Skip to main content

SQLi

15160 CVEs technique

Monthly

CVE-2026-52697 HIGH This Week

SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.

SQLi Taskbuilder
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-52693 CRITICAL Act Now

Unauthenticated SQL injection in the implecode eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact, meaning data outside the plugin's database context can be reached. No public exploit identified at time of analysis, though the Patchstack advisory confirms the vendor-tracked vulnerability class.

SQLi Ecommerce Product Catalog
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49776 CRITICAL Act Now

Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.

WordPress SQLi Gptranslate Multilingual Ai Translation For Wordpress
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49067 CRITICAL Act Now

SQL injection in the Advanced 301 and 302 Redirect WordPress plugin (versions <= 1.6.9) allows remote unauthenticated attackers to inject arbitrary SQL queries into the underlying WordPress database. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating attacker-controlled input crosses a trust boundary. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

SQLi Advanced 301 And 302 Redirect
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-48964 HIGH This Week

SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.

WordPress SQLi Elex Wordpress Helpdesk Customer Ticketing System
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48886 CRITICAL Act Now

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw was disclosed via Patchstack and carries a CVSS 9.3 with scope change, meaning successful exploitation can read database contents beyond the plugin's own data. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Js Help Desk
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-48882 HIGH This Week

SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wp Time Slots Booking Form
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48874 HIGH This Week

SQL injection in the GamiPress WordPress plugin versions 7.8.7 and earlier allows authenticated users with subscriber-level privileges to inject arbitrary SQL queries against the WordPress database. The flaw was reported by Patchstack and affects standard installations of the plugin, enabling attackers with the lowest authenticated role to read sensitive database contents and cause limited integrity or availability impact via the scope-changed condition. No public exploit identified at time of analysis.

SQLi Gamipress
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-45439 CRITICAL Act Now

Unauthenticated SQL injection in Realtyna Organic IDX WordPress plugin (versions 5.1.0 and earlier) allows remote attackers to inject arbitrary SQL into backend queries without credentials. The flaw carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the plugin's own data boundary, though no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress sites running this real-estate listing plugin.

SQLi Realtyna Organic Idx Plugin
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-42665 CRITICAL Act Now

Unauthenticated SQL injection in the WP Data Access WordPress plugin (versions <= 5.5.70) allows remote attackers to inject arbitrary SQL through the plugin's interfaces without authentication. The high CVSS 9.3 score reflects a scope change (S:C) that lets the injection reach beyond the vulnerable component, exposing the entire WordPress database to confidentiality compromise. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Wp Data Access
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-42639 CRITICAL Act Now

Unauthenticated SQL injection in the GD Rating System WordPress plugin (versions <= 3.6.2) allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating database tampering can affect resources beyond the plugin itself. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Gd Rating System
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-42386 CRITICAL Act Now

SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but Patchstack tracking and the CWE-89 classification put this in a well-understood, easily weaponizable bug class for WordPress sites.

WordPress SQLi Order Delivery Date For Woocommerce
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-42381 CRITICAL Act Now

SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.

SQLi Funnel Builder By Funnelkit
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-40798 CRITICAL Act Now

Unauthenticated SQL injection in the wpForo Forum WordPress plugin (versions 3.0.4 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changing vector, exploitation can expose data beyond the plugin's own context, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Wpforo Forum
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-40771 CRITICAL Act Now

Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.

SQLi Contest Gallery
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-40766 HIGH This Week

SQL injection in the MasterStudy LMS WordPress plugin (versions 3.7.25 and earlier) allows authenticated users at the Subscriber privilege level to inject crafted SQL into backend database queries, leading to high-impact disclosure of confidential database contents and limited availability degradation. The flaw was reported by Patchstack and carries a scope-changed CVSS 3.1 score of 8.5; no public exploit identified at time of analysis.

SQLi Masterstudy Lms
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-40762 HIGH PATCH This Week

Unauthenticated SQL injection in the WPGraphQL WordPress plugin versions prior to 2.11.1 allows remote attackers to inject SQL through the plugin's GraphQL interface without any credentials. The flaw, tracked by Patchstack and assigned CVSS 7.5 with a scope-change impact, can lead to disclosure of database contents and partial availability impact on affected WordPress sites. No public exploit identified at time of analysis, but the unauthenticated nature and broad install base of WPGraphQL make patching urgent.

SQLi Wpgraphql
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39530 CRITICAL Act Now

Unauthenticated SQL injection in the SpeakOut! Email Petitions WordPress plugin (versions ≤ 4.6.5) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. Reported by Patchstack and tracked as EUVD-2026-36960, the flaw carries a CVSS 3.1 score of 9.3 driven by a changed scope and network-reachable attack surface. No public exploit identified at time of analysis, but the trivial exploitability and WordPress plugin ecosystem make opportunistic mass-scanning likely.

SQLi Speakout Email Petitions
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39519 CRITICAL Act Now

Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Geekybot
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39512 CRITICAL Act Now

Unauthenticated SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.152) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36951; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. Given the WordPress plugin ecosystem's history of rapid weaponization for SQLi flaws, this should be treated as a priority despite the absence of confirmed in-the-wild activity.

SQLi Geodirectory
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39511 CRITICAL Act Now

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).

SQLi Wp Photo Album Plus
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39502 CRITICAL Act Now

Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.

SQLi Form Maker By 10Web
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39493 CRITICAL Act Now

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote attackers to inject crafted SQL through plugin endpoints without authentication. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the vulnerable component, though only confidentiality (High) and availability (Low) are affected per the vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Simply Schedule Appointments
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-39492 CRITICAL Act Now

Unauthenticated SQL injection in the WP Maps WordPress plugin (versions 4.9.1 and earlier, by Flipper Code) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changed vector, successful exploitation can disclose sensitive database contents (users, hashed credentials, secrets) and affect availability. No public exploit identified at time of analysis, but the unauthenticated nature and trivial complexity make weaponization likely once technical details circulate.

