SQLi
Monthly
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.
SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
A time-based SQL injection vulnerability exists in the WP Maps - Store Locator plugin for WordPress through version 4.9.1, allowing unauthenticated attackers to extract sensitive database information via the insufficiently sanitized 'orderby' parameter. With a CVSS score of 7.5 (High), this vulnerability requires no privileges or user interaction and can be exploited remotely over the network. No KEV listing or EPSS data is provided, but the vulnerability has been publicly disclosed by Wordfence with technical details and code references available.
SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.
SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.
SQL injection in vanna-ai vanna versions up to 2.0.2 allows authenticated remote attackers to manipulate the ask function in vanna/legacy/base/base.py, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. The CVSS score of 6.5 reflects moderate severity with high confidentiality impact but no integrity or availability impact, limited to authenticated users with elevated privileges.
SQL injection in the Pre* Party Resource Hints WordPress plugin up to version 1.8.20 allows authenticated users with Subscriber-level permissions or higher to execute arbitrary database queries through the unescaped 'hint_ids' parameter in the pprh_update_hints AJAX action. An attacker can exploit this to extract sensitive information from the WordPress database without user interaction. No patch is currently available for this vulnerability.
The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.
The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.
The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.
SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in Mindinventory MindSQL versions up to 0.2.1 allows authenticated remote attackers to execute arbitrary SQL commands through the ask_db function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. Attackers with valid credentials can manipulate database queries to access, modify, or delete sensitive data.
Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.
Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.
Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.
Kysely, a TypeScript SQL query builder for Node.js, contains a SQL injection vulnerability in its MySQL dialect due to incomplete string escaping in the DefaultQueryCompiler.sanitizeStringLiteral() method. Applications using kysely (npm package) with MySQL that pass user-controlled input to CreateIndexBuilder.where() or CreateViewBuilder.as() methods are vulnerable to SQL injection attacks that can lead to data exfiltration, modification, or authentication bypass. A proof-of-concept exploit is publicly available demonstrating how backslash-escaped single quotes bypass the sanitization logic when NO_BACKSLASH_ESCAPES is disabled (MySQL default).
SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.
An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.
SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.
An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.
SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.
WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.
WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.
SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.
Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.
A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. This is tagged as an SQLi vulnerability and has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.
SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.
Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.
SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.
SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.
A second-order SQL injection vulnerability exists in the Reports module of SuiteCRM, allowing authenticated users with reporting privileges to execute arbitrary SQL queries when viewing reports. The vulnerability affects SuiteCRM versions before 7.15.1 and 8.9.3, enabling attackers to extract sensitive database contents including password hashes, API tokens, and configuration values, with potential for remote code execution on MySQL installations with FILE privileges. While no public exploits or active exploitation have been reported, the vulnerability has a high CVSS score of 8.1 due to the potential for both data theft and system compromise.
An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.
Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.
Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.
A Blind SQL Injection vulnerability exists in the Profile Builder Pro WordPress plugin that allows unauthenticated remote attackers to extract sensitive database information. Cozmoslabs Profile Builder Pro versions through 3.13.9 are affected. The vulnerability has a critical CVSS score of 9.3 due to network-based exploitation requiring no privileges or user interaction, with changed scope enabling attackers to access resources beyond the vulnerable component.
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.
An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.
SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.
Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.
An authenticated SQL injection vulnerability exists in Kanboard project management software prior to version 1.2.51. Authenticated attackers with permission to add users to a project can exploit this vulnerability to dump the entire Kanboard database, potentially exposing sensitive project data, user credentials, and application secrets. The vulnerability is confirmed under active tracking by Debian (2 releases) and Ubuntu (medium priority), with a GitHub Security Advisory published.
A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.
A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS, specifically in the getQuery function's sortDirection parameter, affecting versions prior to 10.1.14. An attacker can inject arbitrary SQL commands through the sortDirection parameter to read, modify, or delete database contents without requiring authentication. The vulnerability is classified as SQL injection (SQLi) and patches are available in version 10.1.14 and later.
SQL injection in GLPI Inventory Plugin versions before 1.6.6 allows authenticated users with sufficient privileges to execute arbitrary SQL queries through unvalidated input in report functionality. An attacker with report access can extract or modify sensitive database information, though code execution is not possible through this vector. A patch is available in version 1.6.6 and later.
An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.
A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.
GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. While the CVSS score of 6.5 reflects moderate severity, the impact is limited to confidentiality breach due to the read-only nature of the exploit and the requirement for prior authentication.
SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.
SQL injection in Simple Food Order System 1.0's /routers/add-item.php endpoint allows unauthenticated remote attackers to manipulate the price parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could lead to unauthorized data access, modification, or deletion.
SQL injection in the Katello plugin for Red Hat Satellite 6 allows authenticated remote attackers to execute arbitrary SQL commands via the sort_by parameter in the /api/hosts/bootc_images endpoint. An attacker can exploit this flaw to trigger database errors causing denial of service or conduct blind SQL injection attacks to extract sensitive information from the database. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit SQL injection in the WowStore plugin for WordPress (versions up to 4.4.3) through the unescaped 'search' parameter to extract sensitive data from the underlying database. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append malicious SQL commands without authentication. No patch is currently available for this high-severity issue affecting all users of the affected plugin versions.
SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows unauthenticated remote attackers to manipulate the areaId parameter in the /rest/devStatus/queryResources endpoint and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Successful exploitation could result in unauthorized data access, modification, or system disruption.
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. No patch has been released despite early vendor notification.
A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.
An authorization bypass vulnerability in SiYuan Note v3.6.0 and earlier allows any authenticated user, including those with read-only 'Reader' role privileges, to execute arbitrary SQL commands through the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. This enables attackers to read, modify, or delete all data in the application's SQLite database, completely bypassing the application's role-based access controls. A detailed proof-of-concept demonstrates how Reader-role users can execute destructive SQL operations including dropping tables.
Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. Version 1.11.36 contains the patch; versions 1.11.35 and earlier remain vulnerable.
Unauthenticated SQL injection in Chamilo LMS versions prior to 1.11.34 enables remote attackers to execute arbitrary database queries through the custom_dates parameter and escalate to full administrative account takeover by exploiting a predictable password reset mechanism. This critical vulnerability exposes the entire database including personally identifiable information and system configurations without requiring any credentials or user interaction. No patch is currently available for affected installations.
SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.
SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.
A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and network-based attack vector requiring no authentication, this represents a severe risk to organizations using affected Unica installations.
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.
SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.
SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.
HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.
SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.
SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print-tags' endpoint that allows authenticated users to inject NoSQL commands via manipulated POST requests. An attacker with valid credentials can exploit this vulnerability to extract sensitive information including pet names and owner names from the backend database. With a CVSS score of 5.3 and low attack complexity, this represents a moderate confidentiality risk requiring prompt remediation despite the requirement for authentication.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.
SQL injection in Tiandy Integrated Management Platform 7.17.0 via the /rest/user/getAuthorityByUserId endpoint allows unauthenticated remote attackers to manipulate the userId parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable unauthorized data access, modification, or system disruption.
SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.
SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.
SQL injection in phpIPAM versions up to 1.7.4 allows authenticated administrators to manipulate the subnetOrdering parameter in the Section Handler component, enabling remote database compromise. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.
SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
A time-based SQL injection vulnerability exists in the WP Maps - Store Locator plugin for WordPress through version 4.9.1, allowing unauthenticated attackers to extract sensitive database information via the insufficiently sanitized 'orderby' parameter. With a CVSS score of 7.5 (High), this vulnerability requires no privileges or user interaction and can be exploited remotely over the network. No KEV listing or EPSS data is provided, but the vulnerability has been publicly disclosed by Wordfence with technical details and code references available.
SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.
SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.
SQL injection in vanna-ai vanna versions up to 2.0.2 allows authenticated remote attackers to manipulate the ask function in vanna/legacy/base/base.py, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. The CVSS score of 6.5 reflects moderate severity with high confidentiality impact but no integrity or availability impact, limited to authenticated users with elevated privileges.
SQL injection in the Pre* Party Resource Hints WordPress plugin up to version 1.8.20 allows authenticated users with Subscriber-level permissions or higher to execute arbitrary database queries through the unescaped 'hint_ids' parameter in the pprh_update_hints AJAX action. An attacker can exploit this to extract sensitive information from the WordPress database without user interaction. No patch is currently available for this vulnerability.
The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.
The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.
The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.
SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in Mindinventory MindSQL versions up to 0.2.1 allows authenticated remote attackers to execute arbitrary SQL commands through the ask_db function. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. Attackers with valid credentials can manipulate database queries to access, modify, or delete sensitive data.
Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. The CVSS score of 7.2 reflects high privileges required (PR:H), though the actual risk is elevated when default secrets remain unchanged in production deployments.
Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.
Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.
Kysely, a TypeScript SQL query builder for Node.js, contains a SQL injection vulnerability in its MySQL dialect due to incomplete string escaping in the DefaultQueryCompiler.sanitizeStringLiteral() method. Applications using kysely (npm package) with MySQL that pass user-controlled input to CreateIndexBuilder.where() or CreateViewBuilder.as() methods are vulnerable to SQL injection attacks that can lead to data exfiltration, modification, or authentication bypass. A proof-of-concept exploit is publicly available demonstrating how backslash-escaped single quotes bypass the sanitization logic when NO_BACKSLASH_ESCAPES is disabled (MySQL default).
SQL injection in PostgreSQL via unsafe backslash handling in Kysely's query compiler allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting backslashes into JSON path string literals that bypass quote escaping. The vulnerability affects systems using the default BACKSLASH_ESCAPES SQL mode, where attackers can break out of sanitized JSON path expressions through specially crafted input. No patch is currently available.
An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.
SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.
An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.
SQL injection in the College Management System 1.0 admin search_student.php endpoint allows authenticated attackers to manipulate the Search parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to potentially extract, modify, or delete sensitive student data. The vulnerability affects PHP-based installations and currently lacks an available patch.
WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.
WeGIA versions 3.6.5 and 3.6.6 contain an unauthenticated SQL injection vulnerability in the loadBackupDB() function that fails to validate SQL content within uploaded backup archives. An attacker can craft a malicious backup file to execute arbitrary SQL statements, including creation of rogue administrator accounts, password modification, or complete database compromise. The vulnerability was introduced in commit 370104c and patched in version 3.6.7; no active exploitation in the wild has been confirmed, but the simplicity of the attack vector and availability of proof-of-concept references via GitHub advisory suggest moderate real-world risk.
SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows remote attackers with high privileges to manipulate the appointment_id parameter in /admin/appointment_action.php, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, though no patch is currently available for PHP-based deployments.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated remote attackers to manipulate the Supplier_Name parameter in /admin/admin_edit_supplier.php, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows authenticated administrators to manipulate the First_Name parameter in /admin/admin_edit_employee.php, enabling remote database compromise. Public exploit code exists for this vulnerability, which requires high-level privileges but carries low complexity for exploitation. The affected system currently lacks an available patch.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high privileges to manipulate the product_name parameter in /admin/admin_edit_menu.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The affected PHP application currently lacks an available patch.
SQL injection in itsourcecode Online Frozen Foods Ordering System 1.0 allows remote attackers with high-level privileges to manipulate the product_name parameter in /admin/admin_edit_menu_action.php, potentially exposing or modifying sensitive database information. Public exploit code for this vulnerability exists, though no patch is currently available.
Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.
A blind SQL injection vulnerability exists in ERPNext, a free and open-source Enterprise Resource Planning system, affecting versions prior to 15.100.0 and beta versions 16.0.0-beta.1 through 16.7.x. The vulnerability allows authenticated attackers with low-level privileges to perform time-based and boolean-based blind SQL injection attacks through insufficiently validated parameters on certain endpoints, enabling them to infer and extract sensitive database information. This is tagged as an SQLi vulnerability and has been assigned EUVD-2026-13547 by ENISA, with patches available in versions 15.100.0 and 16.8.0.
SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.
Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.
SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.
SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.
A second-order SQL injection vulnerability exists in the Reports module of SuiteCRM, allowing authenticated users with reporting privileges to execute arbitrary SQL queries when viewing reports. The vulnerability affects SuiteCRM versions before 7.15.1 and 8.9.3, enabling attackers to extract sensitive database contents including password hashes, API tokens, and configuration values, with potential for remote code execution on MySQL installations with FILE privileges. While no public exploits or active exploitation have been reported, the vulnerability has a high CVSS score of 8.1 due to the potential for both data theft and system compromise.
An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.
Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.
Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.
A Blind SQL Injection vulnerability exists in the Profile Builder Pro WordPress plugin that allows unauthenticated remote attackers to extract sensitive database information. Cozmoslabs Profile Builder Pro versions through 3.13.9 are affected. The vulnerability has a critical CVSS score of 9.3 due to network-based exploitation requiring no privileges or user interaction, with changed scope enabling attackers to access resources beyond the vulnerable component.
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.
An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.
SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.
Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.
