerability is actively exploitable with no authentication required.

CVE-2025-6470 is a critical SQL injection vulnerability in code-projects Online Bidding System 1.0, specifically in the /bidlog.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk. With a CVSS score of 7.3 and network-accessible attack vector requiring no authentication, this poses significant risk to confidentiality, integrity, and availability of affected systems.

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

CVE-2025-6468 is a critical SQL injection vulnerability in code-projects Online Bidding System version 1.0 affecting the /bidnow.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete database contents, potentially compromising confidentiality, integrity, and availability of the entire bidding system. The vulnerability has been publicly disclosed with proof-of-concept code available, significantly increasing exploitation risk in active deployments.

CVE-2025-6467 is a critical SQL injection vulnerability in code-projects Online Bidding System version 1.0 affecting the /login.php file's User parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially compromise data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, and while the CVSS score of 7.3 indicates high severity, the attack requires no authentication or user interaction, making it highly exploitable in real-world scenarios.

CVE-2025-6458 is a critical SQL injection vulnerability in code-projects Online Hotel Reservation System version 1.0, affecting the /admin/execedituser.php endpoint. An unauthenticated remote attacker can manipulate the 'userid' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making it actively exploitable in the wild.

CVE-2025-6457 is a critical SQL injection vulnerability in code-projects Online Hotel Reservation System 1.0 affecting the /reservation/demo.php file, where the 'Start' parameter is unsanitized and directly used in database queries. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete sensitive database content including guest information, reservations, and payment data. The vulnerability has been publicly disclosed with exploit code available, though specific EPSS probability and KEV/CISA inclusion status cannot be determined from provided data.

CVE-2025-6456 is a critical SQL injection vulnerability in code-projects Online Hotel Reservation System 1.0, specifically in the /reservation/order.php file's 'Start' parameter. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the hotel reservation database. Public exploit code is available, and the vulnerability is actively exploitable.

CVE-2025-6455 is a SQL injection vulnerability in code-projects Online Hotel Reservation System version 1.0, specifically in the /messageexec.php file where the 'Name' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.

CVE-2025-6451 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System version 1.0, affecting the /admin/delete_pending.php file where the transaction_id parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to data exfiltration, modification, or deletion of the hotel reservation database. Public exploit disclosure and active threat indicators suggest this vulnerability warrants immediate patching.

CVE-2025-6450 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System version 1.0, affecting the /admin/confirm_reserve.php endpoint where the transaction_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the hotel reservation database. Public exploit code is available and the vulnerability meets criteria for active exploitation risk.

CVE-2025-6449 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System v1.0 affecting the /admin/checkout_query.php endpoint. An unauthenticated remote attacker can manipulate the 'transaction_id' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system disruption. The vulnerability has been publicly disclosed with exploits available, and the CVSS 7.3 score reflects high impact across confidentiality, integrity, and availability despite moderate attack complexity.

CVE-2025-6448 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System 1.0 affecting the /admin/delete_room.php endpoint. An unauthenticated remote attacker can manipulate the room_id parameter to execute arbitrary SQL queries, potentially resulting in unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with working exploits available, making active exploitation likely.

CVE-2025-6447 is a critical SQL injection vulnerability in the Simple Online Hotel Reservation System version 1.0, specifically in the /admin/index.php file's Username parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system disruption. The exploit has been publicly disclosed with proof-of-concept code available, significantly increasing the risk of active exploitation.

A critical SQL injection vulnerability exists in code-projects Client Details System version 1.0, specifically in the /clientdetails/admin/index.php file where the Username parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and demonstrates moderate real-world risk despite the critical classification, with a CVSS score of 7.3 indicating concrete but not maximum severity.

A critical SQL injection vulnerability exists in code-projects Simple Online Hotel Reservation System version 1.0, specifically in the /admin/add_account.php file where the 'name' or 'admin_id' parameters are not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the hotel reservation database. Public exploit code is available and the vulnerability is actively being disclosed, increasing exploitation risk in the wild.

A critical SQL injection vulnerability exists in code-projects Simple Online Hotel Reservation System version 1.0, specifically in the /admin/add_room.php file where the 'room_type' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of hotel reservation system data. A proof-of-concept exploit has been publicly disclosed, increasing real-world exploitation risk.

CVE-2025-6419 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_room.php endpoint, where the 'room_type' parameter is improperly sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.3 with public proof-of-concept code available, indicating active exploitation risk and widespread discoverability.

CVE-2025-6418 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_query_account.php endpoint, where the 'Name' parameter is improperly sanitized, allowing remote attackers to execute arbitrary SQL queries without authentication. The vulnerability has been publicly disclosed with exploit code availability, making it a high-priority threat for organizations running this system in production; attackers can manipulate database queries to extract sensitive data, modify records, or potentially escalate privileges.

A vulnerability has been found in PHPGurukul Art Gallery Management System 1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-artist.php. The manipulation of the argument awarddetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability, which was classified as critical, was found in PHPGurukul Art Gallery Management System 1.1. Affected is an unknown function of the file /admin/changeimage4.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability, which was classified as critical, has been found in PHPGurukul Art Gallery Management System 1.1. This issue affects some unknown processing of the file /admin/changeimage3.php. The manipulation of the argument editid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

A vulnerability classified as critical was found in PHPGurukul Art Gallery Management System 1.1. This vulnerability affects unknown code of the file /admin/changeimage2.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

A vulnerability classified as critical has been found in PHPGurukul Art Gallery Management System 1.1. This affects an unknown part of the file /admin/changeimage1.php. The manipulation of the argument editid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/changepropic.php. The manipulation of the argument imageid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been classified as critical. Affected is an unknown function of the file /admin/edit-art-medium-detail.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-6409 is a critical SQL injection vulnerability in PHPGurukul Art Gallery Management System 1.1 affecting the /admin/forgot-password.php endpoint. An unauthenticated remote attacker can manipulate the 'email' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with proof-of-concept availability, making it actively exploitable in the wild.

