SQLi
Monthly
SQL injection in the VerifyCreateLicences function of MB connect line's mbCONNECT24 / myREX24 remote-maintenance platforms (including the myREX24V2.virtual and mymbCONNECT24 variants, versions up to and including 2.20.0) lets a remote attacker holding a low-privilege account inject crafted input into a SQL SELECT statement and read arbitrary database contents, causing total loss of confidentiality. The CVSS 4.0 base score is 7.1 with high confidentiality impact but no integrity or availability impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability very low at 0.03% (11th percentile).
SQL injection in the getComponentScalings function of MB connect line's mbCONNECT24/myREX24V2 remote-maintenance platforms (all variants at version 2.20.0 and earlier) lets a remote attacker manipulate a backend SQL SELECT statement to read arbitrary database contents, causing a total loss of confidentiality. The flaw was reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32138) and the CVSS 4.0 vector indicates the attacker holds at least a low-privilege account (PR:L), although the description text confusingly also calls it 'unauthenticated.' No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), indicating no observed mass-exploitation interest.
SQL injection in the mbCONNECT24 industrial remote-access platform (and the sibling products myREX24V2, myREX24V2.virtual and mymbCONNECT24, all versions up to and including 2.20.0) lets a remote attacker abuse the getDeviceScalings function, where user input is concatenated into a SQL SELECT statement without proper neutralization (CWE-89). Successful injection yields a total loss of confidentiality, allowing extraction of arbitrary database contents, though integrity and availability are unaffected per the CVSS 4.0 vector (VC:H/VI:N/VA:N, score 7.1). There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile).
Confidential data disclosure via SQL injection affects the mbCONNECT24 industrial remote-maintenance platform and its related variants (mymbCONNECT24, myREX24V2, myREX24V2.virtual) at versions up to and including 2.20.0. The flaw lives in the getProjectScalings function, where attacker-controlled input reaches a SQL SELECT statement, allowing extraction of arbitrary database contents and a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H). The CVSS vector requires low-privilege access (PR:L), which conflicts with the description's claim of an 'unauthenticated' attack - a discrepancy defenders should resolve against the vendor advisory. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), with CISA SSVC rating exploitation as 'none'.
SQL injection in MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 at versions up to and including 2.20.0 - lets a low-privileged remote attacker manipulate the SQL DELETE command in the 'inmessage' model to read the entire backend database and delete rows from a non-critical table. The flaw yields full confidentiality loss and partial integrity loss but no availability impact, and is rated CVSS 4.0 7.1. EPSS is very low (0.03%, 11th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV.
SQL injection in the MB connect line mbCONNECT24 / myREX24 family of industrial remote-maintenance gateways (all listed editions through 2.20.0) lets a low-privileged remote user feed crafted input into a SQL SELECT statement assembled by the saveObjectFromData function, exposing the full backend database for reading. Reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32134), the issue is a confidentiality-only impact (CVSS 4.0 base 7.1, VC:H/VI:N/VA:N). No public exploit code and no CISA KEV listing exist at this time, and EPSS is very low (0.03%, 11th percentile), indicating no observed mass exploitation.
SQL injection in the saveDashboardLayout function of dash_layout.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-access platforms (all versions up to and including 2.20.0) lets a low-privileged remote attacker manipulate a SQL INSERT statement to read the entire backend database and write rows into a non-critical table. The flaw, reported by CERT@VDE (VDE-2026-044, EUVD-2026-32133), yields total loss of confidentiality and partial loss of integrity but no availability impact. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, so this is a serious data-exposure bug rather than a mass-exploitation threat.
SQL injection in the saveDashboardLayout function of dash.php affects the mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote-maintenance platforms in versions up to and including 2.20.0. Because user-supplied input is improperly neutralized inside a SQL INSERT statement, a remote attacker can read the entire backend database and write rows into a non-critical table, yielding full loss of confidentiality and partial loss of integrity. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
SQL injection in the getDevicegroups function of MB connect line / Red Lion industrial remote-access products (mbCONNECT24, myREX24V2 and their hosted mymbCONNECT24 / myREX24V2.virtual variants, all versions up to and including 2.20.0) lets a low-privileged remote user inject crafted input into a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H, VI:N, VA:N). The issue was reported by CERT@VDE and published as advisory VDE-2026-044 / EUVD-2026-32161; no public exploit has been identified and EPSS is very low (0.03%, 11th percentile), indicating no observed widespread exploitation. Note a source discrepancy: the description labels the flaw 'unauthenticated' while the CVSS vector requires low privileges (PR:L) - this should be verified with the vendor.
Information disclosure via SQL injection affects the Easy View feature of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual) in versions up to and including 2.20.0. A remote attacker holding a low-privileged account can inject crafted input into a SQL SELECT statement to read arbitrary database contents, resulting in total loss of confidentiality. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 11th percentile), indicating no observed widespread exploitation activity.
SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.
SQL injection in the UpdateParam function of view.html.php affects MB connect line remote-access portals (mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual) in versions up to and including 2.20.0, letting an attacker inject into a SQL UPDATE statement to read the entire backend database and alter values in a non-critical table. The CVSS 4.0 vector (PR:H) indicates a high-privileged account is required, even though the advisory text labels the flaw 'unauthenticated' - a discrepancy defenders should resolve with the vendor. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC rates exploitation as 'none'.
SQL injection in the DeleteSysLogEntry function of MB connect line / Helmholz remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual variant through version 2.20.0 - lets a network attacker with high privileges inject SQL into a DELETE statement, reading the entire backend database and deleting rows in a non-critical syslog table. The flaw yields full confidentiality loss and limited integrity impact (CVSS 4.0 base 7.0). There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as none, indicating no observed in-the-wild activity. Note the vendor description's 'unauthenticated' wording conflicts with the CVSS PR:H (high privileges required) metric.
SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.
Arbitrary file disclosure in Synology Active Backup for Business (DSM add-on package, versions before 2.7.1-3234) lets unauthenticated remote attackers read sensitive files on the host via a SQL injection flaw (CWE-89). The vulnerability scores CVSS 8.6 with a changed scope and high confidentiality impact, but EPSS estimates only a 0.04% (14th percentile) exploitation probability, and there is no public exploit identified at time of analysis nor any CISA KEV listing. Synology, who self-reported the issue, has released a fixed package.
Time-based blind SQL Injection in the EnvíaloSimple: Email Marketing y Newsletters WordPress plugin (all versions through 2.4.5) allows authenticated administrators to extract sensitive data from the underlying database. The vulnerability is in the 'orderby' parameter, which is insufficiently escaped and passed into existing SQL queries without adequate preparation, enabling an attacker with administrator-level WordPress credentials to append arbitrary SQL and enumerate database contents. EPSS is very low (0.03%, 8th percentile), no public exploit has been identified, and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation pressure at this time.
SQL injection in the dsgvo_contracts view of mbCONNECT24 and related industrial remote access platforms (versions up to and including 2.20.0) enables a high-privileged remote attacker to exfiltrate confidential data from the underlying database without integrity or availability impact. The vulnerability (CWE-89, CVSS 4.0: 6.9) is constrained by the PR:H requirement - the attacker must already hold high-privileged credentials - which substantially limits realistic attack surface in well-managed deployments. No public exploit or active exploitation has been identified; CISA SSVC rates exploitation as none and EPSS stands at 0.03% (10th percentile).
SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement bound to the 'devices' parameter in the accountstatus view, yielding full read access to the backend database and limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor — this directly contradicts the advisory text that labels the flaw 'unauthenticated,' a discrepancy defenders should resolve with the vendor. EPSS is very low (0.03%, 10th percentile) and there is no CISA KEV entry; no public exploit identified at time of analysis.
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).
SQL injection in the DevSerialReset function of MB connect line / Helmholz industrial remote-access portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and the .virtual variants) lets a high-privileged remote attacker read the entire backend database and modify values in a non-critical table. The flaw stems from improper neutralization of special elements within a SQL UPDATE statement (CWE-89), yielding total loss of confidentiality and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood very low (0.03%, 10th percentile).
SQL injection in the DevSerialReset function of MB Connect Line's mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote access platforms allows a high-privileged remote attacker to read arbitrary database contents via a maliciously crafted SQL SELECT statement. All product variants at or below version 2.20.0 are confirmed affected per ENISA EUVD-2026-32126. No public exploit code exists and EPSS is 0.03% (10th percentile), indicating low observed exploitation pressure at time of analysis; however, the industrial/OT targeting profile warrants attention.
SQL injection in the getAccountByID function of MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual industrial remote-access platforms (all versions up to and including 2.20.0) allows a high-privileged remote attacker to extract data from the underlying database via a crafted SELECT statement. The vulnerability is classified under CWE-89 with confidentiality impact rated High on the vulnerable component, while integrity and availability remain unaffected. No public exploit code exists and no KEV listing has been issued; EPSS (0.03%, 10th percentile) and SSVC signals both indicate low current exploitation likelihood.
Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance platform (and the related myREX24V2, myREX24V2.virtual, and mymbCONNECT24 portals) at version 2.20.0 and earlier lets a remote attacker inject crafted SQL into a SELECT statement processed by the 'sync_data24' task, yielding a total loss of database confidentiality (CVSS 4.0 base 8.7). Because the CVSS vector confirms no privileges and no user interaction (PR:N/UI:N), any network-reachable client can attempt it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), so widespread automated exploitation is not currently indicated.
Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance portal (and the related myREX24V2, myREX24V2.virtual and mymbCONNECT24 products, all versions up to and including 2.20.0) lets a remote attacker read arbitrary data from the backend database by abusing the _mb24confi_getDevice function. The flaw requires no credentials, no user interaction and low attack complexity over the network (CVSS 4.0 score 8.7), but its impact is confined to confidentiality. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed exploitation activity yet.
SQL injection in the mbCONNECT24 / myREX24V2 family of industrial remote-maintenance platforms (all editions at version 2.20.0 and earlier) lets unauthenticated remote attackers manipulate a SQL SELECT statement in the getAlarmProfiles function and read arbitrary database contents. The flaw (CWE-89) carries a CVSS 4.0 base score of 8.7 with a confidentiality-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed mass-exploitation pressure despite the high base score.
SQL injection in MB connect line's mbCONNECT24, mymbCONNECT24, and myREX24V2 remote-maintenance portals (all versions up to and including 2.20.0) lets an unauthenticated remote attacker inject crafted SQL through the _mb24confi_getTagAlarm function in mb24alarm.php, resulting in a total loss of database confidentiality. The CVSS 4.0 base score of 8.7 reflects network reach with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), but impact is scoped to confidentiality only (VC:H, VI:N, VA:N) - an attacker can read data but cannot directly alter or disrupt the system through this flaw. No public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no observed broad exploitation activity despite the high base score.
Unauthenticated SQL injection in the mbCONNECT24/myREX24 industrial remote-maintenance platform (all variants up to and including 2.20.0) lets remote attackers extract database contents through the _mb24api_getUserAccount API function via a crafted SQL SELECT command (CWE-89). The CVSS 4.0 score of 8.7 reflects a confidentiality-only impact (VC:H, VI:N, VA:N) reachable over the network with no authentication and no user interaction. No public exploit has been identified at time of analysis and EPSS rates exploitation probability very low (0.05%, 15th percentile), but the no-auth, network-reachable design makes credential and account-data theft a credible concern.
SQL injection in MB connect line's mbCONNECT24 remote-maintenance platform (and the related myREX24V2, mymbCONNECT24 and myREX24V2.virtual products through version 2.20.0) lets unauthenticated remote attackers read arbitrary database contents. The flaw lives in the _mb24confi_getTagAlarm function of dataapi.php, where attacker-controlled input is concatenated into a SQL SELECT statement, yielding a total loss of confidentiality. There is no public exploit identified at time of analysis, the EPSS probability is very low (0.05%), and the issue is not on CISA KEV; it was reported by CERT@VDE (advisory VDE-2026-044).
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (versions up to and including 2.20.0) lets a remote, unauthenticated attacker read arbitrary database contents by manipulating the tagid parameter of the getLiveValues function. The CVSS 4.0 base score is 8.7 with a confidentiality-only impact (VC:H, VI:N, VA:N), and no public exploit has been identified at the time of analysis. EPSS is very low (0.05%, 15th percentile), and the issue is not in CISA KEV, so widespread automated exploitation is not currently indicated despite the network-reachable, no-auth attack surface.
Unauthenticated SQL injection in MB connect line's mbCONNECT24 and myREX24V2 industrial remote-maintenance portals (all editions through 2.20.0) lets remote attackers inject SQL through the 'sn' parameter of the getLiveValues function, producing a total loss of confidentiality. Disclosed via CERT@VDE advisory VDE-2026-044 and tracked as EUVD-2026-32112, the flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication or user interaction, though it has no integrity or availability impact. No public exploit is identified at time of analysis and EPSS rates near-term exploitation probability low at 0.05% (15th percentile).
Unauthenticated SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (all variants at versions ≤2.20.0) lets a remote attacker inject crafted input into a SQL SELECT statement handled by the ssoabstractservice (single sign-on) component, yielding read access to backend database contents and a total loss of confidentiality. The flaw requires no authentication, no privileges, and no user interaction over the network. No public exploit has been identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), but the issue affects internet-exposed OT remote-access portals, raising its practical exposure.
SQL injection in the MB connect line / Red Lion remote-maintenance platform (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual, all versions up to and including 2.20.0) lets a remote, unauthenticated attacker inject crafted SQL into the userinfo endpoint, resulting in total loss of confidentiality of the backing database. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and tracked in the ENISA EUVD as EUVD-2026-32110. There is no public exploit identified at time of analysis and EPSS is very low (0.05%), but the CVSS 4.0 base score is 8.7 and CISA's SSVC framework rates the issue as automatable.
SQL injection in dotCMS Core (versions 25.11.04-1 through 26.04.28-02) lets remote unauthenticated attackers read, modify, or destroy arbitrary database content through the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, which neither enforced authentication nor sanitized input before constructing SQL. The flaw carries a maximum CVSS 4.0 base score of 10.0, reflecting full confidentiality, integrity, and availability impact extending to subsequent systems. No public exploit was identified at time of analysis and EPSS is low (0.38%, 60th percentile), but the network-reachable, no-privilege, no-interaction profile makes this an urgent patch for affected (non-LTS) deployments.
SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.
SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.
SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact - though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity; no public exploit identified at time of analysis reaching KEV status.
SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.
SQL injection in Chatwoot versions 2.2.0 through 4.11.1 allows any authenticated account user to execute arbitrary SQL via time-based blind injection by abusing unparameterized values in custom-attribute filter operators on the conversation, contact, and custom attribute definition APIs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 8th percentile), but CVSS 8.5 with scope-changed confidentiality impact reflects the ability to read data beyond the attacker's account boundary. The vulnerability is fixed in Chatwoot 4.11.2.
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.
Blind SQL injection in the com_finder (Smart Search) component of Joomla! CMS allows authenticated high-privilege users to extract confidential data from the underlying database across versions 5.4.0-5.4.5 and 6.0.0-6.1.0. The vulnerability stems from improperly constructed SQL filter clauses in search queries that permit attacker-controlled input to alter query logic. No public exploit has been identified at time of analysis, CISA has not added this to the KEV catalog, and EPSS probability sits at 0.03%, signaling minimal observed exploitation pressure.
Authenticated blind SQL injection in Joomla! CMS's com_tags component allows high-privileged attackers to exfiltrate database contents by supplying maliciously crafted ORDER BY clauses that are not properly validated. Affected versions span two distinct release trains: the 4.x/5.x line (4.0.0 through 5.4.5) and the 6.x line (6.0.0 through 6.1.0), meaning the vulnerability persists across both legacy and current major releases. No public exploit code has been identified at time of analysis, and the EPSS score of 0.00% indicates negligible automated exploitation probability, though the high-privilege requirement significantly limits the realistic attacker pool.
SQL injection in IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 permits authenticated remote attackers to send specially crafted SQL statements that manipulate back-end database content - enabling unauthorized data reads, inserts, modifications, or deletions. The CVSS vector scores confidentiality impact as none (C:N), yet the vendor description explicitly states attackers may view data, a discrepancy that warrants direct verification against IBM's advisory. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (9th percentile), and CISA SSVC rates exploitation as none, collectively indicating low near-term exploitation risk.
Authenticated SQL injection in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) lets administrative users execute arbitrary SQL against the application database through the /admin/DatabaseQuery endpoint's qs parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), enabling dumping of password hashes from OKM_USER, permission tampering, and data destruction. EPSS is very low (0.03%) and the bug requires high privileges (PR:H), so real-world risk is bounded but meaningful for any internet-facing OpenKM instance with weak admin credentials.
SQL injection in Das Parking Management System (停车场管理系统) 6.2.0 allows remote unauthenticated attackers to manipulate the Value argument of the Search API Endpoint, enabling unauthorized database read and write operations. The CVSS 4.0 vector confirms network-accessible, zero-complexity, no-privilege-required exploitation with partial impact across confidentiality, integrity, and availability. A public exploit has been released per VulDB (EUVD-2026-31829), and the vendor was unresponsive to disclosure - no patch exists at time of analysis.
SQL injection via the xp_cmdshell-invoked export endpoint in Das Parking Management System 6.2.0 allows unauthenticated remote attackers to manipulate database queries through the Value parameter of the ParkingRecord/ExportParkingRecords API endpoint. The specific reference to xp_cmdshell - a Microsoft SQL Server extended stored procedure capable of executing operating system commands - elevates the potential impact beyond typical data-layer SQL injection if that procedure is enabled on the target SQL Server instance, making this more consequential than the CVSS 5.5 score alone suggests. A publicly available proof-of-concept exploit exists and the vendor has not responded to disclosure, leaving version 6.2.0 without a vendor-issued patch.
Cross-domain RBAC bypass in Check Point Quantum Security Management allows an authenticated administrator with read-write access to one Management Domain (CMA) to modify Compliance Best Practices metadata stored in a separate Management Domain where they hold no permissions. The underlying root cause is SQL injection (CWE-89, corroborated by the 'SQLi' intelligence tag), suggesting the Compliance feature's metadata storage does not enforce domain-level query isolation. Affected releases span R81.10 and below, R81.20 up to Jumbo Hotfix Take 127, R82 up to Jumbo Hotfix Take 91, and R82.10 up to Jumbo Hotfix Take 19. No public exploit identified at time of analysis, and EPSS of 0.04% reflects low observed exploitation probability.
SQL injection in Check Point Quantum Security Gateway's UserCheck Web Portal allows a remote unauthenticated attacker who can reach the UserCheck Ask page to manipulate the Security Gateway's stored DLP incident database when the DLP blade is active. Successful exploitation can cause loss of stored incident entries, disruption of pending approval workflows, or resource exhaustion through repeated abuse - all of which could undermine the integrity of an organization's data loss prevention audit trail. No public exploit code has been identified and EPSS is very low at 0.06% (18th percentile), with no CISA KEV listing at time of analysis.
SQL injection in the Sixun Shanghui Group Business Management System 10 exposes the /api/Dinner/PayConfig endpoint to unauthenticated remote attackers who can manipulate the tableno parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position - only access to the endpoint. A public proof-of-concept exploit is available via a Feishu document, though EPSS remains very low at 0.03% (8th percentile), and no patch has been released as the vendor was unresponsive to coordinated disclosure.
SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate the `email_id` parameter in `/admin/add_staff.php`, enabling arbitrary SQL query manipulation against the underlying database. The CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - confidentiality, integrity, and availability are each rated Low with no lateral impact to subsequent systems - and EPSS at 0.03% (8th percentile) indicates negligible real-world exploitation probability despite a publicly available proof-of-concept on GitHub. No active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
SQL injection in xianrendzw EasyReport up to version 2.0.17.0522_Beta exposes authenticated remote attackers a path to query manipulation via the `reportParams` argument in the REST Endpoint's `execute` function. The CVSS 4.0 score of 5.3 reflects a low-privilege authenticated requirement with partial impact across confidentiality, integrity, and availability - meaning data exfiltration, record tampering, and limited availability disruption are all within scope. No public exploit has been confirmed and no vendor patch exists, as the vendor did not respond to coordinated disclosure; EPSS at 0.03% (8th percentile) corroborates low current exploitation interest.
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 enables remote unauthenticated attackers to manipulate the `sort` parameter at the `/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree` endpoint, achieving partial read, write, and availability impact against the backend database. The `..;` path segment is a known Java servlet filter-bypass technique, suggesting the endpoint may circumvent URL-based access controls before reaching the vulnerable query handler. A public proof-of-concept exploit exists and the vendor did not respond to responsible disclosure, meaning no patch is currently available - leaving all deployments of this power infrastructure management platform exposed.
Blind SQL injection in the eMagicOne Store Manager WordPress plugin (versions up to and including 1.3.2) allows remote unauthenticated attackers to inject malicious SQL through improperly sanitized parameters. With a CVSS 9.3 score and changed scope, successful exploitation can expose confidential database contents across the WordPress installation, though EPSS remains very low (0.03%) and no public exploit identified at time of analysis.