An authenticated SQL injection vulnerability exists in Kanboard project management software prior to version 1.2.51. Authenticated attackers with permission to add users to a project can exploit this vulnerability to dump the entire Kanboard database, potentially exposing sensitive project data, user credentials, and application secrets. The vulnerability is confirmed under active tracking by Debian (2 releases) and Ubuntu (medium priority), with a GitHub Security Advisory published.
A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.
A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS, specifically in the getQuery function's sortDirection parameter, affecting versions prior to 10.1.14. An attacker can inject arbitrary SQL commands through the sortDirection parameter to read, modify, or delete database contents without requiring authentication. The vulnerability is classified as SQL injection (SQLi) and patches are available in version 10.1.14 and later.
SQL injection in GLPI Inventory Plugin versions before 1.6.6 allows authenticated users with sufficient privileges to execute arbitrary SQL queries through unvalidated input in report functionality. An attacker with report access can extract or modify sensitive database information, though code execution is not possible through this vector. A patch is available in version 1.6.6 and later.
An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.
A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.
GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. While the CVSS score of 6.5 reflects moderate severity, the impact is limited to confidentiality breach due to the read-only nature of the exploit and the requirement for prior authentication.
SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the `/api/content/aggregate/{model}` endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.
SQL injection in Simple Food Order System 1.0's /routers/add-item.php endpoint allows unauthenticated remote attackers to manipulate the price parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and could lead to unauthorized data access, modification, or deletion.
SQL injection in the Katello plugin for Red Hat Satellite 6 allows authenticated remote attackers to execute arbitrary SQL commands via the sort_by parameter in the /api/hosts/bootc_images endpoint. An attacker can exploit this flaw to trigger database errors causing denial of service or conduct blind SQL injection attacks to extract sensitive information from the database. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit SQL injection in the WowStore plugin for WordPress (versions up to 4.4.3) through the unescaped 'search' parameter to extract sensitive data from the underlying database. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append malicious SQL commands without authentication. No patch is currently available for this high-severity issue affecting all users of the affected plugin versions.
SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows unauthenticated remote attackers to manipulate the areaId parameter in the /rest/devStatus/queryResources endpoint and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Successful exploitation could result in unauthorized data access, modification, or system disruption.
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. No patch has been released despite early vendor notification.
A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.
An authorization bypass vulnerability in SiYuan Note v3.6.0 and earlier allows any authenticated user, including those with read-only 'Reader' role privileges, to execute arbitrary SQL commands through the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. This enables attackers to read, modify, or delete all data in the application's SQLite database, completely bypassing the application's role-based access controls. A detailed proof-of-concept demonstrates how Reader-role users can execute destructive SQL operations including dropping tables.
Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. Version 1.11.36 contains the patch; versions 1.11.35 and earlier remain vulnerable.
Unauthenticated SQL injection in Chamilo LMS versions prior to 1.11.34 enables remote attackers to execute arbitrary database queries through the custom_dates parameter and escalate to full administrative account takeover by exploiting a predictable password reset mechanism. This critical vulnerability exposes the entire database including personally identifiable information and system configurations without requiring any credentials or user interaction. No patch is currently available for affected installations.
SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.
SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.
A Boolean-based SQL injection vulnerability exists in HCL Unica that allows remote attackers to manipulate backend database queries through specially crafted input fields. The vulnerability affects HCL Unica version 25.1.1 and below, enabling unauthenticated attackers to extract sensitive data, modify database contents, or potentially compromise the entire system. With a critical CVSS score of 9.8 and network-based attack vector requiring no authentication, this represents a severe risk to organizations using affected Unica installations.
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.
SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.
SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.
HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.
SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.
SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print-tags' endpoint that allows authenticated users to inject NoSQL commands via manipulated POST requests. An attacker with valid credentials can exploit this vulnerability to extract sensitive information including pet names and owner names from the backend database. With a CVSS score of 5.3 and low attack complexity, this represents a moderate confidentiality risk requiring prompt remediation despite the requirement for authentication.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.
SQL injection in Tiandy Integrated Management Platform 7.17.0 via the /rest/user/getAuthorityByUserId endpoint allows unauthenticated remote attackers to manipulate the userId parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable unauthorized data access, modification, or system disruption.
SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.
SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.
SQL injection in phpIPAM versions up to 1.7.4 allows authenticated administrators to manipulate the subnetOrdering parameter in the Section Handler component, enabling remote database compromise. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.