SQLi Wp Maps
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-39441 CRITICAL Act Now

Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (versions n/a through 5.3) allows remote attackers to inject crafted SQL statements without prior authentication. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, and no EPSS or KEV signal was provided in the input.

WordPress SQLi Feed Kuantokusta For Woocommerce Free
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-24637 HIGH This Week

SQL injection in the Blubrry PowerPress Podcasting WordPress plugin through version 11.15.10 allows authenticated users with Contributor-level privileges to inject arbitrary SQL into backend queries. The flaw, reported by Patchstack and tracked as EUVD-2026-36910, scores CVSS 8.5 due to scope change reaching the underlying database, but no public exploit identified at time of analysis. Confidentiality impact is high while integrity is unaffected, suggesting data exfiltration rather than tampering is the primary risk.

SQLi Powerpress Podcasting
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48114 CRITICAL PATCH Act Now

Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and execute arbitrary statements against the PostgreSQL backend by sending crafted parameters to the /harvesterRegistration endpoint. The flaw stems from string-concatenated INSERTs in HarvesterRegistration.dbInsert() combined with a missing LDAP identity check, and because the backend permits stacked queries via Statement.executeUpdate() the injection escalates to full database compromise. No public exploit identified at time of analysis, but the CVSS 9.8 vector and trivial trigger via three reachable parameters (unit, contactEmail, documentListURL) make exploitation straightforward once the endpoint is reachable.

PostgreSQL SQLi Metacat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2016-20068 HIGH POC This Week

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2019-25746 HIGH POC This Week

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Sliced Invoices
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2016-20073 HIGH POC Monitor

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Answer My Question
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20072 HIGH POC Monitor

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Information Disclosure Bbs E Franchise
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20071 HIGH POC Monitor

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi 404 Redirection Manager
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20069 HIGH POC This Week

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-12206 LOW POC Monitor

SQL injection in Grit42 Grit through version 0.11.0 allows remote low-privileged attackers to manipulate database queries via the DataTableEntity function in the assays module backend. The CVSS 4.0 vector (AV:N/PR:L/E:P) indicates network-exploitable, low-complexity exploitation by authenticated users with a publicly available proof-of-concept. The vendor was notified but did not respond, leaving no official patch available at time of analysis.

SQLi Grit
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-36670 HIGH This Week

Authenticated SQL injection in OpenSIPS Control Panel (opensips-cp) versions prior to 9.3.3 allows attackers with valid panel credentials to execute arbitrary SQL via the 'table' GET parameter in alias_management.php using time-based blind techniques. The flaw resides in the alias_management module and yields full database confidentiality, integrity, and availability impact per CVSS 8.8. No public exploit identified at time of analysis, and EPSS is low (0.28%, 19th percentile), but a third-party advisory documents the issue on GitHub.

PHP SQLi N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-50890 CRITICAL Act Now

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-39196 CRITICAL Act Now

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-38812 CRITICAL Act Now

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12188 LOW POC Monitor

SQL injection in Grit42 Grit up to version 0.11.0 allows authenticated low-privilege remote attackers to query or manipulate the backend database through a CSV export endpoint handled by the GritEntityController Rails concern. The vulnerable code path resides in shared controller logic at modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb, meaning the injection surface may extend across multiple entity types rather than a single isolated route. A public proof-of-concept exploit exists via a researcher's GitHub repository, no vendor patch has been released, and the vendor was unresponsive to responsible disclosure - leaving deployments without an official remediation path.

SQLi Grit
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12175 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6428 MEDIUM PATCH This Month

SQL injection in Koha's reports/catalogue_out.pl grants authenticated staff with the Reports module flag full read access to the Koha MariaDB database, including borrower password hashes, 2FA secrets, API keys, session tokens, and patron PII. The vulnerability traces to a 2008 commit and was overlooked when CVE-2015-4633 patched the same injection class in sibling files. A working single-request proof-of-concept using EXTRACTVALUE error-based extraction has been publicly disclosed; no CISA KEV listing has been confirmed at time of analysis, but the low exploitation barrier for credentialed staff makes this a high-priority remediation.

SQLi Koha
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-9848 HIGH This Week

SQL injection in the WP Ticket WordPress plugin (versions up to and including 6.0.4) allows unauthenticated remote attackers to inject arbitrary SQL via the WordPress front-end search query parameter `s`, enabling extraction of sensitive database contents. The flaw stems from concatenating the unslashed search term into a UNION sub-SELECT without using `$wpdb->prepare()`. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network attack vector keeps risk meaningful on exposed sites.

WordPress SQLi Customer Support Ticket System Helpdesk
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-12131 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.

PHP SQLi Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-46371 Go MEDIUM PATCH GHSA This Month

Blind SQL injection in Fleet MDM's Apple MDM commands endpoint allows authenticated Observer-role users to exfiltrate sensitive database column values - including host enrollment secrets, node_key, orbit_node_key, and APNS tokens - via a cursor-based binary search oracle. The `GET /api/v1/fleet/mdm/apple/commands` endpoint accepted an unsanitized `order_key` parameter injected directly into an SQL ORDER BY clause without column validation, exposing all columns on the joined `hosts` and `nano_enrollments` tables. Extracted node_key values enable full host impersonation against Fleet's osquery and Orbit endpoints, making the effective impact materially higher than the 6.5 CVSS base score implies. No public exploit has been identified at time of analysis; vendor-released patch is available in Fleet 4.84.2.

Apple SQLi Oracle
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46370 Go MEDIUM PATCH GHSA This Month

{id}/hosts accepts the attacker-controlled order_key parameter without column allowlist validation, enabling character-by-character secret reconstruction without secrets ever appearing in response bodies. No public exploit has been identified at time of analysis and no CISA KEV listing was provided, but the attack is deterministic and scriptable against any Fleet deployment where Observer role is broadly granted.

SQLi Oracle
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41581 MEDIUM PATCH This Month

SQL Injection in the Frappe full-stack web framework's get_blog_list function allows unauthenticated remote attackers to manipulate database queries, leading to limited data read and write access. Frappe versions prior to 15.106.0 (v15 branch) and 16.16.0 (v16 branch) are affected across all deployments that expose the blog module. No public exploit code has been identified and exploitation probability is very low per EPSS (0.02%), though the network-accessible, unauthenticated attack surface warrants prompt patching for internet-facing instances.

SQLi Frappe
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-48613 MEDIUM This Month

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, narrowing the exposed population to a specific upgrade window. No public exploit identified at time of analysis, and EPSS data was not provided.

SQLi Phpbb
NVD VulDB
CVSS 3.0
5.9
EPSS
0.0%
CVE-2026-45060 CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45418 HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure Clipbucket V5
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-39494 CRITICAL Act Now

Blind SQL injection in the WordPress plugin Product Filter by WBW (versions up to and including 3.1.2) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries via crafted filter parameters. The CVSS 9.3 score reflects a scope-changed impact (S:C) where the WordPress database can be queried beyond the plugin's own context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Product Filter By Wbw
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42647 CRITICAL POC Act Now

Blind SQL injection in Beardev JoomSport (WordPress plugin) through version 5.7.7 allows remote unauthenticated attackers to inject crafted SQL into backend database queries. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality exposure and partial availability impact, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue.

SQLi Joomsport
NVD GitHub
CVSS 3.1
9.3
EPSS
5.2%
CVE-2026-46622 HIGH PATCH This Week

Plaintext credential exposure in SolidInvoice open-source invoicing platform prior to 2.3.17 allows any actor with read access to the application database to harvest every user's REST API token directly from the api_tokens table. Because tokens are stored unhashed, secondary exposures such as SQL injection, stolen backups, replicated databases, or insider access become full account-takeover paths against the API. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the patch in 2.3.17 (commit 8645391) introduces HMAC-SHA256 token hashing keyed by SOLIDINVOICE_APP_SECRET.

SQLi Solidinvoice
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11945 HIGH PATCH This Week

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger import of attacker-controlled rules, and no public exploit identified at time of analysis. SSVC marks exploitation as none and not automatable, but technical impact is total once the trigger condition is met.

PostgreSQL SQLi Postgresql Anonymizer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-38581 CRITICAL Act Now

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-53474 MEDIUM This Month

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools .xlsx file whose cluster-name cells are interpolated unsanitized into DuckDB queries, enabling arbitrary file reads on the host. Because the tool runs as a SaaS migration assessment service, leaked Kubernetes service account tokens or other credentials can pivot to full environment compromise. No public exploit identified at time of analysis, but an upstream fix is available via PR #1231.

SQLi Kubernetes Migration Assessment
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-52758 HIGH PATCH This Week

SQL injection in Ghidra's BSim binary-similarity component (versions before 12.1) allows authenticated remote attackers to inject arbitrary SQL via filter types that concatenate user-supplied values directly into PostgreSQL queries. Successful exploitation lets an attacker read, modify, or delete contents of the backing BSim PostgreSQL database used to store function signatures. No public exploit identified at time of analysis, though a vendor security advisory has been published by NSA on GitHub.

PostgreSQL SQLi Ghidra
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-49498 HIGH PATCH This Week

SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users to escalate to PostgreSQL superuser by injecting crafted username strings into ALTER ROLE statements issued by the changePassword() method. Exploitation requires only low-privileged authenticated access to the Ghidra server, and no public exploit has been identified at time of analysis despite a working proof-of-concept being implied by the detailed vendor advisory from VulnCheck and NSA.

PostgreSQL SQLi Ghidra
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-3018 HIGH POC This Week

Unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows remote attackers to extract sensitive database contents via the 'wpmlsubscriber_id' parameter. The flaw stems from insufficient input escaping and lack of prepared statements, and no public exploit identified at time of analysis. The CVSS 7.5 score reflects confidentiality-only impact with no required authentication or user interaction.

SQLi WordPress
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3326 HIGH POC PATCH This Week

Unauthenticated SQL injection in the XStore WordPress theme before 9.7.3 allows remote attackers to inject arbitrary SQL queries through an AJAX action that fails to sanitise and escape a user-supplied parameter. Publicly available exploit code exists per WPScan, and the changed scope (S:C) with high confidentiality impact indicates an attacker can extract sensitive data across security boundaries - including WordPress user records, password hashes, and configuration secrets - without any credentials or user interaction.

SQLi WordPress
NVD WPScan
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-50636 HIGH PATCH This Week

SQL injection in LimeSurvey's RemoteControl API (invite_participants and remind_participants methods) allows an authenticated attacker with tokens/update permission on a survey to execute arbitrary stacked SQL queries against the application database. Because PDO emulated prepared statements are enabled and MySQL multi-statements are not disabled, attackers can read administrator bcrypt hashes via time-based blind techniques or directly overwrite credentials for instant account takeover. No public exploit identified at time of analysis; the upstream fix is published as LimeSurvey PR #5031, which replaces unsafe string concatenation with parameterized addInCondition().

Oracle SQLi
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-8025 CRITICAL Act Now

Remote SQL injection in MOSK Information Technologies CBS Platform (versions through 09062026) allows unauthenticated attackers to inject arbitrary SQL commands over the network without user interaction, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The vendor confirmed to TR-CERT that the product is no longer supported, so no official fix will be issued. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Cbs Platform
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7486 CRITICAL PATCH Act Now

SQL injection in Netcad Software's E-İmar urban planning/permit management platform (versions 2.10.1.0 through 3.0.2) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, but the disclosure by Turkey's national CERT (TR-CERT) indicates coordinated vendor notification.

SQLi E I Mar
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2017-20249 HIGH POC This Week

Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Apptha Slider Gallery
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20247 HIGH POC This Week

WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20246 HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20245 HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20244 HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20243 HIGH POC This Week

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20065 HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20063 HIGH POC Monitor

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Single Personal Message
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2016-20062 HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-49741 PHP HIGH PATCH GHSA This Week

SQL injection and privilege escalation in TYPO3 CMS 14.0.0 through 14.3.3 allow authenticated backend users holding write permissions on the form_definition table to bypass the Form Framework's persistence validation by submitting form configurations directly through DataHandler. Successful exploitation re-opens the attack class originally fixed in TYPO3-CORE-SA-2018-003, enabling injection of arbitrary form configurations that yield SQLi and elevation of privileges. No public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation SQLi
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-10731 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.

SQLi Nemon Trade Energy Nemon Trade Energy Crm
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-44744 MEDIUM This Month

SQL injection in SAP S/4HANA (On-Premise) exposes sensitive ERP database content to authenticated network attackers via a vulnerable remote-enabled function module. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only a low-privilege SAP user account, with high confidentiality impact and no effect on data integrity or system availability. No public exploit or CISA KEV listing has been identified at time of analysis; SAP has issued a security note addressing the issue.

SAP SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47720 npm MEDIUM GHSA This Month

SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in `escapeTdString` (`server/runtime/storage/tdengine/index.js:10`), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the `sids` parameter on `GET /api/daq` or the Socket.IO `DAQ_QUERY` event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.

Authentication Bypass SQLi
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11585 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the backend database to manipulation by authenticated remote attackers via the `classId` parameter in `/attendance-php/Admin/createClassArms.php`. An attacker with low-privilege authenticated access to the admin panel can craft malicious SQL payloads to read, alter, or delete database records - impacting confidentiality, integrity, and availability (C:L/I:L/A:L per CVSS). A public proof-of-concept exploit exists (GitHub issue, VulDB reference), elevating practical risk beyond the moderate CVSS score of 6.3 alone. No CISA KEV listing has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11584 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the /attendance-php/Admin/createClass.php?action=edit endpoint to database manipulation via an unsanitized ID parameter. Authenticated remote attackers with low-privilege access can exploit this to read, modify, or partially disrupt database contents. A public exploit exists (reported via GitHub), though the CVSS 4.0 score of 2.1 reflects constrained real-world impact due to limited scope change and low-severity confidentiality/integrity/availability ratings - no public exploit identified in CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11583 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized `className` parameter in `/attendance-php/Admin/createClass.php`. A publicly available proof-of-concept exploit (CVSS E:P) lowers the barrier to exploitation, though the CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - all confidentiality, integrity, and availability impacts are rated Low with no scope change. No confirmed active exploitation (not in CISA KEV) has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11582 MEDIUM POC This Month

SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter at /attendance-php/index.php to inject arbitrary SQL. Publicly available exploit code exists per VulDB reference, raising the practical risk despite the moderate 7.3 CVSS score. No CISA KEV listing and no EPSS score were supplied, so exploitation appears opportunistic against this small-vendor PHP application rather than mass-targeted.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11559 LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes database records to manipulation via the ID parameter in /view_account.php, allowing a low-privileged authenticated remote attacker to read, alter, or partially disrupt payroll data. A public proof-of-concept exploit is available via GitHub, as reported by VulDB. Despite network accessibility and public PoC, the CVSS 4.0 score of 2.1 reflects constrained impact - limited to the vulnerable component with no lateral scope - and a mandatory low-privilege authentication prerequisite that tempers broad exploitation risk.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11558 LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes payroll data to manipulation by authenticated low-privilege users via unsanitized input in the salary calculation endpoint. The vulnerability affects the `rate` and `salary_rate` parameters of `/home_salary.php`, where attacker-controlled values are passed directly into SQL queries without sanitization. Publicly available exploit code exists per GitHub references, though the vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of only 2.1, reflecting constrained real-world impact due to authentication requirements and limited CIA impact ratings.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11531 MEDIUM POC This Month

SQL injection at the Administrator Login Endpoint of imvks786's student_management_system (PHP) allows unauthenticated remote attackers to manipulate the a_usr and a_pwd parameters in admin/admin_login.php to inject arbitrary SQL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no privileges or user interaction required. A public proof-of-concept exploit has been released via GitHub issue tracker; the project maintainer has not responded to disclosure, and no patch is available at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11530 MEDIUM POC This Month

SQL injection in imvks786 Student Management System (rolling release up to commit 9599b560) allows remote unauthenticated attackers to manipulate the usr and pwd parameters of /index.ph in the Login component to inject arbitrary SQL. Publicly available exploit code exists per VulDB, though the project is on a rolling release with no tagged fix and the maintainer has not responded to the issue report. No CISA KEV listing and no EPSS score is provided, but the trivial network-reachable login vector makes opportunistic scanning likely.

SQLi Student Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11529 LOW POC PATCH Monitor

SQL injection in designcomputer mysql-mcp-server (versions up to 0.2.2) allows authenticated remote attackers to execute arbitrary SQL via a crafted mysql:// URI passed to the read_resource function in server.py. The vulnerability stems from insufficient validation of the table-name segment in mysql://database/<name> URIs before interpolation into MySQL queries. A publicly available proof-of-concept exploit exists (GitHub issue #89); the issue is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis. An official fix was released as v0.3.0 (also backported to v0.2.3).

SQLi Mysql Mcp Server
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11514 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient database records to authenticated remote attackers via the unsanitized `admissiontme` parameter in `/addpatient.php`. A publicly available proof-of-concept (published on GitHub) lowers the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects constrained impact - limited to partial data read/write with no scope change to subsequent systems. No active exploitation has been confirmed (not in CISA KEV), but the healthcare context amplifies regulatory significance even for low-severity data exposure.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11513 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote low-privileged attackers to manipulate backend database queries via the 'Date' parameter in /adminaccount.php. The vulnerability is PHP-based (CWE-89) and publicly exploitable code exists via a GitHub submission linked through VulDB. Despite remote reachability, the CVSS 4.0 score of 2.1 reflects constrained real-world impact: low privileges are required, and the scope is fully contained with only low-level confidentiality, integrity, and availability consequences. No public patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11510 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the application's database to remote authenticated attackers via the `type_of_leave` parameter in `/admin/add_leave.php`. The vulnerability (CWE-89) allows manipulation of backend SQL queries, potentially enabling data extraction, modification, or destruction. A publicly available exploit exists per VulDB report and a referenced GitHub proof-of-concept, elevating practical risk despite the low CVSS 4.0 base score of 2.1.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11509 MEDIUM This Month

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_updation.php. The vulnerability enables read, write, and denial-of-service impact against the underlying database with low complexity and no user interaction required. No public exploit code or active exploitation has been identified at time of analysis.

PHP SQLi
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11508 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11507 LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.

SQLi Taskbuilder
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the implecode eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact, meaning data outside the plugin's database context can be reached. No public exploit identified at time of analysis, though the Patchstack advisory confirms the vendor-tracked vulnerability class.

SQLi Ecommerce Product Catalog
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.

WordPress SQLi Gptranslate Multilingual Ai Translation For Wordpress
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Advanced 301 and 302 Redirect WordPress plugin (versions <= 1.6.9) allows remote unauthenticated attackers to inject arbitrary SQL queries into the underlying WordPress database. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating attacker-controlled input crosses a trust boundary. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

SQLi Advanced 301 And 302 Redirect
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.

WordPress SQLi Elex Wordpress Helpdesk Customer Ticketing System
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw was disclosed via Patchstack and carries a CVSS 9.3 with scope change, meaning successful exploitation can read database contents beyond the plugin's own data. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Js Help Desk
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wp Time Slots Booking Form
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the GamiPress WordPress plugin versions 7.8.7 and earlier allows authenticated users with subscriber-level privileges to inject arbitrary SQL queries against the WordPress database. The flaw was reported by Patchstack and affects standard installations of the plugin, enabling attackers with the lowest authenticated role to read sensitive database contents and cause limited integrity or availability impact via the scope-changed condition. No public exploit identified at time of analysis.

SQLi Gamipress
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in Realtyna Organic IDX WordPress plugin (versions 5.1.0 and earlier) allows remote attackers to inject arbitrary SQL into backend queries without credentials. The flaw carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the plugin's own data boundary, though no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress sites running this real-estate listing plugin.

SQLi Realtyna Organic Idx Plugin
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WP Data Access WordPress plugin (versions <= 5.5.70) allows remote attackers to inject arbitrary SQL through the plugin's interfaces without authentication. The high CVSS 9.3 score reflects a scope change (S:C) that lets the injection reach beyond the vulnerable component, exposing the entire WordPress database to confidentiality compromise. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Wp Data Access
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the GD Rating System WordPress plugin (versions <= 3.6.2) allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating database tampering can affect resources beyond the plugin itself. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Gd Rating System
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but Patchstack tracking and the CWE-89 classification put this in a well-understood, easily weaponizable bug class for WordPress sites.

WordPress SQLi Order Delivery Date For Woocommerce
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.

SQLi Funnel Builder By Funnelkit
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the wpForo Forum WordPress plugin (versions 3.0.4 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changing vector, exploitation can expose data beyond the plugin's own context, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Wpforo Forum
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.

SQLi Contest Gallery
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the MasterStudy LMS WordPress plugin (versions 3.7.25 and earlier) allows authenticated users at the Subscriber privilege level to inject crafted SQL into backend database queries, leading to high-impact disclosure of confidential database contents and limited availability degradation. The flaw was reported by Patchstack and carries a scope-changed CVSS 3.1 score of 8.5; no public exploit identified at time of analysis.

SQLi Masterstudy Lms
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated SQL injection in the WPGraphQL WordPress plugin versions prior to 2.11.1 allows remote attackers to inject SQL through the plugin's GraphQL interface without any credentials. The flaw, tracked by Patchstack and assigned CVSS 7.5 with a scope-change impact, can lead to disclosure of database contents and partial availability impact on affected WordPress sites. No public exploit identified at time of analysis, but the unauthenticated nature and broad install base of WPGraphQL make patching urgent.

SQLi Wpgraphql
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the SpeakOut! Email Petitions WordPress plugin (versions ≤ 4.6.5) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. Reported by Patchstack and tracked as EUVD-2026-36960, the flaw carries a CVSS 3.1 score of 9.3 driven by a changed scope and network-reachable attack surface. No public exploit identified at time of analysis, but the trivial exploitability and WordPress plugin ecosystem make opportunistic mass-scanning likely.

SQLi Speakout Email Petitions
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Geekybot
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.152) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36951; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. Given the WordPress plugin ecosystem's history of rapid weaponization for SQLi flaws, this should be treated as a priority despite the absence of confirmed in-the-wild activity.

SQLi Geodirectory
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).

SQLi Wp Photo Album Plus
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.

SQLi Form Maker By 10Web
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote attackers to inject crafted SQL through plugin endpoints without authentication. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the vulnerable component, though only confidentiality (High) and availability (Low) are affected per the vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Simply Schedule Appointments
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WP Maps WordPress plugin (versions 4.9.1 and earlier, by Flipper Code) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changed vector, successful exploitation can disclose sensitive database contents (users, hashed credentials, secrets) and affect availability. No public exploit identified at time of analysis, but the unauthenticated nature and trivial complexity make weaponization likely once technical details circulate.

SQLi Wp Maps
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (versions n/a through 5.3) allows remote attackers to inject crafted SQL statements without prior authentication. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, and no EPSS or KEV signal was provided in the input.

WordPress SQLi Feed Kuantokusta For Woocommerce Free
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the Blubrry PowerPress Podcasting WordPress plugin through version 11.15.10 allows authenticated users with Contributor-level privileges to inject arbitrary SQL into backend queries. The flaw, reported by Patchstack and tracked as EUVD-2026-36910, scores CVSS 8.5 due to scope change reaching the underlying database, but no public exploit identified at time of analysis. Confidentiality impact is high while integrity is unaffected, suggesting data exfiltration rather than tampering is the primary risk.

SQLi Powerpress Podcasting
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and execute arbitrary statements against the PostgreSQL backend by sending crafted parameters to the /harvesterRegistration endpoint. The flaw stems from string-concatenated INSERTs in HarvesterRegistration.dbInsert() combined with a missing LDAP identity check, and because the backend permits stacked queries via Statement.executeUpdate() the injection escalates to full database compromise. No public exploit identified at time of analysis, but the CVSS 9.8 vector and trivial trigger via three reachable parameters (unit, contactEmail, documentListURL) make exploitation straightforward once the endpoint is reachable.

PostgreSQL SQLi Metacat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Information Disclosure +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi 404 Redirection Manager
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Grit42 Grit through version 0.11.0 allows remote low-privileged attackers to manipulate database queries via the DataTableEntity function in the assays module backend. The CVSS 4.0 vector (AV:N/PR:L/E:P) indicates network-exploitable, low-complexity exploitation by authenticated users with a publicly available proof-of-concept. The vendor was notified but did not respond, leaving no official patch available at time of analysis.

SQLi Grit
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in OpenSIPS Control Panel (opensips-cp) versions prior to 9.3.3 allows attackers with valid panel credentials to execute arbitrary SQL via the 'table' GET parameter in alias_management.php using time-based blind techniques. The flaw resides in the alias_management module and yields full database confidentiality, integrity, and availability impact per CVSS 8.8. No public exploit identified at time of analysis, and EPSS is low (0.28%, 19th percentile), but a third-party advisory documents the issue on GitHub.

PHP SQLi N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

SQLi N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.

SQLi N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.

SQLi N A
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Grit42 Grit up to version 0.11.0 allows authenticated low-privilege remote attackers to query or manipulate the backend database through a CSV export endpoint handled by the GritEntityController Rails concern. The vulnerable code path resides in shared controller logic at modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb, meaning the injection surface may extend across multiple entity types rather than a single isolated route. A public proof-of-concept exploit exists via a researcher's GitHub repository, no vendor patch has been released, and the vendor was unresponsive to responsible disclosure - leaving deployments without an official remediation path.

SQLi Grit
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

SQL injection in Koha's reports/catalogue_out.pl grants authenticated staff with the Reports module flag full read access to the Koha MariaDB database, including borrower password hashes, 2FA secrets, API keys, session tokens, and patron PII. The vulnerability traces to a 2008 commit and was overlooked when CVE-2015-4633 patched the same injection class in sibling files. A working single-request proof-of-concept using EXTRACTVALUE error-based extraction has been publicly disclosed; no CISA KEV listing has been confirmed at time of analysis, but the low exploitation barrier for credentialed staff makes this a high-priority remediation.

SQLi Koha
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the WP Ticket WordPress plugin (versions up to and including 6.0.4) allows unauthenticated remote attackers to inject arbitrary SQL via the WordPress front-end search query parameter `s`, enabling extraction of sensitive database contents. The flaw stems from concatenating the unslashed search term into a UNION sub-SELECT without using `$wpdb->prepare()`. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network attack vector keeps risk meaningful on exposed sites.

WordPress SQLi Customer Support Ticket System Helpdesk
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.

PHP SQLi Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Blind SQL injection in Fleet MDM's Apple MDM commands endpoint allows authenticated Observer-role users to exfiltrate sensitive database column values - including host enrollment secrets, node_key, orbit_node_key, and APNS tokens - via a cursor-based binary search oracle. The `GET /api/v1/fleet/mdm/apple/commands` endpoint accepted an unsanitized `order_key` parameter injected directly into an SQL ORDER BY clause without column validation, exposing all columns on the joined `hosts` and `nano_enrollments` tables. Extracted node_key values enable full host impersonation against Fleet's osquery and Orbit endpoints, making the effective impact materially higher than the 6.5 CVSS base score implies. No public exploit has been identified at time of analysis; vendor-released patch is available in Fleet 4.84.2.

Apple SQLi Oracle
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{id}/hosts accepts the attacker-controlled order_key parameter without column allowlist validation, enabling character-by-character secret reconstruction without secrets ever appearing in response bodies. No public exploit has been identified at time of analysis and no CISA KEV listing was provided, but the attack is deterministic and scriptable against any Fleet deployment where Observer role is broadly granted.

SQLi Oracle
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL Injection in the Frappe full-stack web framework's get_blog_list function allows unauthenticated remote attackers to manipulate database queries, leading to limited data read and write access. Frappe versions prior to 15.106.0 (v15 branch) and 16.16.0 (v16 branch) are affected across all deployments that expose the blog module. No public exploit code has been identified and exploitation probability is very low per EPSS (0.02%), though the network-accessible, unauthenticated attack surface warrants prompt patching for internet-facing instances.

SQLi Frappe
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

SQL injection in phpBB forum software allows authenticated users to execute arbitrary SQL queries through a flawed profile field migration routine. Only forums that were upgraded from a pre-3.3.8 release and have not yet reached 3.3.11 are affected, narrowing the exposed population to a specific upgrade window. No public exploit identified at time of analysis, and EPSS data was not provided.

SQLi Phpbb
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated blind SQL injection in ClipBucket v5 prior to version 5.5.3 - #129 allows remote attackers to exfiltrate arbitrary database contents via the ids parameter of the actions/progress_video.php endpoint. The flaw carries a critical CVSS 9.8 score and no public exploit identified at time of analysis, but the trivial network-reachable attack surface on a public-facing video sharing platform makes opportunistic scanning likely. Vendor patch is available in 5.5.3 - #129 per the GHSA advisory.

PHP SQLi Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in ClipBucket v5 prior to release 5.5.3 - #132 allows any user with video-upload privileges to exfiltrate database contents via the POST /actions/subtitle_edit.php endpoint. The vulnerable 'number' parameter handling enables boolean-based blind SQLi, and no public exploit is identified at time of analysis though the GitHub Security Advisory (GHSA-q233-m544-6jqr) documents the issue in detail.

PHP SQLi Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the WordPress plugin Product Filter by WBW (versions up to and including 3.1.2) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries via crafted filter parameters. The CVSS 9.3 score reflects a scope-changed impact (S:C) where the WordPress database can be queried beyond the plugin's own context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Product Filter By Wbw
NVD
EPSS 5% CVSS 9.3
CRITICAL POC Act Now

Blind SQL injection in Beardev JoomSport (WordPress plugin) through version 5.7.7 allows remote unauthenticated attackers to inject crafted SQL into backend database queries. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality exposure and partial availability impact, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue.

SQLi Joomsport
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Plaintext credential exposure in SolidInvoice open-source invoicing platform prior to 2.3.17 allows any actor with read access to the application database to harvest every user's REST API token directly from the api_tokens table. Because tokens are stored unhashed, secondary exposures such as SQL injection, stolen backups, replicated databases, or insider access become full account-takeover paths against the API. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the patch in 2.3.17 (commit 8645391) introduces HMAC-SHA256 token hashing keyed by SOLIDINVOICE_APP_SECRET.

SQLi Solidinvoice
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger import of attacker-controlled rules, and no public exploit identified at time of analysis. SSVC marks exploitation as none and not automatable, but technical impact is total once the trigger condition is met.

PostgreSQL SQLi Postgresql Anonymizer
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools .xlsx file whose cluster-name cells are interpolated unsanitized into DuckDB queries, enabling arbitrary file reads on the host. Because the tool runs as a SaaS migration assessment service, leaked Kubernetes service account tokens or other credentials can pivot to full environment compromise. No public exploit identified at time of analysis, but an upstream fix is available via PR #1231.

SQLi Kubernetes Migration Assessment
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Ghidra's BSim binary-similarity component (versions before 12.1) allows authenticated remote attackers to inject arbitrary SQL via filter types that concatenate user-supplied values directly into PostgreSQL queries. Successful exploitation lets an attacker read, modify, or delete contents of the backing BSim PostgreSQL database used to store function signatures. No public exploit identified at time of analysis, though a vendor security advisory has been published by NSA on GitHub.

PostgreSQL SQLi Ghidra
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users to escalate to PostgreSQL superuser by injecting crafted username strings into ALTER ROLE statements issued by the changePassword() method. Exploitation requires only low-privileged authenticated access to the Ghidra server, and no public exploit has been identified at time of analysis despite a working proof-of-concept being implied by the detailed vendor advisory from VulnCheck and NSA.

PostgreSQL SQLi Ghidra
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows remote attackers to extract sensitive database contents via the 'wpmlsubscriber_id' parameter. The flaw stems from insufficient input escaping and lack of prepared statements, and no public exploit identified at time of analysis. The CVSS 7.5 score reflects confidentiality-only impact with no required authentication or user interaction.

SQLi WordPress
NVD VulDB GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Unauthenticated SQL injection in the XStore WordPress theme before 9.7.3 allows remote attackers to inject arbitrary SQL queries through an AJAX action that fails to sanitise and escape a user-supplied parameter. Publicly available exploit code exists per WPScan, and the changed scope (S:C) with high confidentiality impact indicates an attacker can extract sensitive data across security boundaries - including WordPress user records, password hashes, and configuration secrets - without any credentials or user interaction.

SQLi WordPress
NVD WPScan
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in LimeSurvey's RemoteControl API (invite_participants and remind_participants methods) allows an authenticated attacker with tokens/update permission on a survey to execute arbitrary stacked SQL queries against the application database. Because PDO emulated prepared statements are enabled and MySQL multi-statements are not disabled, attackers can read administrator bcrypt hashes via time-based blind techniques or directly overwrite credentials for instant account takeover. No public exploit identified at time of analysis; the upstream fix is published as LimeSurvey PR #5031, which replaces unsafe string concatenation with parameterized addInCondition().

Oracle SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote SQL injection in MOSK Information Technologies CBS Platform (versions through 09062026) allows unauthenticated attackers to inject arbitrary SQL commands over the network without user interaction, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The vendor confirmed to TR-CERT that the product is no longer supported, so no official fix will be issued. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Cbs Platform
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Netcad Software's E-İmar urban planning/permit management platform (versions 2.10.1.0 through 3.0.2) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, but the disclosure by Turkey's national CERT (TR-CERT) indicates coordinated vendor notification.

SQLi E I Mar
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Apptha Slider Gallery
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC Monitor

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Single Personal Message
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection and privilege escalation in TYPO3 CMS 14.0.0 through 14.3.3 allow authenticated backend users holding write permissions on the form_definition table to bypass the Form Framework's persistence validation by submitting form configurations directly through DataHandler. Successful exploitation re-opens the attack class originally fixed in TYPO3-CORE-SA-2018-003, enabling injection of arbitrary form configurations that yield SQLi and elevation of privileges. No public exploit identified at time of analysis; not listed in CISA KEV.

Privilege Escalation SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.

SQLi Nemon Trade Energy Nemon Trade Energy Crm
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in SAP S/4HANA (On-Premise) exposes sensitive ERP database content to authenticated network attackers via a vulnerable remote-enabled function module. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only a low-privilege SAP user account, with high confidentiality impact and no effect on data integrity or system availability. No public exploit or CISA KEV listing has been identified at time of analysis; SAP has issued a security note addressing the issue.

SAP SQLi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in `escapeTdString` (`server/runtime/storage/tdengine/index.js:10`), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the `sids` parameter on `GET /api/daq` or the Socket.IO `DAQ_QUERY` event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.

Authentication Bypass SQLi
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the backend database to manipulation by authenticated remote attackers via the `classId` parameter in `/attendance-php/Admin/createClassArms.php`. An attacker with low-privilege authenticated access to the admin panel can craft malicious SQL payloads to read, alter, or delete database records - impacting confidentiality, integrity, and availability (C:L/I:L/A:L per CVSS). A public proof-of-concept exploit exists (GitHub issue, VulDB reference), elevating practical risk beyond the moderate CVSS score of 6.3 alone. No CISA KEV listing has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the /attendance-php/Admin/createClass.php?action=edit endpoint to database manipulation via an unsanitized ID parameter. Authenticated remote attackers with low-privilege access can exploit this to read, modify, or partially disrupt database contents. A public exploit exists (reported via GitHub), though the CVSS 4.0 score of 2.1 reflects constrained real-world impact due to limited scope change and low-severity confidentiality/integrity/availability ratings - no public exploit identified in CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized `className` parameter in `/attendance-php/Admin/createClass.php`. A publicly available proof-of-concept exploit (CVSS E:P) lowers the barrier to exploitation, though the CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - all confidentiality, integrity, and availability impacts are rated Low with no scope change. No confirmed active exploitation (not in CISA KEV) has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter at /attendance-php/index.php to inject arbitrary SQL. Publicly available exploit code exists per VulDB reference, raising the practical risk despite the moderate 7.3 CVSS score. No CISA KEV listing and no EPSS score were supplied, so exploitation appears opportunistic against this small-vendor PHP application rather than mass-targeted.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes database records to manipulation via the ID parameter in /view_account.php, allowing a low-privileged authenticated remote attacker to read, alter, or partially disrupt payroll data. A public proof-of-concept exploit is available via GitHub, as reported by VulDB. Despite network accessibility and public PoC, the CVSS 4.0 score of 2.1 reflects constrained impact - limited to the vulnerable component with no lateral scope - and a mandatory low-privilege authentication prerequisite that tempers broad exploitation risk.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Payroll System 1.0 exposes payroll data to manipulation by authenticated low-privilege users via unsanitized input in the salary calculation endpoint. The vulnerability affects the `rate` and `salary_rate` parameters of `/home_salary.php`, where attacker-controlled values are passed directly into SQL queries without sanitization. Publicly available exploit code exists per GitHub references, though the vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of only 2.1, reflecting constrained real-world impact due to authentication requirements and limited CIA impact ratings.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection at the Administrator Login Endpoint of imvks786's student_management_system (PHP) allows unauthenticated remote attackers to manipulate the a_usr and a_pwd parameters in admin/admin_login.php to inject arbitrary SQL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no privileges or user interaction required. A public proof-of-concept exploit has been released via GitHub issue tracker; the project maintainer has not responded to disclosure, and no patch is available at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in imvks786 Student Management System (rolling release up to commit 9599b560) allows remote unauthenticated attackers to manipulate the usr and pwd parameters of /index.ph in the Login component to inject arbitrary SQL. Publicly available exploit code exists per VulDB, though the project is on a rolling release with no tagged fix and the maintainer has not responded to the issue report. No CISA KEV listing and no EPSS score is provided, but the trivial network-reachable login vector makes opportunistic scanning likely.

SQLi Student Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

SQL injection in designcomputer mysql-mcp-server (versions up to 0.2.2) allows authenticated remote attackers to execute arbitrary SQL via a crafted mysql:// URI passed to the read_resource function in server.py. The vulnerability stems from insufficient validation of the table-name segment in mysql://database/<name> URIs before interpolation into MySQL queries. A publicly available proof-of-concept exploit exists (GitHub issue #89); the issue is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis. An official fix was released as v0.3.0 (also backported to v0.2.3).

SQLi Mysql Mcp Server
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient database records to authenticated remote attackers via the unsanitized `admissiontme` parameter in `/addpatient.php`. A publicly available proof-of-concept (published on GitHub) lowers the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects constrained impact - limited to partial data read/write with no scope change to subsequent systems. No active exploitation has been confirmed (not in CISA KEV), but the healthcare context amplifies regulatory significance even for low-severity data exposure.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 allows remote low-privileged attackers to manipulate backend database queries via the 'Date' parameter in /adminaccount.php. The vulnerability is PHP-based (CWE-89) and publicly exploitable code exists via a GitHub submission linked through VulDB. Despite remote reachability, the CVSS 4.0 score of 2.1 reflects constrained real-world impact: low privileges are required, and the scope is fully contained with only low-level confidentiality, integrity, and availability consequences. No public patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the application's database to remote authenticated attackers via the `type_of_leave` parameter in `/admin/add_leave.php`. The vulnerability (CWE-89) allows manipulation of backend SQL queries, potentially enabling data extraction, modification, or destruction. A publicly available exploit exists per VulDB report and a referenced GitHub proof-of-concept, elevating practical risk despite the low CVSS 4.0 base score of 2.1.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_updation.php. The vulnerability enables read, write, and denial-of-service impact against the underlying database with low complexity and no user interaction required. No public exploit code or active exploitation has been identified at time of analysis.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.

PHP SQLi
NVD VulDB GitHub
Prev Page 6 of 169 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy