Skip to main content

SQLi

15159 CVEs technique

Monthly

CVE-2026-13498 MEDIUM POC This Month

SQL injection in yashpokharna2555's restaurent-management-system exposes the /forgotpassword.php endpoint to unauthenticated remote exploitation via the POST email parameter, allowing attackers to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required, and a public exploit is referenced in GitHub issue #3. The project has no versioning scheme and the maintainer has not responded to the disclosure, meaning no patch is available and all deployed instances remain vulnerable.

SQLi PHP Restaurent Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13497 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the appointment management endpoint to remote database manipulation via the unsanitized `editid` parameter in `/appointment.php`. Authenticated low-privileged users can craft malicious SQL payloads to read, modify, or corrupt appointment and patient records in the underlying database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references); no CISA KEV listing at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13496 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/ajaxmedicine.php` endpoint to database manipulation via the unsanitized `medicineid` parameter, exploitable by any low-privilege authenticated user over the network. A public proof-of-concept has been published on GitHub, materially lowering the barrier to exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of public exploit code, a medical data context, and low attack complexity makes this a credible risk for any organization running this software.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13495 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated administrators to database manipulation via the `loginid` parameter in `/adminprofile.php`. The CVSS 4.0 vector (PR:H) confirms exploitation is constrained to authenticated high-privilege sessions, limiting mass exploitation risk despite network accessibility. A public proof-of-concept exploit has been disclosed on GitHub, lowering the technical barrier for targeted abuse by insiders or credential-compromised actors.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-13488 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13487 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13486 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13485 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13333 MEDIUM This Month

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13331 MEDIUM This Month

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-52785 CRITICAL PATCH Act Now

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user inject SQL through the timestamps parameter used to request historic work-package attributes, affecting all versions prior to 17.3.3 and 17.4.1. Rated CVSS 9.9 with a changed scope, it can expose or alter database contents beyond the user's normal authorization. No public exploit identified at time of analysis; the issue is fixed in 17.3.3 and 17.4.1.

SQLi Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-57667 HIGH This Week

SQL injection in the Groundhogg WordPress CRM/marketing-automation plugin (versions <= 4.5) allows an authenticated low-privileged user holding the Sales Representative role to inject arbitrary SQL into a database query, exposing sensitive data across the WordPress installation. The CVSS 3.1 base score is 8.5 (High) with a scope change, reflecting that compromise of the plugin's data layer reaches beyond its own privilege boundary. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS value supplied in the source data.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57663 HIGH This Week

SQL injection in the Zip Recipes (Recipe Maker For Your Food Blog) WordPress plugin lets an authenticated Contributor-level user inject arbitrary SQL through the plugin in versions 8.2.7 and earlier, exposing the full WordPress database. Reported by Patchstack, the flaw carries a CVSS 3.1 score of 8.5 with a scope change (S:C) reflecting access beyond the plugin's own data. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57662 HIGH This Week

SQL injection in the Contest Gallery WordPress plugin (versions <= 30.0.0) allows an authenticated user with Contributor-level access to inject arbitrary SQL through unsanitized input, exposing the contents of the WordPress database. The flaw was disclosed via Patchstack and carries a CVSS 8.5; no public exploit code has been identified at time of analysis and it is not listed in CISA KEV. The CVSS vector indicates a scope change (S:C), meaning the impact reaches beyond the vulnerable component into the underlying database.

SQLi
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57653 HIGH This Week

SQL injection in the WP Job Portal WordPress plugin (versions 2.5.2 and earlier) lets a low-privileged Contributor-level user inject arbitrary SQL into a backend query, exposing the WordPress database. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H) reflects high confidentiality impact with a scope change, and the issue was reported by Patchstack. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57644 HIGH This Week

SQL injection in the Restaurant Menu by MotoPress WordPress plugin (versions 2.4.10 and earlier) lets users holding Contributor-level accounts inject crafted SQL into backend database queries. Reported by Patchstack and classified as CWE-89, the flaw carries CVSS 8.5 and primarily threatens confidentiality, allowing a low-privileged authenticated user to read arbitrary data from the WordPress database. No public exploit identified at time of analysis, and EPSS/KEV data were not provided in the source intelligence.

SQLi
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57643 HIGH This Week

SQL injection in the WP Post Author WordPress plugin (versions 3.9.1 and earlier) allows authenticated users with Contributor-level access to inject arbitrary SQL into the site database. Because exploitation requires only a low-privilege account (PR:L) over the network with no user interaction, any site that permits self-registration or has untrusted contributors is at material risk of database content disclosure. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but Patchstack-reported WordPress plugin SQLi flaws are commonly weaponized after disclosure.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57642 HIGH This Week

SQL injection in the WordPress 'Gallery' plugin (gallery-plugin) through version 4.7.8 lets authenticated low-privilege users (Contributor role and above) inject crafted SQL via plugin-handled parameters, exposing the WordPress database. Tracked as CVE-2026-57642 (CWE-89) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A Contributor account is required, which limits exploitation to sites that allow self-registration or otherwise provision contributor-level access.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57636 HIGH This Week

SQL injection in the wpForo Forum plugin for WordPress (versions 3.0.9 and earlier) allows users holding low-privileged Contributor accounts to inject arbitrary SQL into backend database queries. Reported by Patchstack, the flaw (CWE-89) carries a CVSS 8.5 and a scope-changing vector, meaning an authenticated forum contributor can read sensitive database contents beyond the plugin's own data. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57631 HIGH This Week

SQL injection in the AYS Popup Box WordPress plugin (versions 6.0.1 and earlier) lets an authenticated administrator inject arbitrary SQL into the WordPress database through an unsanitized plugin parameter (CWE-89). Because exploitation requires existing high-privilege administrator access per the CVSS PR:H metric, this is primarily a data-exposure/privilege-abuse issue rather than a remote-takeover flaw, and no public exploit has been identified at time of analysis. It was reported by Patchstack rather than discovered in active attacks, and is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-57628 HIGH This Week