A critical SQL injection vulnerability exists in Campcodes Online Hospital Management System version 1.0 affecting the /doctor/search.php endpoint via the 'searchdata' parameter. An unauthenticated remote attacker can execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the hospital database. Public exploit disclosure and lack of authentication requirements significantly elevate real-world risk.

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

CVE-2025-6406 is a critical SQL injection vulnerability in Campcodes Online Hospital Management System version 1.0, specifically in the /hms/forgot-password.php endpoint where the 'fullname' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive hospital patient and administrative data. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

CVE-2025-6405 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, affecting the /admin/edit-teacher-detail.php endpoint through an unsanitized 'editid' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of teacher records and sensitive educational data. Public disclosure and proof-of-concept availability indicate active exploitation risk, though CVSS 7.3 reflects moderate actual impact (read/write/availability) rather than complete system compromise.

CVE-2025-6404 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, specifically in the /admin/search.php file's searchdata parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the database. Public disclosure and available proof-of-concept code indicate active exploitation is possible and likely occurring.

CVE-2025-6403 is a critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /student.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of student and payment records. The vulnerability has been publicly disclosed with working exploits available, and while the CVSS score of 7.3 indicates medium-to-high severity, the SQL injection vector combined with public PoC availability presents significant real-world risk for deployed instances.

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

CVE-2025-6363 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /adding-exec.php file where the 'ingname' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. With a CVSS score of 7.3 and network-based attack vector requiring no user interaction, this vulnerability poses significant risk to affected deployments, though real-world exploitation likelihood depends on whether POC code and active exploitation attempts are documented.

CVE-2025-6362 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /editpro.php file where the ID parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has a CVSS score of 7.3 (High) and requires no user interaction or authentication, making it a significant risk for deployments of this application.

CVE-2025-6361 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /adds.php file's userid parameter. An unauthenticated remote attacker can exploit this vulnerability without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the application database. The vulnerability has a CVSS score of 7.3 (High) and represents an immediate risk to any organization running this unpatched system in production.

CVE-2025-6360 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /portal.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

CVE-2025-6359 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /cashconfirm.php file where the 'transactioncode' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

CVE-2025-6358 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /saveorder.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. Public proof-of-concept code is available, increasing the immediate risk of active exploitation.

CVE-2025-6357 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /paymentportal.php file where the 'person' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability with no user interaction required to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing the likelihood of active exploitation.

CVE-2025-6356 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /addmem.php file that allows unauthenticated remote attackers to manipulate database queries. An attacker can exploit this vulnerability to read, modify, or delete sensitive data from the underlying database. The vulnerability has public exploit code available and may be actively exploited in the wild.

CVE-2025-6355 is a critical SQL injection vulnerability in SourceCodester Online Hotel Reservation System version 1.0, specifically in the /admin/execeditroom.php file where the 'userid' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.

CVE-2025-6354 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the customer signup functionality (/function/customer_signup.php). An unauthenticated remote attacker can manipulate the email parameter to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept availability and demonstrates active exploitation potential.

A vulnerability was found in itsourcecode Employee Record Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /editprofile.php. The manipulation of the argument emp1name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

A vulnerability was found in SourceCodester Advance Charity Management System 1.0. It has been classified as critical. This affects an unknown part of the file /members/fundDetails.php. The manipulation of the argument m06 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-52822 is an SQL injection vulnerability in Iqonic Design's WP Roadmap WordPress plugin (versions up to 2.1.3) that allows authenticated attackers to execute arbitrary SQL commands. An attacker with user-level privileges can exploit this via network access without user interaction to read sensitive database contents and cause denial of service. The vulnerability has not been confirmed as actively exploited in the wild, but the high CVSS score (8.5) and low attack complexity indicate this should be treated as a priority for affected WordPress installations.

CVE-2025-52821 is a SQL Injection vulnerability in thanhtungtnt Video List Manager versions up to 1.7 that allows authenticated attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 8.5 with high confidentiality impact and cross-site scope implications, meaning successful exploitation could lead to unauthorized data access and potential lateral movement within affected systems. While the attack requires valid credentials (PR:L), the network accessibility and low attack complexity make this a significant risk for organizations using this plugin.

CVE-2025-46179 is a critical SQL injection vulnerability in CloudClassroom-PHP Project v1.0's askquery.php file, where the 'squeryx' parameter is passed directly into SQL queries without sanitization. This affects all installations of CloudClassroom-PHP v1.0 and allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise including data exfiltration, modification, and denial of service. The vulnerability has a CVSS 9.8 score reflecting its network-based exploitability with no authentication or user interaction required; active exploitation status and POC availability are unknown from the provided data.

CVE-2025-6344 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus.php file's email parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and exploit code availability increase the real-world threat level significantly.

CVE-2025-6343 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_product.php file where the 'pid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the shoe store's database. The exploit has been publicly disclosed with proof-of-concept code available, significantly increasing real-world exploitation risk.