SQL injection in Crocoblock JetEngine (a WordPress plugin) through version 3.8.8.1 allows remote unauthenticated attackers to inject crafted SQL into backend queries, leading to high-impact confidentiality disclosure and limited availability impact with a scope change to other components. The flaw carries a CVSS 9.3 rating and was disclosed by Patchstack, but there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Blind SQL injection in the Unlimited Elements For Elementor WordPress plugin (versions up to and including 2.0.8) allows authenticated low-privilege attackers to inject arbitrary SQL into backend database queries. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5 due to scope change and high confidentiality impact, though no public exploit identified at time of analysis and EPSS probability remains low at 0.03%. The scope change (S:C) indicates the injection crosses a trust boundary, amplifying impact beyond the vulnerable component.
Pre-authentication SQL injection in Roundcube Webmail's virtuser_query plugin allows unauthenticated remote attackers to bypass input sanitization through a preg_replace() backslash escape flaw and inject arbitrary SQL against the backing database. Versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 are affected. Vendor patches are available, no public exploit identified at time of analysis, and EPSS is low (0.08%), but SSVC rates technical impact as total.
SQL injection in yashpokharna2555 StudentManagementSystem's /studentdel.php endpoint allows remote unauthenticated attackers to manipulate the ID parameter within the confirm_logged_in function, enabling arbitrary SQL query execution against the backend database. All commits up to cb2f558ddf8d19396de0f92abf2d224d46a0a203 of this PHP-based academic application are affected, with no patched release available due to its rolling-release model and vendor non-response. A public exploit exists per GitHub issue #5, and SSVC flags the attack as automatable, though the EPSS score of 0.03% reflects limited real-world scanning activity likely attributable to the application's narrow deployment footprint.
SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.
SQL injection in yashpokharna2555's StudentManagementSystem (commit cb2f558) exposes the confirm_logged_in function in student_trans.php to unauthenticated remote attackers who can manipulate FIRST_NAME, Last_Name, and EMAIL parameters to execute arbitrary SQL against the backend database. A public exploit has been disclosed via GitHub issue #3, confirming exploitability requires minimal skill; however, EPSS at 0.03% (9th percentile) indicates very low observed real-world exploitation activity, likely reflecting the narrow deployment footprint of this niche open-source PHP project rather than any technical barrier. No patch is available at time of analysis, as the maintainer has not responded to the coordinated disclosure.
SQL injection in the PHP-based yashpokharna2555/StudentManagementSystem exposes the /success.php endpoint to remote unauthenticated database attacks via the unsanitized 'User' argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position. A publicly available exploit exists via a GitHub issue report; the project maintainer has been notified but has not responded, and no patch has been released. Despite POC availability, EPSS sits at 0.03% (9th percentile), reflecting the niche, low-adoption nature of this project rather than a reduced technical severity.
Unauthenticated SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes database contents to remote attackers via the strTBName parameter of the GetDBDataEx.jsp web service endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code has been made publicly available, raising the operational risk despite a relatively low EPSS score of 0.03%. The vendor was notified prior to public disclosure but did not respond, and no vendor-released patch has been identified at time of analysis.
Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Employee Management System 1.0 allows remote low-privileged attackers to manipulate the `ID` parameter in `/process/applyleaveprocess.php`, enabling unauthorized database read and write operations with partial impact across confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists on GitHub, though no confirmed active exploitation (CISA KEV) has been recorded. EPSS at 0.03% (8th percentile) and an SSVC assessment of 'not automatable' indicate low broad exploitation likelihood, though the accessible POC meaningfully lowers the barrier for targeted manual attacks against organizations running this application.
SQL injection in the /psubmit.php endpoint of code-projects Employee Management System 1.0 enables authenticated remote attackers to manipulate the pid parameter and inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been released on GitHub, reducing the skill barrier for exploitation against unpatched deployments. Despite a low CVSS 4.0 base score of 2.1 reflecting partial impact scope and low-privilege requirements, the combination of network accessibility and public PoC warrants prompt remediation for any internet-facing instance; no public exploit identified meets CISA KEV criteria, and no vendor-released patch has been confirmed at time of analysis.
SQL injection in code-projects Employee Management System 1.0 exposes the /changepassemp.php password-change endpoint to database manipulation by authenticated low-privilege users over the network. The CVSS 4.0 score of 2.1 reflects limited, non-cascading impact - partial confidentiality, integrity, and availability degradation confined to the vulnerable component with no downstream system scope change. A publicly available proof-of-concept exploit exists on GitHub, though the EPSS score of 0.03% (8th percentile) and SSVC 'automatable: no' classification indicate this is unlikely to see widespread opportunistic exploitation; no public exploit identified at time of analysis corroborating active KEV-level campaigns.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 exposes the application to unauthenticated remote data extraction and manipulation via the Name parameter in /user/search.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and a publicly available proof-of-concept exploit (GitHub gist) lowers the bar for exploitation. No active exploitation has been confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) indicates limited real-world exploitation activity at time of analysis despite the public POC.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote authenticated administrators to manipulate database queries via the ID parameter in /admin/edit_customer.php. The vulnerability is tagged CWE-89 and carries a CVSS 4.0 base score of 2.0, reflecting the high privilege requirement that significantly limits the attacker pool to those with existing admin access. Publicly available exploit code exists (hosted on GitHub Gist), though EPSS remains very low at 0.03% (8th percentile), and no CISA KEV listing is present - indicating no confirmed widespread exploitation at time of analysis.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows a remote, high-privileged (admin-level) attacker to manipulate database queries via the unsanitized 'ID' GET parameter in /admin/deleteproduct.php. Successful exploitation yields partial read, write, and availability impact on the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though no confirmed active exploitation (KEV) has been observed, and the EPSS score of 0.03% reflects minimal real-world exploitation pressure.
SQL injection in SourceCodester Indian Invoicing System 1.0 allows a remote, low-privileged authenticated attacker to manipulate database queries through the customer_name and category parameters in /Invoicing/IGST_Invoice.php. The vulnerability yields partial confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though the application is a niche, open-source invoicing tool with limited deployment footprint and no confirmed active exploitation in the wild.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin login endpoint at /intrams/admin/login.php to unauthenticated remote attackers who can manipulate the Username parameter to alter backend SQL query logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction, and publicly available exploit code (E:P) further lowers the barrier to entry. Although EPSS sits at 0.03% (9th percentile) indicating low observed exploitation activity, no vendor patch has been identified at time of analysis, leaving all known deployments of version 1.0 without an official remediation path.
SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a CVSS score of 7.3, indicating high severity with the ability to impact confidentiality, integrity, and availability of the application.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though not listed in CISA KEV. The vulnerability carries moderate risk with CVSS 7.3 reflecting potential for data theft and manipulation of patient records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with potential to read, modify, or delete patient records. CVSS 7.3 indicates moderate severity with no exploitation prerequisites.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows authenticated attackers to extract, modify, or delete database records via the ID parameter in /admin/patients/view_history.php. The vulnerability requires low-privilege authenticated access (PR:L) but has low attack complexity (AC:L) and can be exploited remotely. Publicly available exploit code exists on GitHub (referenced in VulDB entry), enabling immediate weaponization by threat actors. EPSS data not available, and the vulnerability is not currently listed in CISA KEV, indicating exploitation may be limited or targeted rather than widespread. The CVSS 6.3 (Medium) rating reflects partial impact across confidentiality, integrity, and availability (C:L/I:L/A:L).
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in the VerifyCreateLicences function of MB connect line's mbCONNECT24 / myREX24 remote-maintenance platforms (including the myREX24V2.virtual and mymbCONNECT24 variants, versions up to and including 2.20.0) lets a remote attacker holding a low-privilege account inject crafted input into a SQL SELECT statement and read arbitrary database contents, causing total loss of confidentiality. The CVSS 4.0 base score is 7.1 with high confidentiality impact but no integrity or availability impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability very low at 0.03% (11th percentile).
SQL injection in the getComponentScalings function of MB connect line's mbCONNECT24/myREX24V2 remote-maintenance platforms (all variants at version 2.20.0 and earlier) lets a remote attacker manipulate a backend SQL SELECT statement to read arbitrary database contents, causing a total loss of confidentiality. The flaw was reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32138) and the CVSS 4.0 vector indicates the attacker holds at least a low-privilege account (PR:L), although the description text confusingly also calls it 'unauthenticated.' No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), indicating no observed mass-exploitation interest.
SQL injection in the mbCONNECT24 industrial remote-access platform (and the sibling products myREX24V2, myREX24V2.virtual and mymbCONNECT24, all versions up to and including 2.20.0) lets a remote attacker abuse the getDeviceScalings function, where user input is concatenated into a SQL SELECT statement without proper neutralization (CWE-89). Successful injection yields a total loss of confidentiality, allowing extraction of arbitrary database contents, though integrity and availability are unaffected per the CVSS 4.0 vector (VC:H/VI:N/VA:N, score 7.1). There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile).
Confidential data disclosure via SQL injection affects the mbCONNECT24 industrial remote-maintenance platform and its related variants (mymbCONNECT24, myREX24V2, myREX24V2.virtual) at versions up to and including 2.20.0. The flaw lives in the getProjectScalings function, where attacker-controlled input reaches a SQL SELECT statement, allowing extraction of arbitrary database contents and a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H). The CVSS vector requires low-privilege access (PR:L), which conflicts with the description's claim of an 'unauthenticated' attack - a discrepancy defenders should resolve against the vendor advisory. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), with CISA SSVC rating exploitation as 'none'.
SQL injection in MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 at versions up to and including 2.20.0 - lets a low-privileged remote attacker manipulate the SQL DELETE command in the 'inmessage' model to read the entire backend database and delete rows from a non-critical table. The flaw yields full confidentiality loss and partial integrity loss but no availability impact, and is rated CVSS 4.0 7.1. EPSS is very low (0.03%, 11th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV.
SQL injection in the MB connect line mbCONNECT24 / myREX24 family of industrial remote-maintenance gateways (all listed editions through 2.20.0) lets a low-privileged remote user feed crafted input into a SQL SELECT statement assembled by the saveObjectFromData function, exposing the full backend database for reading. Reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32134), the issue is a confidentiality-only impact (CVSS 4.0 base 7.1, VC:H/VI:N/VA:N). No public exploit code and no CISA KEV listing exist at this time, and EPSS is very low (0.03%, 11th percentile), indicating no observed mass exploitation.
SQL injection in the saveDashboardLayout function of dash_layout.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-access platforms (all versions up to and including 2.20.0) lets a low-privileged remote attacker manipulate a SQL INSERT statement to read the entire backend database and write rows into a non-critical table. The flaw, reported by CERT@VDE (VDE-2026-044, EUVD-2026-32133), yields total loss of confidentiality and partial loss of integrity but no availability impact. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, so this is a serious data-exposure bug rather than a mass-exploitation threat.
SQL injection in the saveDashboardLayout function of dash.php affects the mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote-maintenance platforms in versions up to and including 2.20.0. Because user-supplied input is improperly neutralized inside a SQL INSERT statement, a remote attacker can read the entire backend database and write rows into a non-critical table, yielding full loss of confidentiality and partial loss of integrity. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
SQL injection in the getDevicegroups function of MB connect line / Red Lion industrial remote-access products (mbCONNECT24, myREX24V2 and their hosted mymbCONNECT24 / myREX24V2.virtual variants, all versions up to and including 2.20.0) lets a low-privileged remote user inject crafted input into a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H, VI:N, VA:N). The issue was reported by CERT@VDE and published as advisory VDE-2026-044 / EUVD-2026-32161; no public exploit has been identified and EPSS is very low (0.03%, 11th percentile), indicating no observed widespread exploitation. Note a source discrepancy: the description labels the flaw 'unauthenticated' while the CVSS vector requires low privileges (PR:L) - this should be verified with the vendor.
Information disclosure via SQL injection affects the Easy View feature of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual) in versions up to and including 2.20.0. A remote attacker holding a low-privileged account can inject crafted input into a SQL SELECT statement to read arbitrary database contents, resulting in total loss of confidentiality. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 11th percentile), indicating no observed widespread exploitation activity.
SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.
SQL injection in the UpdateParam function of view.html.php affects MB connect line remote-access portals (mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual) in versions up to and including 2.20.0, letting an attacker inject into a SQL UPDATE statement to read the entire backend database and alter values in a non-critical table. The CVSS 4.0 vector (PR:H) indicates a high-privileged account is required, even though the advisory text labels the flaw 'unauthenticated' - a discrepancy defenders should resolve with the vendor. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC rates exploitation as 'none'.
SQL injection in the DeleteSysLogEntry function of MB connect line / Helmholz remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual variant through version 2.20.0 - lets a network attacker with high privileges inject SQL into a DELETE statement, reading the entire backend database and deleting rows in a non-critical syslog table. The flaw yields full confidentiality loss and limited integrity impact (CVSS 4.0 base 7.0). There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as none, indicating no observed in-the-wild activity. Note the vendor description's 'unauthenticated' wording conflicts with the CVSS PR:H (high privileges required) metric.
SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.
Arbitrary file disclosure in Synology Active Backup for Business (DSM add-on package, versions before 2.7.1-3234) lets unauthenticated remote attackers read sensitive files on the host via a SQL injection flaw (CWE-89). The vulnerability scores CVSS 8.6 with a changed scope and high confidentiality impact, but EPSS estimates only a 0.04% (14th percentile) exploitation probability, and there is no public exploit identified at time of analysis nor any CISA KEV listing. Synology, who self-reported the issue, has released a fixed package.
Time-based blind SQL Injection in the EnvíaloSimple: Email Marketing y Newsletters WordPress plugin (all versions through 2.4.5) allows authenticated administrators to extract sensitive data from the underlying database. The vulnerability is in the 'orderby' parameter, which is insufficiently escaped and passed into existing SQL queries without adequate preparation, enabling an attacker with administrator-level WordPress credentials to append arbitrary SQL and enumerate database contents. EPSS is very low (0.03%, 8th percentile), no public exploit has been identified, and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation pressure at this time.
SQL injection in the dsgvo_contracts view of mbCONNECT24 and related industrial remote access platforms (versions up to and including 2.20.0) enables a high-privileged remote attacker to exfiltrate confidential data from the underlying database without integrity or availability impact. The vulnerability (CWE-89, CVSS 4.0: 6.9) is constrained by the PR:H requirement - the attacker must already hold high-privileged credentials - which substantially limits realistic attack surface in well-managed deployments. No public exploit or active exploitation has been identified; CISA SSVC rates exploitation as none and EPSS stands at 0.03% (10th percentile).
SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement bound to the 'devices' parameter in the accountstatus view, yielding full read access to the backend database and limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor — this directly contradicts the advisory text that labels the flaw 'unauthenticated,' a discrepancy defenders should resolve with the vendor. EPSS is very low (0.03%, 10th percentile) and there is no CISA KEV entry; no public exploit identified at time of analysis.
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).
SQL injection in the DevSerialReset function of MB connect line / Helmholz industrial remote-access portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and the .virtual variants) lets a high-privileged remote attacker read the entire backend database and modify values in a non-critical table. The flaw stems from improper neutralization of special elements within a SQL UPDATE statement (CWE-89), yielding total loss of confidentiality and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood very low (0.03%, 10th percentile).
SQL injection in the DevSerialReset function of MB Connect Line's mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote access platforms allows a high-privileged remote attacker to read arbitrary database contents via a maliciously crafted SQL SELECT statement. All product variants at or below version 2.20.0 are confirmed affected per ENISA EUVD-2026-32126. No public exploit code exists and EPSS is 0.03% (10th percentile), indicating low observed exploitation pressure at time of analysis; however, the industrial/OT targeting profile warrants attention.
SQL injection in the getAccountByID function of MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual industrial remote-access platforms (all versions up to and including 2.20.0) allows a high-privileged remote attacker to extract data from the underlying database via a crafted SELECT statement. The vulnerability is classified under CWE-89 with confidentiality impact rated High on the vulnerable component, while integrity and availability remain unaffected. No public exploit code exists and no KEV listing has been issued; EPSS (0.03%, 10th percentile) and SSVC signals both indicate low current exploitation likelihood.
Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance platform (and the related myREX24V2, myREX24V2.virtual, and mymbCONNECT24 portals) at version 2.20.0 and earlier lets a remote attacker inject crafted SQL into a SELECT statement processed by the 'sync_data24' task, yielding a total loss of database confidentiality (CVSS 4.0 base 8.7). Because the CVSS vector confirms no privileges and no user interaction (PR:N/UI:N), any network-reachable client can attempt it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), so widespread automated exploitation is not currently indicated.
Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance portal (and the related myREX24V2, myREX24V2.virtual and mymbCONNECT24 products, all versions up to and including 2.20.0) lets a remote attacker read arbitrary data from the backend database by abusing the _mb24confi_getDevice function. The flaw requires no credentials, no user interaction and low attack complexity over the network (CVSS 4.0 score 8.7), but its impact is confined to confidentiality. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed exploitation activity yet.
SQL injection in the mbCONNECT24 / myREX24V2 family of industrial remote-maintenance platforms (all editions at version 2.20.0 and earlier) lets unauthenticated remote attackers manipulate a SQL SELECT statement in the getAlarmProfiles function and read arbitrary database contents. The flaw (CWE-89) carries a CVSS 4.0 base score of 8.7 with a confidentiality-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed mass-exploitation pressure despite the high base score.
SQL injection in MB connect line's mbCONNECT24, mymbCONNECT24, and myREX24V2 remote-maintenance portals (all versions up to and including 2.20.0) lets an unauthenticated remote attacker inject crafted SQL through the _mb24confi_getTagAlarm function in mb24alarm.php, resulting in a total loss of database confidentiality. The CVSS 4.0 base score of 8.7 reflects network reach with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), but impact is scoped to confidentiality only (VC:H, VI:N, VA:N) - an attacker can read data but cannot directly alter or disrupt the system through this flaw. No public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no observed broad exploitation activity despite the high base score.
Unauthenticated SQL injection in the mbCONNECT24/myREX24 industrial remote-maintenance platform (all variants up to and including 2.20.0) lets remote attackers extract database contents through the _mb24api_getUserAccount API function via a crafted SQL SELECT command (CWE-89). The CVSS 4.0 score of 8.7 reflects a confidentiality-only impact (VC:H, VI:N, VA:N) reachable over the network with no authentication and no user interaction. No public exploit has been identified at time of analysis and EPSS rates exploitation probability very low (0.05%, 15th percentile), but the no-auth, network-reachable design makes credential and account-data theft a credible concern.
SQL injection in MB connect line's mbCONNECT24 remote-maintenance platform (and the related myREX24V2, mymbCONNECT24 and myREX24V2.virtual products through version 2.20.0) lets unauthenticated remote attackers read arbitrary database contents. The flaw lives in the _mb24confi_getTagAlarm function of dataapi.php, where attacker-controlled input is concatenated into a SQL SELECT statement, yielding a total loss of confidentiality. There is no public exploit identified at time of analysis, the EPSS probability is very low (0.05%), and the issue is not on CISA KEV; it was reported by CERT@VDE (advisory VDE-2026-044).
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (versions up to and including 2.20.0) lets a remote, unauthenticated attacker read arbitrary database contents by manipulating the tagid parameter of the getLiveValues function. The CVSS 4.0 base score is 8.7 with a confidentiality-only impact (VC:H, VI:N, VA:N), and no public exploit has been identified at the time of analysis. EPSS is very low (0.05%, 15th percentile), and the issue is not in CISA KEV, so widespread automated exploitation is not currently indicated despite the network-reachable, no-auth attack surface.
Unauthenticated SQL injection in MB connect line's mbCONNECT24 and myREX24V2 industrial remote-maintenance portals (all editions through 2.20.0) lets remote attackers inject SQL through the 'sn' parameter of the getLiveValues function, producing a total loss of confidentiality. Disclosed via CERT@VDE advisory VDE-2026-044 and tracked as EUVD-2026-32112, the flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication or user interaction, though it has no integrity or availability impact. No public exploit is identified at time of analysis and EPSS rates near-term exploitation probability low at 0.05% (15th percentile).
Unauthenticated SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (all variants at versions ≤2.20.0) lets a remote attacker inject crafted input into a SQL SELECT statement handled by the ssoabstractservice (single sign-on) component, yielding read access to backend database contents and a total loss of confidentiality. The flaw requires no authentication, no privileges, and no user interaction over the network. No public exploit has been identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), but the issue affects internet-exposed OT remote-access portals, raising its practical exposure.
SQL injection in the MB connect line / Red Lion remote-maintenance platform (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual, all versions up to and including 2.20.0) lets a remote, unauthenticated attacker inject crafted SQL into the userinfo endpoint, resulting in total loss of confidentiality of the backing database. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and tracked in the ENISA EUVD as EUVD-2026-32110. There is no public exploit identified at time of analysis and EPSS is very low (0.05%), but the CVSS 4.0 base score is 8.7 and CISA's SSVC framework rates the issue as automatable.
SQL injection in dotCMS Core (versions 25.11.04-1 through 26.04.28-02) lets remote unauthenticated attackers read, modify, or destroy arbitrary database content through the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, which neither enforced authentication nor sanitized input before constructing SQL. The flaw carries a maximum CVSS 4.0 base score of 10.0, reflecting full confidentiality, integrity, and availability impact extending to subsequent systems. No public exploit was identified at time of analysis and EPSS is low (0.38%, 60th percentile), but the network-reachable, no-privilege, no-interaction profile makes this an urgent patch for affected (non-LTS) deployments.
SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.
SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.
SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact - though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity; no public exploit identified at time of analysis reaching KEV status.
SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.
SQL injection in Chatwoot versions 2.2.0 through 4.11.1 allows any authenticated account user to execute arbitrary SQL via time-based blind injection by abusing unparameterized values in custom-attribute filter operators on the conversation, contact, and custom attribute definition APIs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 8th percentile), but CVSS 8.5 with scope-changed confidentiality impact reflects the ability to read data beyond the attacker's account boundary. The vulnerability is fixed in Chatwoot 4.11.2.
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.
Blind SQL injection in the com_finder (Smart Search) component of Joomla! CMS allows authenticated high-privilege users to extract confidential data from the underlying database across versions 5.4.0-5.4.5 and 6.0.0-6.1.0. The vulnerability stems from improperly constructed SQL filter clauses in search queries that permit attacker-controlled input to alter query logic. No public exploit has been identified at time of analysis, CISA has not added this to the KEV catalog, and EPSS probability sits at 0.03%, signaling minimal observed exploitation pressure.
Authenticated blind SQL injection in Joomla! CMS's com_tags component allows high-privileged attackers to exfiltrate database contents by supplying maliciously crafted ORDER BY clauses that are not properly validated. Affected versions span two distinct release trains: the 4.x/5.x line (4.0.0 through 5.4.5) and the 6.x line (6.0.0 through 6.1.0), meaning the vulnerability persists across both legacy and current major releases. No public exploit code has been identified at time of analysis, and the EPSS score of 0.00% indicates negligible automated exploitation probability, though the high-privilege requirement significantly limits the realistic attacker pool.
SQL injection in IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 permits authenticated remote attackers to send specially crafted SQL statements that manipulate back-end database content - enabling unauthorized data reads, inserts, modifications, or deletions. The CVSS vector scores confidentiality impact as none (C:N), yet the vendor description explicitly states attackers may view data, a discrepancy that warrants direct verification against IBM's advisory. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (9th percentile), and CISA SSVC rates exploitation as none, collectively indicating low near-term exploitation risk.
Authenticated SQL injection in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) lets administrative users execute arbitrary SQL against the application database through the /admin/DatabaseQuery endpoint's qs parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), enabling dumping of password hashes from OKM_USER, permission tampering, and data destruction. EPSS is very low (0.03%) and the bug requires high privileges (PR:H), so real-world risk is bounded but meaningful for any internet-facing OpenKM instance with weak admin credentials.
SQL injection in Das Parking Management System (停车场管理系统) 6.2.0 allows remote unauthenticated attackers to manipulate the Value argument of the Search API Endpoint, enabling unauthorized database read and write operations. The CVSS 4.0 vector confirms network-accessible, zero-complexity, no-privilege-required exploitation with partial impact across confidentiality, integrity, and availability. A public exploit has been released per VulDB (EUVD-2026-31829), and the vendor was unresponsive to disclosure - no patch exists at time of analysis.
SQL injection via the xp_cmdshell-invoked export endpoint in Das Parking Management System 6.2.0 allows unauthenticated remote attackers to manipulate database queries through the Value parameter of the ParkingRecord/ExportParkingRecords API endpoint. The specific reference to xp_cmdshell - a Microsoft SQL Server extended stored procedure capable of executing operating system commands - elevates the potential impact beyond typical data-layer SQL injection if that procedure is enabled on the target SQL Server instance, making this more consequential than the CVSS 5.5 score alone suggests. A publicly available proof-of-concept exploit exists and the vendor has not responded to disclosure, leaving version 6.2.0 without a vendor-issued patch.
Cross-domain RBAC bypass in Check Point Quantum Security Management allows an authenticated administrator with read-write access to one Management Domain (CMA) to modify Compliance Best Practices metadata stored in a separate Management Domain where they hold no permissions. The underlying root cause is SQL injection (CWE-89, corroborated by the 'SQLi' intelligence tag), suggesting the Compliance feature's metadata storage does not enforce domain-level query isolation. Affected releases span R81.10 and below, R81.20 up to Jumbo Hotfix Take 127, R82 up to Jumbo Hotfix Take 91, and R82.10 up to Jumbo Hotfix Take 19. No public exploit identified at time of analysis, and EPSS of 0.04% reflects low observed exploitation probability.
SQL injection in Check Point Quantum Security Gateway's UserCheck Web Portal allows a remote unauthenticated attacker who can reach the UserCheck Ask page to manipulate the Security Gateway's stored DLP incident database when the DLP blade is active. Successful exploitation can cause loss of stored incident entries, disruption of pending approval workflows, or resource exhaustion through repeated abuse - all of which could undermine the integrity of an organization's data loss prevention audit trail. No public exploit code has been identified and EPSS is very low at 0.06% (18th percentile), with no CISA KEV listing at time of analysis.
SQL injection in the Sixun Shanghui Group Business Management System 10 exposes the /api/Dinner/PayConfig endpoint to unauthenticated remote attackers who can manipulate the tableno parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position - only access to the endpoint. A public proof-of-concept exploit is available via a Feishu document, though EPSS remains very low at 0.03% (8th percentile), and no patch has been released as the vendor was unresponsive to coordinated disclosure.
SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate the `email_id` parameter in `/admin/add_staff.php`, enabling arbitrary SQL query manipulation against the underlying database. The CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - confidentiality, integrity, and availability are each rated Low with no lateral impact to subsequent systems - and EPSS at 0.03% (8th percentile) indicates negligible real-world exploitation probability despite a publicly available proof-of-concept on GitHub. No active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
SQL injection in xianrendzw EasyReport up to version 2.0.17.0522_Beta exposes authenticated remote attackers a path to query manipulation via the `reportParams` argument in the REST Endpoint's `execute` function. The CVSS 4.0 score of 5.3 reflects a low-privilege authenticated requirement with partial impact across confidentiality, integrity, and availability - meaning data exfiltration, record tampering, and limited availability disruption are all within scope. No public exploit has been confirmed and no vendor patch exists, as the vendor did not respond to coordinated disclosure; EPSS at 0.03% (8th percentile) corroborates low current exploitation interest.
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 enables remote unauthenticated attackers to manipulate the `sort` parameter at the `/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree` endpoint, achieving partial read, write, and availability impact against the backend database. The `..;` path segment is a known Java servlet filter-bypass technique, suggesting the endpoint may circumvent URL-based access controls before reaching the vulnerable query handler. A public proof-of-concept exploit exists and the vendor did not respond to responsible disclosure, meaning no patch is currently available - leaving all deployments of this power infrastructure management platform exposed.
Blind SQL injection in the eMagicOne Store Manager WordPress plugin (versions up to and including 1.3.2) allows remote unauthenticated attackers to inject malicious SQL through improperly sanitized parameters. With a CVSS 9.3 score and changed scope, successful exploitation can expose confidential database contents across the WordPress installation, though EPSS remains very low (0.03%) and no public exploit identified at time of analysis.
SQL injection in Crocoblock JetEngine (a WordPress plugin) through version 3.8.8.1 allows remote unauthenticated attackers to inject crafted SQL into backend queries, leading to high-impact confidentiality disclosure and limited availability impact with a scope change to other components. The flaw carries a CVSS 9.3 rating and was disclosed by Patchstack, but there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Blind SQL injection in the Unlimited Elements For Elementor WordPress plugin (versions up to and including 2.0.8) allows authenticated low-privilege attackers to inject arbitrary SQL into backend database queries. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5 due to scope change and high confidentiality impact, though no public exploit identified at time of analysis and EPSS probability remains low at 0.03%. The scope change (S:C) indicates the injection crosses a trust boundary, amplifying impact beyond the vulnerable component.
Pre-authentication SQL injection in Roundcube Webmail's virtuser_query plugin allows unauthenticated remote attackers to bypass input sanitization through a preg_replace() backslash escape flaw and inject arbitrary SQL against the backing database. Versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 are affected. Vendor patches are available, no public exploit identified at time of analysis, and EPSS is low (0.08%), but SSVC rates technical impact as total.
SQL injection in yashpokharna2555 StudentManagementSystem's /studentdel.php endpoint allows remote unauthenticated attackers to manipulate the ID parameter within the confirm_logged_in function, enabling arbitrary SQL query execution against the backend database. All commits up to cb2f558ddf8d19396de0f92abf2d224d46a0a203 of this PHP-based academic application are affected, with no patched release available due to its rolling-release model and vendor non-response. A public exploit exists per GitHub issue #5, and SSVC flags the attack as automatable, though the EPSS score of 0.03% reflects limited real-world scanning activity likely attributable to the application's narrow deployment footprint.
SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.
SQL injection in yashpokharna2555's StudentManagementSystem (commit cb2f558) exposes the confirm_logged_in function in student_trans.php to unauthenticated remote attackers who can manipulate FIRST_NAME, Last_Name, and EMAIL parameters to execute arbitrary SQL against the backend database. A public exploit has been disclosed via GitHub issue #3, confirming exploitability requires minimal skill; however, EPSS at 0.03% (9th percentile) indicates very low observed real-world exploitation activity, likely reflecting the narrow deployment footprint of this niche open-source PHP project rather than any technical barrier. No patch is available at time of analysis, as the maintainer has not responded to the coordinated disclosure.
SQL injection in the PHP-based yashpokharna2555/StudentManagementSystem exposes the /success.php endpoint to remote unauthenticated database attacks via the unsanitized 'User' argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position. A publicly available exploit exists via a GitHub issue report; the project maintainer has been notified but has not responded, and no patch has been released. Despite POC availability, EPSS sits at 0.03% (9th percentile), reflecting the niche, low-adoption nature of this project rather than a reduced technical severity.
Unauthenticated SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes database contents to remote attackers via the strTBName parameter of the GetDBDataEx.jsp web service endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code has been made publicly available, raising the operational risk despite a relatively low EPSS score of 0.03%. The vendor was notified prior to public disclosure but did not respond, and no vendor-released patch has been identified at time of analysis.
Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in code-projects Employee Management System 1.0 allows remote low-privileged attackers to manipulate the `ID` parameter in `/process/applyleaveprocess.php`, enabling unauthorized database read and write operations with partial impact across confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists on GitHub, though no confirmed active exploitation (CISA KEV) has been recorded. EPSS at 0.03% (8th percentile) and an SSVC assessment of 'not automatable' indicate low broad exploitation likelihood, though the accessible POC meaningfully lowers the barrier for targeted manual attacks against organizations running this application.
SQL injection in the /psubmit.php endpoint of code-projects Employee Management System 1.0 enables authenticated remote attackers to manipulate the pid parameter and inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been released on GitHub, reducing the skill barrier for exploitation against unpatched deployments. Despite a low CVSS 4.0 base score of 2.1 reflecting partial impact scope and low-privilege requirements, the combination of network accessibility and public PoC warrants prompt remediation for any internet-facing instance; no public exploit identified meets CISA KEV criteria, and no vendor-released patch has been confirmed at time of analysis.
SQL injection in code-projects Employee Management System 1.0 exposes the /changepassemp.php password-change endpoint to database manipulation by authenticated low-privilege users over the network. The CVSS 4.0 score of 2.1 reflects limited, non-cascading impact - partial confidentiality, integrity, and availability degradation confined to the vulnerable component with no downstream system scope change. A publicly available proof-of-concept exploit exists on GitHub, though the EPSS score of 0.03% (8th percentile) and SSVC 'automatable: no' classification indicate this is unlikely to see widespread opportunistic exploitation; no public exploit identified at time of analysis corroborating active KEV-level campaigns.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 exposes the application to unauthenticated remote data extraction and manipulation via the Name parameter in /user/search.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and a publicly available proof-of-concept exploit (GitHub gist) lowers the bar for exploitation. No active exploitation has been confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) indicates limited real-world exploitation activity at time of analysis despite the public POC.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote authenticated administrators to manipulate database queries via the ID parameter in /admin/edit_customer.php. The vulnerability is tagged CWE-89 and carries a CVSS 4.0 base score of 2.0, reflecting the high privilege requirement that significantly limits the attacker pool to those with existing admin access. Publicly available exploit code exists (hosted on GitHub Gist), though EPSS remains very low at 0.03% (8th percentile), and no CISA KEV listing is present - indicating no confirmed widespread exploitation at time of analysis.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows a remote, high-privileged (admin-level) attacker to manipulate database queries via the unsanitized 'ID' GET parameter in /admin/deleteproduct.php. Successful exploitation yields partial read, write, and availability impact on the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though no confirmed active exploitation (KEV) has been observed, and the EPSS score of 0.03% reflects minimal real-world exploitation pressure.
SQL injection in SourceCodester Indian Invoicing System 1.0 allows a remote, low-privileged authenticated attacker to manipulate database queries through the customer_name and category parameters in /Invoicing/IGST_Invoice.php. The vulnerability yields partial confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though the application is a niche, open-source invoicing tool with limited deployment footprint and no confirmed active exploitation in the wild.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin login endpoint at /intrams/admin/login.php to unauthenticated remote attackers who can manipulate the Username parameter to alter backend SQL query logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction, and publicly available exploit code (E:P) further lowers the barrier to entry. Although EPSS sits at 0.03% (9th percentile) indicating low observed exploitation activity, no vendor patch has been identified at time of analysis, leaving all known deployments of version 1.0 without an official remediation path.
SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a CVSS score of 7.3, indicating high severity with the ability to impact confidentiality, integrity, and availability of the application.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though not listed in CISA KEV. The vulnerability carries moderate risk with CVSS 7.3 reflecting potential for data theft and manipulation of patient records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with potential to read, modify, or delete patient records. CVSS 7.3 indicates moderate severity with no exploitation prerequisites.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows authenticated attackers to extract, modify, or delete database records via the ID parameter in /admin/patients/view_history.php. The vulnerability requires low-privilege authenticated access (PR:L) but has low attack complexity (AC:L) and can be exploited remotely. Publicly available exploit code exists on GitHub (referenced in VulDB entry), enabling immediate weaponization by threat actors. EPSS data not available, and the vulnerability is not currently listed in CISA KEV, indicating exploitation may be limited or targeted rather than widespread. The CVSS 6.3 (Medium) rating reflects partial impact across confidentiality, integrity, and availability (C:L/I:L/A:L).
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.