SQL injection in the WP All Import WordPress plugin (versions 4.0.1 and earlier) allows an authenticated administrator to inject arbitrary SQL into backend database queries, enabling extraction of sensitive data beyond what the plugin UI exposes. The CVSS 3.1 vector (AV:N/AC:L/PR:H) confirms it is network-reachable but requires high privileges, and the original vector's S:C/C:H/A:L rates impact as elevated. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-56070 CRITICAL Act Now

Unauthenticated SQL injection in the WordPress "Advance Product Search" plugin (slug th-advance-product-search) through version 1.4.4 lets remote attackers inject crafted SQL via a search-facing parameter without any login. Because the CVSS vector marks privileges as none (PR:N) and a scope change (S:C), an attacker can reach and read backend database content reachable from the plugin's queries. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the high 9.3 score is driven by the unauthenticated network vector and confidentiality impact rather than any confirmed in-the-wild activity.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-56068 CRITICAL Act Now

SQL injection in the Crocoblock JetEngine WordPress plugin (versions 3.8.10.2 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries (CWE-89), per the CVSS:3.1 vector with PR:N/UI:N. The flaw carries a 9.3 critical score driven by network reachability, no required privileges, and a changed scope exposing the underlying WordPress database. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patching target for any site running this widely deployed dynamic-content plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-56067 CRITICAL Act Now

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (Crocoblock) affects all versions up to and including 3.8.3, letting remote attackers with no authentication inject crafted SQL through plugin filter parameters and read sensitive database contents. The CVSS 9.3 rating reflects network reachability with no privileges or user interaction required; the issue was reported by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-56064 HIGH This Week

SQL injection in the Tourfic WordPress plugin (versions 2.22.5 and earlier) lets authenticated subscriber-level users inject arbitrary SQL through a vulnerable parameter, exposing the WordPress database. Because only a low-privilege account is required and registration is often open on WordPress sites, an attacker can read sensitive data such as user records and credential hashes. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-56062 CRITICAL Act Now

Unauthenticated SQL injection in the Quotes llama WordPress plugin (versions 3.1.5 and earlier) lets remote attackers without credentials inject malicious SQL through plugin input handling, exposing the WordPress database. The CVSS 3.1 base score of 9.3 reflects network reachability with no authentication and a scope change, meaning impact can reach beyond the plugin into the underlying database. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

SQLi
NVD VulDB
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-56036 CRITICAL Act Now

Unauthenticated SQL injection in the WordPress payment plugin 워드프레스 결제 심플페이 (SimplePay / pgall-for-woocommerce) version 5.5.6 and earlier lets remote attackers inject arbitrary SQL against the WooCommerce database without any authentication or user interaction. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N), exploitation is trivial and network-reachable, with high confidentiality impact and a changed scope. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-56034 CRITICAL Act Now

SQL injection in the Library Management System WordPress plugin (versions 3.5.7 and earlier) lets remote, unauthenticated attackers inject arbitrary SQL through an unsanitized input parameter (CWE-89). The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity exploitation with high confidentiality impact, enabling extraction of database contents such as WordPress user records and credential hashes. No public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54831 CRITICAL Act Now

SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.162) allows remote unauthenticated attackers to inject malicious SQL into backend queries, per Patchstack. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) with PR:N indicates exploitation requires no authentication, and the scope-changed, high-confidentiality rating (S:C/C:H) points to database disclosure beyond the plugin's own data. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54827 CRITICAL Act Now

SQL injection in the Real Estate 7 WordPress theme (versions up to and including 3.5.9) lets unauthenticated remote attackers inject malicious SQL through an unsanitized parameter, exposing backend database contents. The CVSS 3.1 base score is 9.3 (S:C/C:H) driven by the scope change and high confidentiality impact, with no authentication or user interaction required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack's vulnerability research program.

SQLi
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54825 CRITICAL Act Now

Unauthenticated SQL injection in the wpDataTables WordPress plugin (versions up to and including 7.4) lets remote attackers inject crafted SQL into database queries without any authentication or user interaction, exposing the WordPress backend database. With a CVSS 9.3 (critical) score and a CWE-89 root cause, the flaw enables extraction of sensitive data such as user credentials and configuration secrets. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54820 CRITICAL Act Now

Unauthenticated SQL injection in the JetBooking WordPress plugin (versions 4.0.4.1 and earlier) lets remote attackers inject crafted SQL into a vulnerable query without any login, exposing the WordPress database. Reported by Patchstack with a CVSS 9.3 (scope-changed, high confidentiality impact), the flaw allows extraction of sensitive data such as user credentials and booking records. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-10835 HIGH POC PATCH This Week

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.

WordPress SQLi Salesmanago Leadoo
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-13226 MEDIUM This Month

SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57588 LOW POC PATCH Monitor

SQL injection in Tenable Nessus's scan result import functionality allows an attacker to craft a malicious scan file that, when imported by a privileged operator, injects SQL into the scan results database and exfiltrates stored scan data. The attack is entirely dependent on social engineering: the threat actor has no direct access to the Nessus instance and must convince a privileged user to import the weaponized file. A proof-of-concept exists per CVSS temporal indicator E:P, and Tenable has issued an official fix under advisory TNS-2026-17. No active exploitation is confirmed in CISA KEV.

SQLi Nessus
NVD Exploit-DB VulDB
CVSS 4.0
1.8
EPSS
0.2%
CVE-2026-57587 LOW PATCH Monitor

SQL injection in Tenable Nessus exposes scan-result databases to exfiltration by any remote unauthenticated attacker who controls the reverse DNS (PTR) records for a host being scanned. When Nessus resolves the hostname of a scanned target via PTR lookup, the returned value is incorporated into a SQL query without adequate sanitization, enabling read-level access to the scan results database. A proof-of-concept is indicated by the CVSS temporal metric (E:P), and Tenable has acknowledged the issue via advisory TNS-2026-17; no public active exploitation (CISA KEV) is confirmed at time of analysis.

SQLi Nessus
NVD VulDB
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-54829 HIGH This Week

Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remote attackers inject crafted SQL into a database query, enabling extraction of sensitive data such as user credentials and WordPress secrets. The flaw, reported by Patchstack, is reachable over the network without authentication (CVSS:3.1 PR:N) but carries high attack complexity (AC:H), and there is no public exploit identified at time of analysis. No EPSS score or CISA KEV listing was provided in the source data.

SQLi Wp Photo Album Plus
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54836 CRITICAL Act Now

SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.

SQLi Ymc Filter
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54849 CRITICAL Act Now

SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.

WordPress SQLi Premmerce Wishlist For Woocommerce
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54843 CRITICAL Act Now

SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.7, allowing remote attackers to inject arbitrary SQL into backend queries without authentication. Per the provided CVSS vector (PR:N), exploitation requires no login, and the high CVSS base score of 9.3 reflects network reachability plus a scope change. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS data supplied, so prioritization rests on the CVSS signal alone.

SQLi Mdtf
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-54838 HIGH This Week

SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wc Vendors Marketplace
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-54822 HIGH This Week

SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Salesmanago Leadoo
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-12937 HIGH This Week

Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

WordPress SQLi Tourfic Ai Powered Travel Booking Hotel Booking Car Rental Wordpress Plugin
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-2508 MEDIUM This Month

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.

WordPress SQLi Gravity Bookings
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12077 HIGH This Week

SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.

WordPress SQLi Dokan Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12079 MEDIUM This Month

Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.

WordPress SQLi Dokan Pro
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-9786 HIGH This Week

Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC message handler, letting attackers run arbitrary code in the NETWORK SERVICE context. While the flaw nominally requires authentication, ZDI reports the product's authentication mechanism can be bypassed, materially lowering the access bar. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but its CVSS 3.0 base score of 8.8 and full-impact (C:H/I:H/A:H) profile mark it as high priority for any exposed deployment.

SQLi RCE Netvault Backup
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9785 HIGH This Week

Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-RPC messages, where a user-supplied string is concatenated into a SQL query without validation. Although the JSON-RPC interface nominally requires authentication, ZDI notes the existing authentication mechanism can be bypassed, so a remote attacker can reach the vulnerable code path and execute arbitrary code in the context of the NETWORK SERVICE account. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9784 HIGH This Week

SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary code as NETWORK SERVICE on affected installations. While exploitation nominally requires authentication (CVSS PR:L), the ZDI advisory states the existing authentication mechanism can be bypassed, effectively lowering the barrier to remote attackers. There is no public exploit identified at time of analysis and no CISA KEV listing, but the issue was coordinated through Trend Micro's Zero Day Initiative (ZDI-CAN-27631 / ZDI-26-373) and carries a CVSS 3.0 base score of 8.8.

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9783 HIGH This Week

SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fails to validate a user-supplied string before constructing SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, effectively lowering the barrier to network-based attackers who can then execute code in the context of the NETWORK SERVICE account. No public exploit identified at time of analysis; the issue was reported privately by Trend Micro's Zero Day Initiative (ZDI-CAN-27632 / ZDI-26-372).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9782 HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler, where a user-supplied string is concatenated into a SQL query without validation (CWE-89). Although the product requires authentication, the existing authentication mechanism can be bypassed, so remote attackers can reach the flaw and execute arbitrary code in the context of the NETWORK SERVICE account. Discovered and reported through Trend Micro's Zero Day Initiative (ZDI-26-371, formerly ZDI-CAN-27633); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

SQLi RCE Netvault Backup
NVD VulDB
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-9781 HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler, where attacker-controlled input is concatenated into SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, so attackers can reach the vulnerable endpoint and execute code in the NETWORK SERVICE context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported privately via Trend Micro's Zero Day Initiative (ZDI-26-370 / ZDI-CAN-27648).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-7570 HIGH This Week

SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NETWORK SERVICE account by sending crafted JSON-RPC messages to the NVBUDashboard component. While the JSON-RPC interface nominally requires authentication, ZDI reports the existing authentication mechanism can be bypassed, effectively lowering the access barrier. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it was responsibly disclosed through Trend Micro's Zero Day Initiative (ZDI-26-368, formerly ZDI-CAN-27809).

SQLi RCE Netvault Backup
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2026-37149 HIGH This Week

SQL injection in the open-source Grocery Store Management System (PHP/MySQL, v1.0 by anirudhkannanvp) lets attackers read arbitrary database contents by injecting a crafted SQL payload through the unsanitized 'scost' parameter of /grocery/search_products.php. The flaw (CWE-89) carries a CVSS of 7.7 and exposes credentials, customer records, and other sensitive data; publicly available exploit code exists in a dedicated GitHub repository, though it is not listed in CISA KEV and its EPSS exploitation probability is low (0.24%, 16th percentile).

SQLi PHP N A
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-56351 npm MEDIUM PATCH This Month

SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.

PostgreSQL SQLi Microsoft N8n
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-71332 npm HIGH This Week

SQL injection in Flowise through 2.2.7 allows authenticated users to execute arbitrary SQL via the importChatflows API by supplying a crafted JSON file whose chatflow.id value is concatenated unsanitized into an IN clause. Successful exploitation enables blind and error-based extraction of stored credentials and tampering with application data. Publicly available exploit code exists in the GHSA advisory, though no active exploitation is confirmed.

SQLi Flowise
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-56052 HIGH This Week

Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS scope change combined with confidentiality impact indicates database contents beyond the plugin context can be exfiltrated one bit at a time via blind techniques.

SQLi Funnel Builder By Funnelkit
NVD VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-8705 HIGH This Week

Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi PHP WordPress Clearsale Total
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-9179 HIGH This Week

SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.

SQLi WordPress Wp Forms Connector
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-54350 npm CRITICAL PATCH GHSA Act Now

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.

SQLi Canonical Docker PostgreSQL Elastic +2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-34914 HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
CVSS 3.0
8.3
EPSS
0.3%
CVE-2026-34915 MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP Adserver
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2026-8163 HIGH POC PATCH This Week

SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. No CISA KEV listing at time of analysis.

SQLi WordPress Infility Global
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-7842 MEDIUM POC PATCH This Month

Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

SQLi WordPress Information Disclosure Infility Global
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2025-61024 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_try_in_loop SQL optimizer component. No public exploit identified at time of analysis, though SSVC indicates a proof-of-concept exists in the referenced GitHub issue. The flaw is tagged as SQLi-class (CWE-89) but the demonstrated impact is availability-only, with no confidentiality or integrity loss per the CVSS vector.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61029 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting specially crafted SQL statements that trigger a flaw in the sqlo_untry query-optimization component. The CVSS 7.5 score reflects unauthenticated network exploitability with high availability impact, but no public exploit identified at time of analysis and the issue is currently tracked only as an upstream GitHub issue without a released fix.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61025 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sslr_qst_get component. The flaw is classified under CWE-89 (SQL injection class) but the documented impact is availability-only with no confidentiality or integrity loss per the CVSS vector. No public exploit identified at time of analysis, and the issue is tracked only via an upstream GitHub issue (#1229) rather than a tagged fixed release.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61027 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database engine by submitting crafted SQL statements that mishandle the internal t_set_push routine. The flaw carries availability-only impact (CVSS 7.5, A:H) with no confidentiality or integrity loss. EPSS is low (0.15%, 4th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV - so risk is theoretical rather than actively exploited.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61021 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_natural_join_cond query-optimizer component. The flaw carries no confidentiality or integrity impact but fully degrades availability (CVSS 7.5, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.15%), indicating limited near-term exploitation likelihood; only a GitHub issue documenting the defect is published.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61028 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that reach the time_t_to_dt date/time conversion routine. The defect is availability-only (no data exposure or integrity loss) and is tracked publicly via GitHub issue #1233; it carries a CVSS 3.1 base score of 7.5 but a low EPSS of 0.15% (4th percentile), and there is no public exploit identified at time of analysis and no evidence of active exploitation.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-52673 MEDIUM This Month

SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component

SQLi RCE N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-61022 HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition v7.2.11 allows remote attackers to crash the database engine by submitting crafted SQL statements that mishandle column predicate processing inside the sqlo_tb_col_preds query optimizer component. CVSS 7.5 reflects high availability impact with no authentication required, though no public exploit identified at time of analysis and the issue is tracked only as an upstream GitHub bug report.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61018 HIGH This Week

An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Denial Of Service N A SQLi
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-61023 HIGH This Week

Denial of service in OpenLink Virtuoso (open-source edition) v7.2.11 allows attackers to crash the database server by submitting crafted SQL statements that mishandle the internal st_compare comparison routine. The flaw affects availability only (CVSS A:H, no confidentiality or integrity impact) and carries a 7.5 base score; EPSS is low (0.15%, 5th percentile) with no public exploit identified at time of analysis and no CISA KEV listing. Despite the CWE-89 (SQL Injection) classification, the reported effect is a service crash rather than data manipulation or extraction.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61019 HIGH This Week

Denial of service in OpenLink Virtuoso Open-Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that mishandle the sqlo_key_part_best query-optimizer routine. The flaw carries no confidentiality or integrity impact (availability-only, CVSS 7.5) and there is no public exploit identified at time of analysis; EPSS is low at 0.15% (4th percentile), and it is not listed in CISA KEV. The only public reference is the upstream GitHub issue (#1222) tracking the crash.

SQLi Denial Of Service N A Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61020 HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote unauthenticated attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_strip_in_join query-optimization component. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects network-reachable, no-auth exploitation with high availability impact and no confidentiality or integrity loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56221 HIGH PATCH This Week

SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.

SQLi Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-44271 HIGH PATCH This Week

Authenticated SQL injection (CWE-89) in Dell Wyse Management Suite (WMS) before version 2605 lets a low-privileged remote user inject crafted SQL into application queries, yielding unauthorized read/write access to the management database with high impact to confidentiality, integrity, and availability. Tracked as EUVD-2026-38345 and disclosed by Dell in advisory DSA-2026-247, it carries CVSS 3.1 8.8 but has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), with CISA SSVC reporting no known exploitation.

SQLi Authentication Bypass Dell Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-44272 HIGH PATCH This Week

SQL injection in Dell Wyse Management Suite (WMS) versions prior to 2605 allows authenticated low-privileged remote attackers to manipulate backend database queries, leading to unauthorized data access and potential integrity or availability impact. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability under low attack complexity, though no public exploit identified at time of analysis. The flaw is tagged with 'Authentication Bypass' implications, suggesting the SQLi could be leveraged to escalate beyond the attacker's initial low-privilege context.

SQLi Authentication Bypass Dell Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-66336 HIGH PATCH This Week

SQL injection in Apache Doris MCP Server versions 0.1.0 through 0.6.0 allows authenticated attackers (or anonymous attackers when authentication is disabled) to inject arbitrary SQL through a database-name parameter in a metadata query path, bypassing the caller's authorization context. Because the query executes without the requester's auth context, attackers can read metadata across databases they should not be able to see. No public exploit identified at time of analysis, and SSVC currently marks exploitation as 'none'.

Apache SQLi Doris Mcp Server
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12789 LOW Monitor

SQL injection in ILIAS Learning Management System 11.0 allows a remote, high-privileged attacker to manipulate database queries via the Learning Progress Tracking component. The `troup_table_nav` argument passed to `ilTrQuery::executeQueries` in `components/ILIAS/Tracking/classes/class.ilTrQuery.php` is incorporated into SQL statements without adequate sanitization, enabling low-impact reads and writes against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, meaning no official patch has been issued.

SQLi PHP Learning Management System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-12776 LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12775 MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-49211 PHP MEDIUM PATCH This Month

Unescaped SQL LIKE wildcards in symfony/ux-autocomplete allow unauthenticated network attackers to turn the autocomplete endpoint into a broad data matcher or blind boolean oracle against all entity columns. Because BaseEntityAutocompleteType defaults to security => false and searchable_fields defaults to all entity properties, versions >= 2.2.0 < 2.36.0 and >= 3.0.0 < 3.1.0 expose potentially sensitive entity data to any caller who sends % or _ as the query parameter. No public exploit has been identified at time of analysis, but the attack requires only standard HTTP tooling; patches are available in 2.36.0 and 3.1.0.

SQLi Information Disclosure Oracle
NVD GitHub
CVE-2019-25761 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Joomcrm
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2019-25759 HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vbizz
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2019-25757 HIGH POC This Week

Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vwishlist
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2019-25756 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vaccount
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25755 HIGH POC This Week

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vreview
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25754 HIGH POC This Week

Joomla Component vRestaurant 1.9.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keysearch. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vrestaurant
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in yashpokharna2555's restaurent-management-system exposes the /forgotpassword.php endpoint to unauthenticated remote exploitation via the POST email parameter, allowing attackers to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required, and a public exploit is referenced in GitHub issue #3. The project has no versioning scheme and the maintainer has not responded to the disclosure, meaning no patch is available and all deployed instances remain vulnerable.

SQLi PHP Restaurent Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the appointment management endpoint to remote database manipulation via the unsanitized `editid` parameter in `/appointment.php`. Authenticated low-privileged users can craft malicious SQL payloads to read, modify, or corrupt appointment and patient records in the underlying database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references); no CISA KEV listing at time of analysis.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/ajaxmedicine.php` endpoint to database manipulation via the unsanitized `medicineid` parameter, exploitable by any low-privilege authenticated user over the network. A public proof-of-concept has been published on GitHub, materially lowering the barrier to exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of public exploit code, a medical data context, and low attack complexity makes this a credible risk for any organization running this software.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated administrators to database manipulation via the `loginid` parameter in `/adminprofile.php`. The CVSS 4.0 vector (PR:H) confirms exploitation is constrained to authenticated high-privilege sessions, limiting mass exploitation risk despite network accessibility. A public proof-of-concept exploit has been disclosed on GitHub, lowering the technical barrier for targeted abuse by insiders or credential-compromised actors.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user inject SQL through the timestamps parameter used to request historic work-package attributes, affecting all versions prior to 17.3.3 and 17.4.1. Rated CVSS 9.9 with a changed scope, it can expose or alter database contents beyond the user's normal authorization. No public exploit identified at time of analysis; the issue is fixed in 17.3.3 and 17.4.1.

SQLi Openproject
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Groundhogg WordPress CRM/marketing-automation plugin (versions <= 4.5) allows an authenticated low-privileged user holding the Sales Representative role to inject arbitrary SQL into a database query, exposing sensitive data across the WordPress installation. The CVSS 3.1 base score is 8.5 (High) with a scope change, reflecting that compromise of the plugin's data layer reaches beyond its own privilege boundary. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS value supplied in the source data.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Zip Recipes (Recipe Maker For Your Food Blog) WordPress plugin lets an authenticated Contributor-level user inject arbitrary SQL through the plugin in versions 8.2.7 and earlier, exposing the full WordPress database. Reported by Patchstack, the flaw carries a CVSS 3.1 score of 8.5 with a scope change (S:C) reflecting access beyond the plugin's own data. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Contest Gallery WordPress plugin (versions <= 30.0.0) allows an authenticated user with Contributor-level access to inject arbitrary SQL through unsanitized input, exposing the contents of the WordPress database. The flaw was disclosed via Patchstack and carries a CVSS 8.5; no public exploit code has been identified at time of analysis and it is not listed in CISA KEV. The CVSS vector indicates a scope change (S:C), meaning the impact reaches beyond the vulnerable component into the underlying database.

SQLi
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WP Job Portal WordPress plugin (versions 2.5.2 and earlier) lets a low-privileged Contributor-level user inject arbitrary SQL into a backend query, exposing the WordPress database. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H) reflects high confidentiality impact with a scope change, and the issue was reported by Patchstack. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Restaurant Menu by MotoPress WordPress plugin (versions 2.4.10 and earlier) lets users holding Contributor-level accounts inject crafted SQL into backend database queries. Reported by Patchstack and classified as CWE-89, the flaw carries CVSS 8.5 and primarily threatens confidentiality, allowing a low-privileged authenticated user to read arbitrary data from the WordPress database. No public exploit identified at time of analysis, and EPSS/KEV data were not provided in the source intelligence.

SQLi
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WP Post Author WordPress plugin (versions 3.9.1 and earlier) allows authenticated users with Contributor-level access to inject arbitrary SQL into the site database. Because exploitation requires only a low-privilege account (PR:L) over the network with no user interaction, any site that permits self-registration or has untrusted contributors is at material risk of database content disclosure. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but Patchstack-reported WordPress plugin SQLi flaws are commonly weaponized after disclosure.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WordPress 'Gallery' plugin (gallery-plugin) through version 4.7.8 lets authenticated low-privilege users (Contributor role and above) inject crafted SQL via plugin-handled parameters, exposing the WordPress database. Tracked as CVE-2026-57642 (CWE-89) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A Contributor account is required, which limits exploitation to sites that allow self-registration or otherwise provision contributor-level access.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the wpForo Forum plugin for WordPress (versions 3.0.9 and earlier) allows users holding low-privileged Contributor accounts to inject arbitrary SQL into backend database queries. Reported by Patchstack, the flaw (CWE-89) carries a CVSS 8.5 and a scope-changing vector, meaning an authenticated forum contributor can read sensitive database contents beyond the plugin's own data. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 7.6
HIGH This Week

SQL injection in the AYS Popup Box WordPress plugin (versions 6.0.1 and earlier) lets an authenticated administrator inject arbitrary SQL into the WordPress database through an unsanitized plugin parameter (CWE-89). Because exploitation requires existing high-privilege administrator access per the CVSS PR:H metric, this is primarily a data-exposure/privilege-abuse issue rather than a remote-takeover flaw, and no public exploit has been identified at time of analysis. It was reported by Patchstack rather than discovered in active attacks, and is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 7.6
HIGH This Week

SQL injection in the WP All Import WordPress plugin (versions 4.0.1 and earlier) allows an authenticated administrator to inject arbitrary SQL into backend database queries, enabling extraction of sensitive data beyond what the plugin UI exposes. The CVSS 3.1 vector (AV:N/AC:L/PR:H) confirms it is network-reachable but requires high privileges, and the original vector's S:C/C:H/A:L rates impact as elevated. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WordPress "Advance Product Search" plugin (slug th-advance-product-search) through version 1.4.4 lets remote attackers inject crafted SQL via a search-facing parameter without any login. Because the CVSS vector marks privileges as none (PR:N) and a scope change (S:C), an attacker can reach and read backend database content reachable from the plugin's queries. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the high 9.3 score is driven by the unauthenticated network vector and confidentiality impact rather than any confirmed in-the-wild activity.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Crocoblock JetEngine WordPress plugin (versions 3.8.10.2 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries (CWE-89), per the CVSS:3.1 vector with PR:N/UI:N. The flaw carries a 9.3 critical score driven by network reachability, no required privileges, and a changed scope exposing the underlying WordPress database. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patching target for any site running this widely deployed dynamic-content plugin.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (Crocoblock) affects all versions up to and including 3.8.3, letting remote attackers with no authentication inject crafted SQL through plugin filter parameters and read sensitive database contents. The CVSS 9.3 rating reflects network reachability with no privileges or user interaction required; the issue was reported by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Tourfic WordPress plugin (versions 2.22.5 and earlier) lets authenticated subscriber-level users inject arbitrary SQL through a vulnerable parameter, exposing the WordPress database. Because only a low-privilege account is required and registration is often open on WordPress sites, an attacker can read sensitive data such as user records and credential hashes. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Quotes llama WordPress plugin (versions 3.1.5 and earlier) lets remote attackers without credentials inject malicious SQL through plugin input handling, exposing the WordPress database. The CVSS 3.1 base score of 9.3 reflects network reachability with no authentication and a scope change, meaning impact can reach beyond the plugin into the underlying database. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

SQLi
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WordPress payment plugin 워드프레스 결제 심플페이 (SimplePay / pgall-for-woocommerce) version 5.5.6 and earlier lets remote attackers inject arbitrary SQL against the WooCommerce database without any authentication or user interaction. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N), exploitation is trivial and network-reachable, with high confidentiality impact and a changed scope. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Library Management System WordPress plugin (versions 3.5.7 and earlier) lets remote, unauthenticated attackers inject arbitrary SQL through an unsanitized input parameter (CWE-89). The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity exploitation with high confidentiality impact, enabling extraction of database contents such as WordPress user records and credential hashes. No public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.162) allows remote unauthenticated attackers to inject malicious SQL into backend queries, per Patchstack. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) with PR:N indicates exploitation requires no authentication, and the scope-changed, high-confidentiality rating (S:C/C:H) points to database disclosure beyond the plugin's own data. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Real Estate 7 WordPress theme (versions up to and including 3.5.9) lets unauthenticated remote attackers inject malicious SQL through an unsanitized parameter, exposing backend database contents. The CVSS 3.1 base score is 9.3 (S:C/C:H) driven by the scope change and high confidentiality impact, with no authentication or user interaction required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack's vulnerability research program.

SQLi
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the wpDataTables WordPress plugin (versions up to and including 7.4) lets remote attackers inject crafted SQL into database queries without any authentication or user interaction, exposing the WordPress backend database. With a CVSS 9.3 (critical) score and a CWE-89 root cause, the flaw enables extraction of sensitive data such as user credentials and configuration secrets. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the JetBooking WordPress plugin (versions 4.0.4.1 and earlier) lets remote attackers inject crafted SQL into a vulnerable query without any login, exposing the WordPress database. Reported by Patchstack with a CVSS 9.3 (scope-changed, high confidentiality impact), the flaw allows extraction of sensitive data such as user credentials and booking records. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.

WordPress SQLi Salesmanago Leadoo
NVD WPScan VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
EPSS 0% CVSS 1.8
LOW POC PATCH Monitor

SQL injection in Tenable Nessus's scan result import functionality allows an attacker to craft a malicious scan file that, when imported by a privileged operator, injects SQL into the scan results database and exfiltrates stored scan data. The attack is entirely dependent on social engineering: the threat actor has no direct access to the Nessus instance and must convince a privileged user to import the weaponized file. A proof-of-concept exists per CVSS temporal indicator E:P, and Tenable has issued an official fix under advisory TNS-2026-17. No active exploitation is confirmed in CISA KEV.

SQLi Nessus
NVD Exploit-DB VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

SQL injection in Tenable Nessus exposes scan-result databases to exfiltration by any remote unauthenticated attacker who controls the reverse DNS (PTR) records for a host being scanned. When Nessus resolves the hostname of a scanned target via PTR lookup, the returned value is incorporated into a SQL query without adequate sanitization, enabling read-level access to the scan results database. A proof-of-concept is indicated by the CVSS temporal metric (E:P), and Tenable has acknowledged the issue via advisory TNS-2026-17; no public active exploitation (CISA KEV) is confirmed at time of analysis.

SQLi Nessus
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remote attackers inject crafted SQL into a database query, enabling extraction of sensitive data such as user credentials and WordPress secrets. The flaw, reported by Patchstack, is reachable over the network without authentication (CVSS:3.1 PR:N) but carries high attack complexity (AC:H), and there is no public exploit identified at time of analysis. No EPSS score or CISA KEV listing was provided in the source data.

SQLi Wp Photo Album Plus
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.

SQLi Ymc Filter
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.

WordPress SQLi Premmerce Wishlist For Woocommerce
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.7, allowing remote attackers to inject arbitrary SQL into backend queries without authentication. Per the provided CVSS vector (PR:N), exploitation requires no login, and the high CVSS base score of 9.3 reflects network reachability plus a scope change. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS data supplied, so prioritization rests on the CVSS signal alone.

SQLi Mdtf
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wc Vendors Marketplace
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WordPress SALESmanago & Leadoo plugin (versions 3.11.2 and earlier) lets authenticated users holding only Subscriber-level privileges inject arbitrary SQL into backend database queries, enabling extraction of sensitive data from the WordPress database. Reported by Patchstack and rated CVSS 8.5, it is dangerous because Subscriber is the lowest authenticated role and is frequently self-registerable on WordPress sites. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Salesmanago Leadoo
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

WordPress SQLi Tourfic Ai Powered Travel Booking Hotel Booking Car Rental Wordpress Plugin
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.

WordPress SQLi Gravity Bookings
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.

WordPress SQLi Dokan Pro
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.

WordPress SQLi Dokan Pro
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Quest NetVault Backup arises through SQL injection in the NVBUDashboard component's JSON-RPC message handler, letting attackers run arbitrary code in the NETWORK SERVICE context. While the flaw nominally requires authentication, ZDI reports the product's authentication mechanism can be bypassed, materially lowering the access bar. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but its CVSS 3.0 base score of 8.8 and full-impact (C:H/I:H/A:H) profile mark it as high priority for any exposed deployment.

SQLi RCE Netvault Backup
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Quest NetVault Backup arises from a SQL injection flaw in the handling of NVBULibrarySlot JSON-RPC messages, where a user-supplied string is concatenated into a SQL query without validation. Although the JSON-RPC interface nominally requires authentication, ZDI notes the existing authentication mechanism can be bypassed, so a remote attacker can reach the vulnerable code path and execute arbitrary code in the context of the NETWORK SERVICE account. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

SQLi RCE Netvault Backup
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SQL injection in Quest NetVault Backup's NVBULibraryPort JSON-RPC handler allows remote attackers to execute arbitrary code as NETWORK SERVICE on affected installations. While exploitation nominally requires authentication (CVSS PR:L), the ZDI advisory states the existing authentication mechanism can be bypassed, effectively lowering the barrier to remote attackers. There is no public exploit identified at time of analysis and no CISA KEV listing, but the issue was coordinated through Trend Micro's Zero Day Initiative (ZDI-CAN-27631 / ZDI-26-373) and carries a CVSS 3.0 base score of 8.8.

SQLi RCE Netvault Backup
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SQL injection leading to remote code execution affects Quest NetVault Backup, where the NVBURemovableMedia component fails to validate a user-supplied string before constructing SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, effectively lowering the barrier to network-based attackers who can then execute code in the context of the NETWORK SERVICE account. No public exploit identified at time of analysis; the issue was reported privately by Trend Micro's Zero Day Initiative (ZDI-CAN-27632 / ZDI-26-372).

SQLi RCE Netvault Backup
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBUDeviceDrive JSON-RPC message handler, where a user-supplied string is concatenated into a SQL query without validation (CWE-89). Although the product requires authentication, the existing authentication mechanism can be bypassed, so remote attackers can reach the flaw and execute arbitrary code in the context of the NETWORK SERVICE account. Discovered and reported through Trend Micro's Zero Day Initiative (ZDI-26-371, formerly ZDI-CAN-27633); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

SQLi RCE Netvault Backup
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Quest NetVault Backup arises from SQL injection in the NVBURASDevice JSON-RPC message handler, where attacker-controlled input is concatenated into SQL queries. Although authentication is nominally required, ZDI notes the existing authentication mechanism can be bypassed, so attackers can reach the vulnerable endpoint and execute code in the NETWORK SERVICE context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported privately via Trend Micro's Zero Day Initiative (ZDI-26-370 / ZDI-CAN-27648).

SQLi RCE Netvault Backup
NVD
EPSS 1% CVSS 8.8
HIGH This Week

SQL injection leading to remote code execution in Quest NetVault Backup allows attackers to run arbitrary code as the NETWORK SERVICE account by sending crafted JSON-RPC messages to the NVBUDashboard component. While the JSON-RPC interface nominally requires authentication, ZDI reports the existing authentication mechanism can be bypassed, effectively lowering the access barrier. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it was responsibly disclosed through Trend Micro's Zero Day Initiative (ZDI-26-368, formerly ZDI-CAN-27809).

SQLi RCE Netvault Backup
NVD
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in the open-source Grocery Store Management System (PHP/MySQL, v1.0 by anirudhkannanvp) lets attackers read arbitrary database contents by injecting a crafted SQL payload through the unsanitized 'scost' parameter of /grocery/search_products.php. The flaw (CWE-89) carries a CVSS of 7.7 and exposes credentials, customer records, and other sensitive data; publicly available exploit code exists in a dedicated GitHub repository, though it is not listed in CISA KEV and its EPSS exploitation probability is low (0.24%, 16th percentile).

SQLi PHP N A
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.

PostgreSQL SQLi Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in Flowise through 2.2.7 allows authenticated users to execute arbitrary SQL via the importChatflows API by supplying a crafted JSON file whose chatflow.id value is concatenated unsanitized into an IN clause. Successful exploitation enables blind and error-based extraction of stored credentials and tampering with application data. Publicly available exploit code exists in the GHSA advisory, though no active exploitation is confirmed.

SQLi Flowise
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in FunnelKit Funnel Builder for WordPress (versions up to and including 3.15.0.5) allows authenticated attackers with high privileges to inject arbitrary SQL queries against the underlying database. The flaw is reported by Patchstack and tracked as CWE-89; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS scope change combined with confidentiality impact indicates database contents beyond the plugin context can be exfiltrated one bit at a time via blind techniques.

SQLi Funnel Builder By Funnelkit
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi PHP WordPress +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.

SQLi WordPress Wp Forms Connector
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.

SQLi Canonical Docker +4
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP +1
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. No CISA KEV listing at time of analysis.

SQLi WordPress Infility Global
NVD WPScan VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

SQLi WordPress Information Disclosure +1
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_try_in_loop SQL optimizer component. No public exploit identified at time of analysis, though SSVC indicates a proof-of-concept exists in the referenced GitHub issue. The flaw is tagged as SQLi-class (CWE-89) but the demonstrated impact is availability-only, with no confidentiality or integrity loss per the CVSS vector.

SQLi Denial Of Service N A +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting specially crafted SQL statements that trigger a flaw in the sqlo_untry query-optimization component. The CVSS 7.5 score reflects unauthenticated network exploitability with high availability impact, but no public exploit identified at time of analysis and the issue is currently tracked only as an upstream GitHub issue without a released fix.

SQLi Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sslr_qst_get component. The flaw is classified under CWE-89 (SQL injection class) but the documented impact is availability-only with no confidentiality or integrity loss per the CVSS vector. No public exploit identified at time of analysis, and the issue is tracked only via an upstream GitHub issue (#1229) rather than a tagged fixed release.

SQLi Denial Of Service N A +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database engine by submitting crafted SQL statements that mishandle the internal t_set_push routine. The flaw carries availability-only impact (CVSS 7.5, A:H) with no confidentiality or integrity loss. EPSS is low (0.15%, 4th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV - so risk is theoretical rather than actively exploited.

SQLi Denial Of Service N A +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_natural_join_cond query-optimizer component. The flaw carries no confidentiality or integrity impact but fully degrades availability (CVSS 7.5, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.15%), indicating limited near-term exploitation likelihood; only a GitHub issue documenting the defect is published.

SQLi Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that reach the time_t_to_dt date/time conversion routine. The defect is availability-only (no data exposure or integrity loss) and is tracked publicly via GitHub issue #1233; it carries a CVSS 3.1 base score of 7.5 but a low EPSS of 0.15% (4th percentile), and there is no public exploit identified at time of analysis and no evidence of active exploitation.

SQLi Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component

SQLi RCE N A
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso Open Source Edition v7.2.11 allows remote attackers to crash the database engine by submitting crafted SQL statements that mishandle column predicate processing inside the sqlo_tb_col_preds query optimizer component. CVSS 7.5 reflects high availability impact with no authentication required, though no public exploit identified at time of analysis and the issue is tracked only as an upstream GitHub bug report.

SQLi Denial Of Service N A +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Denial Of Service N A SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso (open-source edition) v7.2.11 allows attackers to crash the database server by submitting crafted SQL statements that mishandle the internal st_compare comparison routine. The flaw affects availability only (CVSS A:H, no confidentiality or integrity impact) and carries a 7.5 base score; EPSS is low (0.15%, 5th percentile) with no public exploit identified at time of analysis and no CISA KEV listing. Despite the CWE-89 (SQL Injection) classification, the reported effect is a service crash rather than data manipulation or extraction.

SQLi Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso Open-Source Edition 7.2.11 lets attackers crash the database server by submitting crafted SQL statements that mishandle the sqlo_key_part_best query-optimizer routine. The flaw carries no confidentiality or integrity impact (availability-only, CVSS 7.5) and there is no public exploit identified at time of analysis; EPSS is low at 0.15% (4th percentile), and it is not listed in CISA KEV. The only public reference is the upstream GitHub issue (#1222) tracking the crash.

SQLi Denial Of Service N A +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in OpenLink Virtuoso OpenSource v7.2.11 allows remote unauthenticated attackers to crash the database server by submitting crafted SQL statements that trigger a fault in the sqlo_strip_in_join query-optimization component. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects network-reachable, no-auth exploitation with high availability impact and no confidentiality or integrity loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Denial Of Service N A
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.

SQLi Capgo
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated SQL injection (CWE-89) in Dell Wyse Management Suite (WMS) before version 2605 lets a low-privileged remote user inject crafted SQL into application queries, yielding unauthorized read/write access to the management database with high impact to confidentiality, integrity, and availability. Tracked as EUVD-2026-38345 and disclosed by Dell in advisory DSA-2026-247, it carries CVSS 3.1 8.8 but has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), with CISA SSVC reporting no known exploitation.

SQLi Authentication Bypass Dell +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Dell Wyse Management Suite (WMS) versions prior to 2605 allows authenticated low-privileged remote attackers to manipulate backend database queries, leading to unauthorized data access and potential integrity or availability impact. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability under low attack complexity, though no public exploit identified at time of analysis. The flaw is tagged with 'Authentication Bypass' implications, suggesting the SQLi could be leveraged to escalate beyond the attacker's initial low-privilege context.

SQLi Authentication Bypass Dell +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

SQL injection in Apache Doris MCP Server versions 0.1.0 through 0.6.0 allows authenticated attackers (or anonymous attackers when authentication is disabled) to inject arbitrary SQL through a database-name parameter in a metadata query path, bypassing the caller's authorization context. Because the query executes without the requester's auth context, attackers can read metadata across databases they should not be able to see. No public exploit identified at time of analysis, and SSVC currently marks exploitation as 'none'.

Apache SQLi Doris Mcp Server
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in ILIAS Learning Management System 11.0 allows a remote, high-privileged attacker to manipulate database queries via the Learning Progress Tracking component. The `troup_table_nav` argument passed to `ilTrQuery::executeQueries` in `components/ILIAS/Tracking/classes/class.ilTrQuery.php` is incorporated into SQL statements without adequate sanitization, enabling low-impact reads and writes against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, meaning no official patch has been issued.

SQLi PHP Learning Management System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.

SQLi PHP House Rental Management
NVD VulDB GitHub
MEDIUM PATCH This Month

Unescaped SQL LIKE wildcards in symfony/ux-autocomplete allow unauthenticated network attackers to turn the autocomplete endpoint into a broad data matcher or blind boolean oracle against all entity columns. Because BaseEntityAutocompleteType defaults to security => false and searchable_fields defaults to all entity properties, versions >= 2.2.0 < 2.36.0 and >= 3.0.0 < 3.1.0 expose potentially sensitive entity data to any caller who sends % or _ as the query parameter. No public exploit has been identified at time of analysis, but the attack requires only standard HTTP tooling; patches are available in 2.36.0 and 3.1.0.

SQLi Information Disclosure Oracle
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Joomcrm
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vbizz
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vwishlist
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vaccount
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vreview
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Joomla Component vRestaurant 1.9.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keysearch. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vrestaurant
NVD Exploit-DB
Prev Page 4 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy