SQLi
Monthly
SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.
SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.
SQL injection in CodeAstro Leave Management System 1.0 allows remote authenticated attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_deletion.php. The vulnerability is a classic CWE-89 unsanitized input flaw in a PHP-based web application, enabling read, write, and limited availability impact against the underlying database. Publicly available exploit code exists per VulDB disclosure; no KEV listing indicates opportunistic rather than targeted exploitation at this time.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive patient data to remote, unauthenticated attackers via the `ID` parameter in the `/classes/Master.php?f=save_patient` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, attack prerequisites, or user interaction are required, making this trivially exploitable from the network. A publicly available exploit exists (CVSS E:P), elevating real-world risk beyond what the moderate base score of 5.5 suggests; no public exploit identified at time of analysis rises to KEV level, but the POC lowers the barrier for opportunistic attackers targeting healthcare data.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes the `/Ingredients-Stock/add_stock.php` endpoint to authenticated remote attackers who can manipulate the `ID` parameter to execute arbitrary SQL commands against the backend database. The attack is network-accessible with low complexity, enabling unauthorized data exfiltration, record manipulation, and potential escalation within the database tier. Publicly available exploit code exists (E:P in CVSS temporal vector), materially lowering the barrier to exploitation; no CISA KEV listing has been identified at time of analysis.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the Category parameter in /Frontend/Search.php to execute arbitrary SQL commands against the backend database. Publicly available exploit code exists (disclosed via GitHub), increasing the practical risk despite the small footprint of this PHP application. No active exploitation has been confirmed in CISA KEV at the time of analysis.
SQL injection in code-projects Online Music Site 1.0 allows remote attackers to manipulate the ID parameter in /Administrator/PHP/AdminDeleteAlbum.php to execute arbitrary database queries. Publicly available exploit code exists (published via GitHub and tracked by VulDB), and the flaw is reachable over the network without authentication per the CVSS vector. There is no public exploit identified as actively used in the wild (not CISA KEV), but the combination of trivial attack complexity and public PoC raises the practical exploitation risk for any exposed deployment.
SQL injection in code-projects Simple Flight Ticket Booking System 1.0 allows remote unauthenticated attackers to manipulate database queries via the Username POST parameter in checkUser.php. Publicly available exploit code exists (disclosed via GitHub), increasing the likelihood of opportunistic attacks against exposed instances, though the issue is not listed in CISA KEV. The CVSS 3.1 base score of 7.3 reflects network-reachable, low-complexity exploitation with no privileges or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive1.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists per VulDB submission 369106, raising the practical risk despite the moderate CVSS 7.3 score. No KEV listing and no public exploitation campaigns identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive2.php to execute arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub), though there is no confirmed active exploitation in CISA KEV. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial impact across confidentiality, integrity, and availability.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `sy` parameter in `/archive5.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.
Second-order SQL injection in BeikeShop's Admin Design Builder endpoint (versions up to 1.6.0.22) allows authenticated admin-panel users to manipulate the `settings.value` argument in `beike/Admin/Routes/admin.php` to inject arbitrary SQL. The root cause spans multiple PHP repository classes - `DesignService.php`, `BrandRepo.php`, and `ProductRepo.php` - where brand and product ID arrays were passed to database queries without integer casting or sanitization. A public proof-of-concept exploit exists; the CVSS 4.0 score of 2.1 reflects the administrative authentication prerequisite that meaningfully constrains real-world exposure.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.
SQL injection in the `getStatus` function of `controllers/GradeController.php` within Kushan2k's student-management-system exposes the Certificate Verification Endpoint to database manipulation by low-privileged remote attackers via the `nic` parameter. A publicly available exploit (proof-of-concept via GitHub issue) lowers the practical bar for abuse despite the CVSS 4.0 base score of 2.1. No patch has been released, and the maintainer has not responded to responsible disclosure, leaving all deployments through commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a unprotected.
SQL injection in jflyfox jfinal_cms through version 5.1.0 exposes database contents to remote, low-privileged attackers via an unsanitized `orderBy` parameter in the `list` function of `AdvicefeedbackController.java`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation requiring only a low-privileged account, with limited but real confidentiality, integrity, and availability impact. The project was notified via GitHub issue #62 but has not responded, and no vendor-released patch exists at time of analysis. No public exploit code or confirmed active exploitation has been identified.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index1.php to unauthenticated remote exploitation via an unsanitized Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier indicates a publicly available proof-of-concept - confirmed via a GitHub issue disclosure. An attacker can manipulate the Password argument to inject arbitrary SQL, potentially bypassing authentication or exfiltrating database contents. No CISA KEV listing is present, and no vendor patch has been identified at time of analysis.
Unauthenticated remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index2.php to arbitrary query manipulation via the Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack complexity, making this trivially reachable from the network. Publicly available exploit code exists (POC confirmed via GitHub), though no CISA KEV listing has been issued, meaning widespread active exploitation is not confirmed at time of analysis.
SQL injection in Chanjet CRM 1.0 allows remote unauthenticated attackers to manipulate the gblOrgID parameter of /tools/jxf_dump_systable.php to inject arbitrary SQL into the backend database. Publicly available exploit code exists (referenced via a public gist), and the vendor did not respond to disclosure attempts, leaving deployments exposed without official remediation. EPSS data was not provided and the issue is not in CISA KEV, but the combination of network-reachable HTTP GET handler, no authentication requirement, and a public POC makes opportunistic exploitation realistic.
SQL injection in Tiobon Employee Self-Service System versions up to 7.2 allows authenticated remote attackers to manipulate the Keyword parameter in /Blog/BlogSearch.aspx, executing arbitrary SQL against the underlying database with low impact across confidentiality, integrity, and availability. Publicly available exploit code exists and has been disclosed via VulDB, while the vendor failed to respond to responsible disclosure, leaving no vendor-released patch at time of analysis. This is not confirmed as actively exploited (not in CISA KEV), but the low-complexity, network-reachable nature combined with a public proof-of-concept represents a credible opportunistic risk for organizations running this HR application.
SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to manipulate the httpOID parameter of nextselectplan.aspx to inject arbitrary SQL statements. Publicly available exploit code exists per VulDB disclosure, and the vendor did not respond to coordinated disclosure attempts, increasing the window of exposure. CVSS 7.3 reflects network-reachable, low-complexity exploitation with limited confidentiality, integrity, and availability impact on the database backend.
SQL injection in Jinher OA C6's GetFormSn.aspx endpoint allows remote low-privilege authenticated attackers to manipulate the queryID parameter, potentially reading, modifying, or deleting backend database records. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. No patch exists - the vendor was notified early but did not respond, leaving no official remediation path.
Time-based SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.41) enables authenticated contributors to exfiltrate arbitrary data from the WordPress database via a stored shortcode payload that is subsequently triggered without authentication. The attack exploits the 'compact_album_order_by' parameter passed through the 'shortcode_bwg' AJAX handler, where insufficient escaping and absent query preparation allow appended SQL clauses to survive into execution. Critically, the stored malicious shortcode can be activated by the unauthenticated 'bwg_frontend_data' AJAX handler, collapsing the effective authentication barrier after the initial store step. No public exploit code or CISA KEV listing has been identified at time of analysis.
SQL Injection in OptinCraft (Drag & Drop Optins & Popup Builder for WordPress) versions up to and including 1.2.0 allows authenticated attackers with administrator-level access to extract sensitive data from the underlying WordPress database. The vulnerability exists in the 'order_by' parameter, which is passed without sufficient escaping or parameterized query preparation through the plugin's internal SQL compiler, enabling appending of arbitrary SQL to existing queries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact and network-accessible attack vector make it a meaningful data-disclosure risk in multi-administrator WordPress environments.
Time-based blind SQL injection in the Quiz and Survey Master (QSM) WordPress plugin versions through 11.1.2 allows authenticated administrators to extract sensitive database contents via the unsanitized 'order' parameter in the quiz API. The vulnerability resides in class-qsm-quiz-api.php at multiple query construction points (lines 126, 131, 164, 243, 374), where user-supplied sort order values are concatenated directly into SQL without prepared statements. Critically, if the plugin's secret key is exposed, this privilege barrier drops, enabling lower-privileged users to exploit the same injection path. No public exploit code or CISA KEV listing is identified at time of analysis.
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.
SQL injection in NocoDB's bulk groupBy endpoint allows authenticated users holding column-create or column-rename permissions to read arbitrary data from the connected database by crafting a malicious column title. Affected versions are all NocoDB npm releases up to and including 2026.05.0; a vendor-released patch is available in 2026.05.1. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low complexity of exploitation once authenticated and the direct database read impact make prompt patching a priority for any internet-exposed NocoDB deployment.
SQL injection in NocoDB's Postgres formula engine exposes authenticated creators to arbitrary SQL execution via the unvalidated `direction` argument of the `ARRAYSORT(...)` formula function. All NocoDB instances on npm/nocodb versions prior to 2026.04.1 using Postgres-backed bases are affected; MySQL and SQLite backends are not. An attacker holding creator/owner-level `columnAdd` permission can inject persistent SQL that executes during column creation and re-executes on every subsequent read of the formula column, enabling confirmed denial-of-service and potentially broader data access depending on database-level permissions. No public exploit identified at time of analysis; this vulnerability is not listed in CISA KEV.
SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.
SQL injection in SourceCodester Ship Ferry Ticket Reservation System 1.0 exposes the admin login panel to unauthenticated remote attackers via a crafted Username parameter in /admin/login.php, enabling authentication bypass and backend database manipulation. Publicly available exploit code (POC) has been published on Medium demonstrating the authentication bypass technique, elevating real-world risk despite the moderate CVSS 4.0 score of 5.5. No KEV listing at time of analysis, but the zero-prerequisite network attack vector combined with a public POC makes this a credible threat to any internet-facing deployment.
SQL injection in projectworlds Online Art Gallery Shop 1.0 exposes the admin panel to database manipulation via the unsanitized `social_twitter` parameter in `/admin/adminHome.ph`. Authenticated remote attackers with low-privilege credentials can craft malicious SQL payloads to read, modify, or corrupt backend database contents. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P metric and the CVE description; however, no active exploitation has been confirmed in CISA KEV, and the overall CVSS 4.0 score of 2.1 reflects limited blast radius confined to the vulnerable system.
SQL injection in projectworlds Online Art Gallery Shop 1.0 enables remote low-privileged attackers to manipulate the `social_insta` parameter within `/admin/adminHome.php`, achieving limited read, write, and availability impact against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), though the overall CVSS 4.0 score of 2.1 reflects a constrained impact scope - no subsequent system compromise is possible. This is not listed in the CISA KEV catalog; exploitation requires authenticated access rather than open unauthenticated attack.
SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.
Authentication bypass via SQL injection in OSNexus QuantaStor SDS Manager allows unauthenticated remote attackers to log in as administrator by injecting crafted input into the login endpoint's username field. The flaw carries a CVSS 9.8 rating and grants full administrative control over the storage management plane without any valid credentials. No public exploit identified at time of analysis, though the vulnerability was disclosed by researchers at Black Lantern Security (BLSOPS).
SQL injection in itsourcecode Fees Management System 1.0 exposes the `/receipt.php` endpoint to database manipulation by authenticated remote attackers via the `ef_id` parameter. The CVSS temporal metric E:P confirms a publicly available exploit, disclosed via a GitHub issue, meaning exploitation is accessible to low-skilled attackers. No CISA KEV listing is present, but the combination of public POC, network-reachable attack vector, and low attack complexity makes this a credible threat for any internet-facing deployment of this PHP application.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in itsourcecode Fees Management System 1.0 allows authenticated remote attackers with low privileges to manipulate database queries via the `ID` parameter in `/manage_user.php`. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only a low-privilege account, with confidentiality, integrity, and availability all partially impacted. A public proof-of-concept exploit is available (E:P in CVSS temporal metrics, corroborated by a GitHub issue), though no active exploitation has been confirmed via CISA KEV. No vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the `ID` parameter in `/manage_student.php`, resulting in partial compromise of confidentiality, integrity, and availability. The affected product is a PHP-based academic fee tracking application; exploitation requires a valid low-privilege account but no additional user interaction. A publicly available proof-of-concept exploit (referenced via GitHub) lowers the bar for opportunistic exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
SQL injection in Akmer Informatics TeknoPass versions 20210501 through 20260429 allows remote unauthenticated attackers to bypass authorization by manipulating a user-controlled SQL primary key. With a CVSS 9.8 score and full CIA impact under network-reachable, low-complexity conditions, successful exploitation can yield database compromise and authorization bypass. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Blind SQL injection in the Photo Gallery by 10Web WordPress plugin (versions up to and including 1.8.41) allows high-privileged authenticated users to inject crafted SQL fragments into a vulnerable query, exfiltrate database contents, and affect availability. CVSS 7.6 (Scope:Changed) reflects the cross-component impact possible from a successful injection within the WordPress database context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in MasterStudy LMS Pro Plus for WordPress exposes database contents to authenticated instructors through the unsanitized 'columns' parameter, affecting all versions up to and including 4.8.20. The vulnerability stems from insufficient input escaping and absent parameterized query preparation, enabling authenticated attackers with at minimum instructor-level access to append arbitrary SQL to existing queries and extract sensitive data. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk for multi-tenant LMS deployments where instructors are semi-trusted external parties.
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter sent to the Login function in /admin/admin_class_novo.php, compromising the administrative authentication flow. Publicly available exploit code exists per the referenced GitHub proof-of-concept, raising opportunistic exploitation risk despite the limited deployment footprint of this small-scale PHP e-commerce application. No KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active.
SQL injection in code-projects Student Admission System 1.0 allows remote unauthenticated attackers to manipulate the 'eid' and 'did' parameters in /index.php to inject arbitrary SQL queries. Publicly available exploit code exists (referenced via GitHub issue tracker), increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability carries a CVSS 3.1 base score of 7.3, with low impact across confidentiality, integrity, and availability, but no special prerequisites for exploitation.
Unauthenticated SQL injection in the ARMember Premium WordPress plugin (versions up to and including 7.3.1) allows remote attackers to extract sensitive database contents by injecting crafted values into the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX endpoint. With CVSS 7.5 reflecting confidentiality-only impact and no public exploit identified at time of analysis, the bug is reachable without credentials but EPSS data was not provided to estimate exploitation likelihood.
SQL Injection in ARMember Premium WordPress membership plugin (versions up to and including 7.3.1) enables authenticated attackers with Subscriber-level access to extract sensitive database contents via the `get_private_content_data` AJAX action. The flaw resides in the `sSortDir_0` parameter, which is concatenated unsanitized into an ORDER BY clause - a notoriously difficult injection point to parameterize, requiring explicit allowlist validation that is absent here. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the low authentication bar (subscriber accounts) and network-accessible attack vector make it a meaningful risk where the addon is active.
Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the `arm_reset_password_key` user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's `armrp` reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate the database through the carbuyaction.php endpoint by supplying crafted postname or des parameter values that bypass the RemoveXSS sanitization function. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no special conditions are required for exploitation. A public proof-of-concept exploit has been released (CVSS E:P modifier), though no CISA KEV listing exists, indicating no confirmed widespread active exploitation at time of analysis.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate database queries via the `msg` parameter in `/plus/flink.php`, where the `dede_htmlspecialchars` function fails to adequately sanitize input before use in SQL operations. The CVSS 4.0 vector confirms no authentication, no user interaction, and low complexity - making this trivially reachable over the network. Publicly available exploit code exists (CVSS E:P), though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
SQL injection in DedeCMS 5.7.88 exposes the feedback submission endpoint to unauthenticated remote attackers who can manipulate the `msg` parameter passed to the `TrimMsg` function in `/plus/feedback.php`. The CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) confirms no authentication or user interaction is required, and the E:P modifier indicates exploit code has been publicly disclosed per VulDB submission 829413. No CISA KEV listing was identified at time of analysis, but the combination of unauthenticated network access and a public POC elevates practical risk above the moderate base score of 5.5.
Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthenticated attackers to manipulate backend database queries by sending crafted input to vulnerable parameters. The flaw carries a CVSS 9.3 rating due to network-reachable, no-privileges, no-user-interaction exploitation with scope change, and no public exploit code has been identified at time of analysis. The vulnerability was reported through Patchstack's WordPress security program, with no CISA KEV listing.
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuilder role to read and tamper with other users' form definitions and certain global configuration parameters. The flaw affects the Kiteworks private data network platform, carries a CVSS 7.6 (high) severity rating, and no public exploit identified at time of analysis. Exploitation requires valid credentials with a specific role, narrowing the threat to insiders or attackers who have already obtained role-bearing accounts.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.
SQL injection across multiple contacts database functions in Google Android enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated privileges or user interaction. The flaw allows an unprivileged local process or malicious application to inject arbitrary SQL into contacts database queries, resulting in unauthorized read, write, and partial denial-of-service impact against contact data. No public exploit has been identified at time of analysis, and EPSS probability stands at 0.01%, consistent with a local-only attack surface, though the absence of any privilege prerequisite (PR:N) lowers the bar for any attacker already on the device.
Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the `tour` GET parameter in `tour.php` to inject arbitrary SQL into backend database queries. Publicly available exploit code exists (hosted on GitHub), enabling low-skilled attackers to extract or modify database contents, though no CISA KEV listing or EPSS signal indicates widespread active exploitation at this time.
SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.
Blind SQL injection in the Nextcloud Tables app affects versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1, allowing authenticated users with access to the Tables app to inject SQL into the ORDER BY clause of database queries. The flaw permits bit-by-bit data extraction or time-based exfiltration against the underlying database, and no public exploit identified at time of analysis. Patches are available in versions 0.9.7 and 1.0.2.
SQL injection in the Nextcloud Tables app allows authenticated users with access to the Tables feature to execute arbitrary SQL queries against the backend database via a stored injection vector. Although a 20-byte length limit is imposed on the injected payload, carefully crafted input can break out of this restriction, enabling data extraction and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, enabling extraction of database contents and limited tampering with site availability. The CVSS 9.3 score reflects network-reachable exploitation with no privileges or user interaction and a scope change into the WordPress database context; no public exploit identified at time of analysis, though Patchstack has cataloged the flaw.
SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.
SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.
Unauthenticated SQL injection in code-projects Real State Services 1.0 exposes the login endpoint to remote database manipulation. The Username parameter passed to /loginuser.php is unsanitized and directly interpolated into SQL queries (CWE-74), enabling unauthenticated remote attackers to extract data, bypass authentication, or alter database contents. Exploit code has been publicly disclosed via a GitHub issue report, elevating practical risk despite the moderate CVSS 4.0 score of 5.5.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the /users/application_status.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to inject arbitrary SQL into backend database queries, resulting in partial confidentiality, integrity, and availability impact. A proof-of-concept exploit has been published (CVSS 4.0 E:P confirmed), lowering the barrier to exploitation significantly despite the medium overall score. No public KEV listing exists, meaning active widespread exploitation is not confirmed at time of analysis, but the combination of a public POC and zero authentication requirements makes this a credible near-term risk for any internet-exposed deployment.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the `/admin/jobs-admins/delete-jobs.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication, no complexity, and no user interaction are required to exploit this flaw from the network, though the admin panel context of the vulnerable endpoint warrants verification of actual auth enforcement. Publicly available exploit code exists (E:P), elevating practical risk above what the medium CVSS score of 5.5 alone might suggest.
SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.
SQL injection in itsourcecode Content Management System 1.0 exposes the admin-facing endpoint /admin/update_ss_img.php to database manipulation via the unsanitized topic_id parameter. Low-privilege authenticated attackers can exploit this remotely with no user interaction required, achieving partial read, write, and availability impact against the underlying database. A public exploit is available (CVSS temporal E:P; GitHub PoC linked in references), elevating practical risk despite the moderate 6.3 base score. No active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in itsourcecode Content Management System 1.0 exposes the database to read, modify, and partial denial-of-service via a crafted comment submission. The vulnerable endpoint /save_comment.php fails to sanitize the Name parameter before incorporating it into SQL queries, allowing an authenticated low-privilege attacker to manipulate database logic directly. A publicly available proof-of-concept exploit exists (GitHub issue linked in VulDB entry), elevating real-world risk despite the absence of a CISA KEV listing.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_payment.php to execute arbitrary database queries. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed deployments. The flaw was reported by VulDB and impacts a PHP-based rental management application commonly deployed by small operators and educational projects.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_tenant.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub issue tracker and indexed by VulDB), making opportunistic exploitation feasible against any internet-exposed instance. The vulnerability impacts a PHP-based property management application typically deployed by small landlords or as a learning/demonstration project.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.
SQL injection in SOPlanning 1.55 and earlier allows authenticated low-privileged users to inject arbitrary SQL commands across multiple endpoints and parameters, potentially leading to full database compromise. The flaw was reported by CERT Polska and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.
SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.
SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.
SQL injection in CodeAstro Leave Management System 1.0 allows remote authenticated attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_deletion.php. The vulnerability is a classic CWE-89 unsanitized input flaw in a PHP-based web application, enabling read, write, and limited availability impact against the underlying database. Publicly available exploit code exists per VulDB disclosure; no KEV listing indicates opportunistic rather than targeted exploitation at this time.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive patient data to remote, unauthenticated attackers via the `ID` parameter in the `/classes/Master.php?f=save_patient` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, attack prerequisites, or user interaction are required, making this trivially exploitable from the network. A publicly available exploit exists (CVSS E:P), elevating real-world risk beyond what the moderate base score of 5.5 suggests; no public exploit identified at time of analysis rises to KEV level, but the POC lowers the barrier for opportunistic attackers targeting healthcare data.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes the `/Ingredients-Stock/add_stock.php` endpoint to authenticated remote attackers who can manipulate the `ID` parameter to execute arbitrary SQL commands against the backend database. The attack is network-accessible with low complexity, enabling unauthorized data exfiltration, record manipulation, and potential escalation within the database tier. Publicly available exploit code exists (E:P in CVSS temporal vector), materially lowering the barrier to exploitation; no CISA KEV listing has been identified at time of analysis.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the Category parameter in /Frontend/Search.php to execute arbitrary SQL commands against the backend database. Publicly available exploit code exists (disclosed via GitHub), increasing the practical risk despite the small footprint of this PHP application. No active exploitation has been confirmed in CISA KEV at the time of analysis.
SQL injection in code-projects Online Music Site 1.0 allows remote attackers to manipulate the ID parameter in /Administrator/PHP/AdminDeleteAlbum.php to execute arbitrary database queries. Publicly available exploit code exists (published via GitHub and tracked by VulDB), and the flaw is reachable over the network without authentication per the CVSS vector. There is no public exploit identified as actively used in the wild (not CISA KEV), but the combination of trivial attack complexity and public PoC raises the practical exploitation risk for any exposed deployment.
SQL injection in code-projects Simple Flight Ticket Booking System 1.0 allows remote unauthenticated attackers to manipulate database queries via the Username POST parameter in checkUser.php. Publicly available exploit code exists (disclosed via GitHub), increasing the likelihood of opportunistic attacks against exposed instances, though the issue is not listed in CISA KEV. The CVSS 3.1 base score of 7.3 reflects network-reachable, low-complexity exploitation with no privileges or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive1.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists per VulDB submission 369106, raising the practical risk despite the moderate CVSS 7.3 score. No KEV listing and no public exploitation campaigns identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive2.php to execute arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub), though there is no confirmed active exploitation in CISA KEV. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial impact across confidentiality, integrity, and availability.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `sy` parameter in `/archive5.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.
Second-order SQL injection in BeikeShop's Admin Design Builder endpoint (versions up to 1.6.0.22) allows authenticated admin-panel users to manipulate the `settings.value` argument in `beike/Admin/Routes/admin.php` to inject arbitrary SQL. The root cause spans multiple PHP repository classes - `DesignService.php`, `BrandRepo.php`, and `ProductRepo.php` - where brand and product ID arrays were passed to database queries without integer casting or sanitization. A public proof-of-concept exploit exists; the CVSS 4.0 score of 2.1 reflects the administrative authentication prerequisite that meaningfully constrains real-world exposure.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.
SQL injection in the `getStatus` function of `controllers/GradeController.php` within Kushan2k's student-management-system exposes the Certificate Verification Endpoint to database manipulation by low-privileged remote attackers via the `nic` parameter. A publicly available exploit (proof-of-concept via GitHub issue) lowers the practical bar for abuse despite the CVSS 4.0 base score of 2.1. No patch has been released, and the maintainer has not responded to responsible disclosure, leaving all deployments through commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a unprotected.
SQL injection in jflyfox jfinal_cms through version 5.1.0 exposes database contents to remote, low-privileged attackers via an unsanitized `orderBy` parameter in the `list` function of `AdvicefeedbackController.java`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation requiring only a low-privileged account, with limited but real confidentiality, integrity, and availability impact. The project was notified via GitHub issue #62 but has not responded, and no vendor-released patch exists at time of analysis. No public exploit code or confirmed active exploitation has been identified.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index1.php to unauthenticated remote exploitation via an unsanitized Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier indicates a publicly available proof-of-concept - confirmed via a GitHub issue disclosure. An attacker can manipulate the Password argument to inject arbitrary SQL, potentially bypassing authentication or exfiltrating database contents. No CISA KEV listing is present, and no vendor patch has been identified at time of analysis.
Unauthenticated remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index2.php to arbitrary query manipulation via the Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack complexity, making this trivially reachable from the network. Publicly available exploit code exists (POC confirmed via GitHub), though no CISA KEV listing has been issued, meaning widespread active exploitation is not confirmed at time of analysis.
SQL injection in Chanjet CRM 1.0 allows remote unauthenticated attackers to manipulate the gblOrgID parameter of /tools/jxf_dump_systable.php to inject arbitrary SQL into the backend database. Publicly available exploit code exists (referenced via a public gist), and the vendor did not respond to disclosure attempts, leaving deployments exposed without official remediation. EPSS data was not provided and the issue is not in CISA KEV, but the combination of network-reachable HTTP GET handler, no authentication requirement, and a public POC makes opportunistic exploitation realistic.
SQL injection in Tiobon Employee Self-Service System versions up to 7.2 allows authenticated remote attackers to manipulate the Keyword parameter in /Blog/BlogSearch.aspx, executing arbitrary SQL against the underlying database with low impact across confidentiality, integrity, and availability. Publicly available exploit code exists and has been disclosed via VulDB, while the vendor failed to respond to responsible disclosure, leaving no vendor-released patch at time of analysis. This is not confirmed as actively exploited (not in CISA KEV), but the low-complexity, network-reachable nature combined with a public proof-of-concept represents a credible opportunistic risk for organizations running this HR application.
SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to manipulate the httpOID parameter of nextselectplan.aspx to inject arbitrary SQL statements. Publicly available exploit code exists per VulDB disclosure, and the vendor did not respond to coordinated disclosure attempts, increasing the window of exposure. CVSS 7.3 reflects network-reachable, low-complexity exploitation with limited confidentiality, integrity, and availability impact on the database backend.
SQL injection in Jinher OA C6's GetFormSn.aspx endpoint allows remote low-privilege authenticated attackers to manipulate the queryID parameter, potentially reading, modifying, or deleting backend database records. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. No patch exists - the vendor was notified early but did not respond, leaving no official remediation path.
Time-based SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.41) enables authenticated contributors to exfiltrate arbitrary data from the WordPress database via a stored shortcode payload that is subsequently triggered without authentication. The attack exploits the 'compact_album_order_by' parameter passed through the 'shortcode_bwg' AJAX handler, where insufficient escaping and absent query preparation allow appended SQL clauses to survive into execution. Critically, the stored malicious shortcode can be activated by the unauthenticated 'bwg_frontend_data' AJAX handler, collapsing the effective authentication barrier after the initial store step. No public exploit code or CISA KEV listing has been identified at time of analysis.
SQL Injection in OptinCraft (Drag & Drop Optins & Popup Builder for WordPress) versions up to and including 1.2.0 allows authenticated attackers with administrator-level access to extract sensitive data from the underlying WordPress database. The vulnerability exists in the 'order_by' parameter, which is passed without sufficient escaping or parameterized query preparation through the plugin's internal SQL compiler, enabling appending of arbitrary SQL to existing queries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact and network-accessible attack vector make it a meaningful data-disclosure risk in multi-administrator WordPress environments.
Time-based blind SQL injection in the Quiz and Survey Master (QSM) WordPress plugin versions through 11.1.2 allows authenticated administrators to extract sensitive database contents via the unsanitized 'order' parameter in the quiz API. The vulnerability resides in class-qsm-quiz-api.php at multiple query construction points (lines 126, 131, 164, 243, 374), where user-supplied sort order values are concatenated directly into SQL without prepared statements. Critically, if the plugin's secret key is exposed, this privilege barrier drops, enabling lower-privileged users to exploit the same injection path. No public exploit code or CISA KEV listing is identified at time of analysis.
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.
SQL injection in NocoDB's bulk groupBy endpoint allows authenticated users holding column-create or column-rename permissions to read arbitrary data from the connected database by crafting a malicious column title. Affected versions are all NocoDB npm releases up to and including 2026.05.0; a vendor-released patch is available in 2026.05.1. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low complexity of exploitation once authenticated and the direct database read impact make prompt patching a priority for any internet-exposed NocoDB deployment.
SQL injection in NocoDB's Postgres formula engine exposes authenticated creators to arbitrary SQL execution via the unvalidated `direction` argument of the `ARRAYSORT(...)` formula function. All NocoDB instances on npm/nocodb versions prior to 2026.04.1 using Postgres-backed bases are affected; MySQL and SQLite backends are not. An attacker holding creator/owner-level `columnAdd` permission can inject persistent SQL that executes during column creation and re-executes on every subsequent read of the formula column, enabling confirmed denial-of-service and potentially broader data access depending on database-level permissions. No public exploit identified at time of analysis; this vulnerability is not listed in CISA KEV.
SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.
SQL injection in SourceCodester Ship Ferry Ticket Reservation System 1.0 exposes the admin login panel to unauthenticated remote attackers via a crafted Username parameter in /admin/login.php, enabling authentication bypass and backend database manipulation. Publicly available exploit code (POC) has been published on Medium demonstrating the authentication bypass technique, elevating real-world risk despite the moderate CVSS 4.0 score of 5.5. No KEV listing at time of analysis, but the zero-prerequisite network attack vector combined with a public POC makes this a credible threat to any internet-facing deployment.
SQL injection in projectworlds Online Art Gallery Shop 1.0 exposes the admin panel to database manipulation via the unsanitized `social_twitter` parameter in `/admin/adminHome.ph`. Authenticated remote attackers with low-privilege credentials can craft malicious SQL payloads to read, modify, or corrupt backend database contents. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P metric and the CVE description; however, no active exploitation has been confirmed in CISA KEV, and the overall CVSS 4.0 score of 2.1 reflects limited blast radius confined to the vulnerable system.
SQL injection in projectworlds Online Art Gallery Shop 1.0 enables remote low-privileged attackers to manipulate the `social_insta` parameter within `/admin/adminHome.php`, achieving limited read, write, and availability impact against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), though the overall CVSS 4.0 score of 2.1 reflects a constrained impact scope - no subsequent system compromise is possible. This is not listed in the CISA KEV catalog; exploitation requires authenticated access rather than open unauthenticated attack.
SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.
Authentication bypass via SQL injection in OSNexus QuantaStor SDS Manager allows unauthenticated remote attackers to log in as administrator by injecting crafted input into the login endpoint's username field. The flaw carries a CVSS 9.8 rating and grants full administrative control over the storage management plane without any valid credentials. No public exploit identified at time of analysis, though the vulnerability was disclosed by researchers at Black Lantern Security (BLSOPS).
SQL injection in itsourcecode Fees Management System 1.0 exposes the `/receipt.php` endpoint to database manipulation by authenticated remote attackers via the `ef_id` parameter. The CVSS temporal metric E:P confirms a publicly available exploit, disclosed via a GitHub issue, meaning exploitation is accessible to low-skilled attackers. No CISA KEV listing is present, but the combination of public POC, network-reachable attack vector, and low attack complexity makes this a credible threat for any internet-facing deployment of this PHP application.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in itsourcecode Fees Management System 1.0 allows authenticated remote attackers with low privileges to manipulate database queries via the `ID` parameter in `/manage_user.php`. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only a low-privilege account, with confidentiality, integrity, and availability all partially impacted. A public proof-of-concept exploit is available (E:P in CVSS temporal metrics, corroborated by a GitHub issue), though no active exploitation has been confirmed via CISA KEV. No vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the `ID` parameter in `/manage_student.php`, resulting in partial compromise of confidentiality, integrity, and availability. The affected product is a PHP-based academic fee tracking application; exploitation requires a valid low-privilege account but no additional user interaction. A publicly available proof-of-concept exploit (referenced via GitHub) lowers the bar for opportunistic exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
SQL injection in Akmer Informatics TeknoPass versions 20210501 through 20260429 allows remote unauthenticated attackers to bypass authorization by manipulating a user-controlled SQL primary key. With a CVSS 9.8 score and full CIA impact under network-reachable, low-complexity conditions, successful exploitation can yield database compromise and authorization bypass. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Blind SQL injection in the Photo Gallery by 10Web WordPress plugin (versions up to and including 1.8.41) allows high-privileged authenticated users to inject crafted SQL fragments into a vulnerable query, exfiltrate database contents, and affect availability. CVSS 7.6 (Scope:Changed) reflects the cross-component impact possible from a successful injection within the WordPress database context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in MasterStudy LMS Pro Plus for WordPress exposes database contents to authenticated instructors through the unsanitized 'columns' parameter, affecting all versions up to and including 4.8.20. The vulnerability stems from insufficient input escaping and absent parameterized query preparation, enabling authenticated attackers with at minimum instructor-level access to append arbitrary SQL to existing queries and extract sensitive data. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk for multi-tenant LMS deployments where instructors are semi-trusted external parties.
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter sent to the Login function in /admin/admin_class_novo.php, compromising the administrative authentication flow. Publicly available exploit code exists per the referenced GitHub proof-of-concept, raising opportunistic exploitation risk despite the limited deployment footprint of this small-scale PHP e-commerce application. No KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active.
SQL injection in code-projects Student Admission System 1.0 allows remote unauthenticated attackers to manipulate the 'eid' and 'did' parameters in /index.php to inject arbitrary SQL queries. Publicly available exploit code exists (referenced via GitHub issue tracker), increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability carries a CVSS 3.1 base score of 7.3, with low impact across confidentiality, integrity, and availability, but no special prerequisites for exploitation.
Unauthenticated SQL injection in the ARMember Premium WordPress plugin (versions up to and including 7.3.1) allows remote attackers to extract sensitive database contents by injecting crafted values into the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX endpoint. With CVSS 7.5 reflecting confidentiality-only impact and no public exploit identified at time of analysis, the bug is reachable without credentials but EPSS data was not provided to estimate exploitation likelihood.
SQL Injection in ARMember Premium WordPress membership plugin (versions up to and including 7.3.1) enables authenticated attackers with Subscriber-level access to extract sensitive database contents via the `get_private_content_data` AJAX action. The flaw resides in the `sSortDir_0` parameter, which is concatenated unsanitized into an ORDER BY clause - a notoriously difficult injection point to parameterize, requiring explicit allowlist validation that is absent here. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the low authentication bar (subscriber accounts) and network-accessible attack vector make it a meaningful risk where the addon is active.
Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the `arm_reset_password_key` user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's `armrp` reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate the database through the carbuyaction.php endpoint by supplying crafted postname or des parameter values that bypass the RemoveXSS sanitization function. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no special conditions are required for exploitation. A public proof-of-concept exploit has been released (CVSS E:P modifier), though no CISA KEV listing exists, indicating no confirmed widespread active exploitation at time of analysis.
SQL injection in DedeCMS 5.7.88 allows remote unauthenticated attackers to manipulate database queries via the `msg` parameter in `/plus/flink.php`, where the `dede_htmlspecialchars` function fails to adequately sanitize input before use in SQL operations. The CVSS 4.0 vector confirms no authentication, no user interaction, and low complexity - making this trivially reachable over the network. Publicly available exploit code exists (CVSS E:P), though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
SQL injection in DedeCMS 5.7.88 exposes the feedback submission endpoint to unauthenticated remote attackers who can manipulate the `msg` parameter passed to the `TrimMsg` function in `/plus/feedback.php`. The CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) confirms no authentication or user interaction is required, and the E:P modifier indicates exploit code has been publicly disclosed per VulDB submission 829413. No CISA KEV listing was identified at time of analysis, but the combination of unauthenticated network access and a public POC elevates practical risk above the moderate base score of 5.5.
Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthenticated attackers to manipulate backend database queries by sending crafted input to vulnerable parameters. The flaw carries a CVSS 9.3 rating due to network-reachable, no-privileges, no-user-interaction exploitation with scope change, and no public exploit code has been identified at time of analysis. The vulnerability was reported through Patchstack's WordPress security program, with no CISA KEV listing.
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuilder role to read and tamper with other users' form definitions and certain global configuration parameters. The flaw affects the Kiteworks private data network platform, carries a CVSS 7.6 (high) severity rating, and no public exploit identified at time of analysis. Exploitation requires valid credentials with a specific role, narrowing the threat to insiders or attackers who have already obtained role-bearing accounts.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.
SQL injection across multiple contacts database functions in Google Android enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated privileges or user interaction. The flaw allows an unprivileged local process or malicious application to inject arbitrary SQL into contacts database queries, resulting in unauthorized read, write, and partial denial-of-service impact against contact data. No public exploit has been identified at time of analysis, and EPSS probability stands at 0.01%, consistent with a local-only attack surface, though the absence of any privilege prerequisite (PR:N) lowers the bar for any attacker already on the device.
Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the `tour` GET parameter in `tour.php` to inject arbitrary SQL into backend database queries. Publicly available exploit code exists (hosted on GitHub), enabling low-skilled attackers to extract or modify database contents, though no CISA KEV listing or EPSS signal indicates widespread active exploitation at this time.
SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.
Blind SQL injection in the Nextcloud Tables app affects versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1, allowing authenticated users with access to the Tables app to inject SQL into the ORDER BY clause of database queries. The flaw permits bit-by-bit data extraction or time-based exfiltration against the underlying database, and no public exploit identified at time of analysis. Patches are available in versions 0.9.7 and 1.0.2.
SQL injection in the Nextcloud Tables app allows authenticated users with access to the Tables feature to execute arbitrary SQL queries against the backend database via a stored injection vector. Although a 20-byte length limit is imposed on the injected payload, carefully crafted input can break out of this restriction, enabling data extraction and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.1) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, enabling extraction of database contents and limited tampering with site availability. The CVSS 9.3 score reflects network-reachable exploitation with no privileges or user interaction and a scope change into the WordPress database context; no public exploit identified at time of analysis, though Patchstack has cataloged the flaw.
SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.
SQL injection in SourceCodester Computer Repair Shop Management System 1.0 exposes the admin product management endpoint to unauthenticated remote attackers who can manipulate the 'ID' parameter in /admin/products/manage_product.php to execute arbitrary SQL statements. The CVSS 4.0 vector confirms no privileges or user interaction are required (PR:N, UI:N, AV:N), and a proof-of-concept exploit has been publicly disclosed (E:P), lowering the bar for exploitation. Impact is assessed as low-to-moderate across confidentiality, integrity, and availability on the vulnerable system, with no lateral scope change to subsequent systems.
Unauthenticated SQL injection in code-projects Real State Services 1.0 exposes the login endpoint to remote database manipulation. The Username parameter passed to /loginuser.php is unsanitized and directly interpolated into SQL queries (CWE-74), enabling unauthenticated remote attackers to extract data, bypass authentication, or alter database contents. Exploit code has been publicly disclosed via a GitHub issue report, elevating practical risk despite the moderate CVSS 4.0 score of 5.5.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the /users/application_status.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to inject arbitrary SQL into backend database queries, resulting in partial confidentiality, integrity, and availability impact. A proof-of-concept exploit has been published (CVSS 4.0 E:P confirmed), lowering the barrier to exploitation significantly despite the medium overall score. No public KEV listing exists, meaning active widespread exploitation is not confirmed at time of analysis, but the combination of a public POC and zero authentication requirements makes this a credible near-term risk for any internet-exposed deployment.
SQL injection in CodeAstro Online Job Portal 1.0 exposes the `/admin/jobs-admins/delete-jobs.php` endpoint to remote database manipulation via an unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication, no complexity, and no user interaction are required to exploit this flaw from the network, though the admin panel context of the vulnerable endpoint warrants verification of actual auth enforcement. Publicly available exploit code exists (E:P), elevating practical risk above what the medium CVSS score of 5.5 alone might suggest.
SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.
SQL injection in itsourcecode Content Management System 1.0 exposes the admin-facing endpoint /admin/update_ss_img.php to database manipulation via the unsanitized topic_id parameter. Low-privilege authenticated attackers can exploit this remotely with no user interaction required, achieving partial read, write, and availability impact against the underlying database. A public exploit is available (CVSS temporal E:P; GitHub PoC linked in references), elevating practical risk despite the moderate 6.3 base score. No active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in itsourcecode Content Management System 1.0 exposes the database to read, modify, and partial denial-of-service via a crafted comment submission. The vulnerable endpoint /save_comment.php fails to sanitize the Name parameter before incorporating it into SQL queries, allowing an authenticated low-privilege attacker to manipulate database logic directly. A publicly available proof-of-concept exploit exists (GitHub issue linked in VulDB entry), elevating real-world risk despite the absence of a CISA KEV listing.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_payment.php to execute arbitrary database queries. Publicly available exploit code exists, increasing the likelihood of opportunistic attacks against exposed deployments. The flaw was reported by VulDB and impacts a PHP-based rental management application commonly deployed by small operators and educational projects.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter of /manage_tenant.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub issue tracker and indexed by VulDB), making opportunistic exploitation feasible against any internet-exposed instance. The vulnerability impacts a PHP-based property management application typically deployed by small landlords or as a learning/demonstration project.
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.
SQL injection in SOPlanning 1.55 and earlier allows authenticated low-privileged users to inject arbitrary SQL commands across multiple endpoints and parameters, potentially leading to full database compromise. The flaw was reported by CERT Polska and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.