Skip to main content

SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (15162)

CVSS 4.9
MEDIUM This Month

SQL Injection in the Amelia booking plugin for WordPress (versions through 2.4.3) allows authenticated attackers holding the wpamelia-manager role to exfiltrate arbitrary data from the site's database via the Customer Import feature. The flaw stems from unsanitized user-supplied parameters passed into pre-existing SQL queries without adequate escaping or prepared statement usage, enabling stacked or appended query manipulation. No public exploit code or active exploitation has been identified at the time of analysis, and the confidentiality-only impact (C:H/I:N/A:N) reflects read-level database access rather than modification or destruction capability.

WordPress SQLi Booking For Appointments And Events Calendar Amelia
NVD
Awaiting Data

A SQL injection vulnerability in the /ureport/datasource/previewData component of ureport v2.2.9 allows attackers to access sensitive database information via crafted SQL statements.

SQLi
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; real-world risk is bounded by the administrator authentication requirement.

SQLi WordPress Wp Bulk Delete
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in the Quix Page Builder Pro extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a crafted request, enabling database read and write against affected sites. The CVSS 4.0 base score is 8.7 (High), reflecting network vector, low complexity, no privileges, and high impact to confidentiality, integrity, and availability of the vulnerable database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a third-party disclosure write-up exists on mysites.guru.

SQLi Quix Page Builder Pro Extension For Joomla
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.

SQLi WordPress Wp Tripadvisor Review Slider
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

SQL injection in WP Job Portal WordPress plugin before 2.5.5 enables authenticated subscriber-level users to exfiltrate data from the underlying WordPress database. Because subscriber accounts are explicitly self-registerable (no admin approval required), the practical authentication barrier is near-zero for any external attacker. A publicly available exploit exists per WPScan, though EPSS at 0.18% (7th percentile) indicates limited observed exploitation to date and no CISA KEV listing at time of analysis.

SQLi WordPress Wp Job Portal
NVD WPScan
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.

SQLi WordPress Seo Booster
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.

SQLi WordPress Seo Booster
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi WordPress Advance Product Search Voice Ajax Search For Woocommerce
NVD VulDB
Awaiting Data

LogicalDOC Enterprise up to and for v9.1.1 is vulnerable to blind SQL injection in the ComparisonServlet component, allowing authenticated user to manipulate SQL queries via crafted input.

SQLi N A
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in H3C SecPath F1000-C8300 (firmware up to 20260522) allows unauthenticated remote attackers to manipulate database queries via the `subject` parameter in the `/webui/?g=log_fw_nbc_mail_jsondata` web management endpoint. The vendor has confirmed the vulnerability and acknowledged a planned fix, but no patch is released as of the disclosure date. A publicly available exploit exists (hosted on Feishu), lowering the bar for exploitation significantly despite the moderate CVSS 4.0 score of 5.5.

SQLi Secpath F1000 C8300
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.

SQLi PostgreSQL Listmonk
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.

SQLi PostgreSQL Nocobase
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

{deptId}. The root cause is SqlparserUtils.transFilter() returning raw, unsanitized user input for operators other than 'in'/'between', which is then string-spliced into the dashboard query via SubstitutedSql.replace(). No public exploit identified at time of analysis and it is not in CISA KEV, but the vendor GHSA advisory, fixing commit, and 2.10.23 release confirm the flaw is real and patched.

SQLi Dataease
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored SQL injection in DataEase (open source data visualization/BI tool) versions prior to 2.10.23 allows an authenticated user who can define SQL-type datasets to persist malicious SQL through variable defaultValue entries, which later execute against the backend database whenever any user with dataset read permission opens the dataset. The flaw (CWE-89) enables reading and modifying arbitrary database data, and CVSS 4.0 rates it 8.7 (High). No public exploit has been identified at time of analysis, but the upstream fix commit is public, so exploitation prerequisites are well documented.

SQLi Dataease
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary SQL read access in DataEase before 2.10.23 lets authenticated users abuse the SQL preview feature (/de2api/datasetData/previewSql) to run attacker-supplied queries against any configured datasource. Because DatasetDataManage.previewSql passes the decoded PreviewSqlDTO.sql straight into datasourceRequest.query and CalciteProvider.fetchResultField executes it via prepareStatement().executeQuery(), an attacker can read any table the datasource account can access and receive the rows in the preview response. No public exploit identified at time of analysis, but the fix commit and advisory are public, making the flaw easy to reverse-engineer.

SQLi Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in DataEase before 2.10.23 lets an authenticated low-privilege user compromise the backend datasource by abusing the datasource connection-status check, where io.dataease.datasource.provider.CalciteProvider#checkStatus concatenates the user-controlled configuration.getSchema() value into getTablesSql and runs it via executeQuery. Because the schema/owner string is embedded directly into metadata queries for DB2, SQL Server, PostgreSQL, Oracle and other datasources, an attacker who can create or edit a datasource can inject arbitrary SQL and read or alter data on the connected database. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the root cause is confirmed by the vendor commit that replaces string concatenation with parameterized PreparedStatements.

SQLi PostgreSQL Dataease
NVD GitHub
HIGH PATCH This Week

SQL injection in MantisBT 2.28.3 and earlier (fixed in 2.28.4) lets an administrator poison the history_order configuration value, which core/history_api.php concatenates unsanitized into an ORDER BY clause; the injected SQL then fires whenever any authenticated user views a bug that has history entries. This converts an administrator's config-write into database-wide data theft (password hashes, cookie_strings, API tokens, private issues) and, where the MySQL account holds the FILE privilege, remote code execution via INTO OUTFILE dropping a PHP webshell in the web root. No public exploit identified at time of analysis; reported by McCaulay Hudson of watchTowr and tracked as GitHub advisory GHSA-mw6p-33vw-46cc.

SQLi PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in EDocman, the Joomla download/document manager extension by Joomdonation, allows remote unauthenticated attackers to inject arbitrary SQL through the extension's request handling (CWE-89). The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, meaning database contents can be extracted directly over the network. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.

SQLi Edocman Extension For Joomla
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal was provided.

SQLi Dp Calendar Extension For Joomla
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in MetaGuru's HCM (Human Capital Management) platform lets authenticated remote attackers inject malicious SQL through specific request parameters, yielding full read/write control over the backing database and its confidentiality, integrity, and availability. The flaw was reported by TWCERT (Taiwan CERT) and carries a CVSS 4.0 base score of 8.7; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because valid low-privilege credentials are required (PR:L), risk concentrates in environments where accounts are broadly provisioned or credentials can be phished/reused.

SQLi Hcm
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).

SQLi Apache Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). There is no public exploit identified at time of analysis, though the vendor's fix PR (#6020) ships an integration test containing a working injection payload; not listed in CISA KEV.

SQLi Apache Fineract
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; the upstream fix landed in PR #5980, which introduces a configurable InputValidator/validation-profile framework.

SQLi Apache Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

UNION-based SQL injection in the Quotes Llama WordPress plugin (all versions before 3.1.6) lets unauthenticated remote attackers inject arbitrary SQL through an unsanitized request parameter and read any data from the WordPress database, including user password hashes. Publicly available exploit code exists and a vendor patch has been released; the flaw carries a high EPSS-relevant profile because it is remotely reachable with no authentication or user interaction. This is no public exploit identified as actively exploited (not in CISA KEV), but working PoC availability makes opportunistic mass-scanning likely.

SQLi WordPress Quotes Llama
NVD WPScan VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

SQL injection in the web management interface of multiple ASUS router models enables a remotely authenticated, high-privilege user to exfiltrate confidential information by sending crafted requests that bypass the router's existing input validation. The vulnerability is limited to read-only data disclosure (no integrity or availability impact) and requires prior administrative authentication, significantly constraining real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 reflects the high complexity and authentication prerequisites.

SQLi Router
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

SQL injection in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows an authenticated attacker to inject crafted SQL and achieve arbitrary code execution in the context of the current user without any user interaction. The flaw carries a critical 9.9 CVSS with a changed scope, meaning impact extends beyond the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the total technical impact and low attack complexity make it a high-priority patch for internet-facing ColdFusion servers.

SQLi RCE Coldfusion
NVD VulDB
EPSS 20% CVSS 7.2
HIGH This Week

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows a high-privileged authenticated attacker to inject malicious SQL that can escalate to arbitrary code execution in the context of the current user, enabling account/session takeover. The flaw (CWE-89) is network-reachable and requires no user interaction, but demands existing high privileges per the CVSS PR:H metric. No public exploit is identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

SQLi RCE Adobe +4
NVD VulDB
CVSS 9.9
CRITICAL Act Now

Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).

Oracle SQLi PHP +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted SQL commands over the network and gain higher database privileges (CVSS 8.8). The flaw is a classic improper neutralization of special elements (CWE-89) reachable by any principal already holding low-level database access. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, though a vendor patch is available.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack +8
NVD
EPSS 1% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user to escalate their privileges by injecting crafted special elements into an SQL command. Microsoft has released a fix and reported the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires existing low-level access, the realistic threat is an insider or a compromised low-privilege account pivoting to higher database privileges.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack +8
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

SQL injection and local file disclosure in Snowflake SQLAlchemy before 1.11.0 lets an authenticated application user abuse three distinct weaknesses: unsanitized column identifiers in MERGE/upsert operations, improper literal rendering of bound parameters in Snowflake-specific table-creation queries, and unsafe forwarding of connection parameters that can be coerced into reading arbitrary local files. Any application built on this dialect that passes user-controlled keys, strings, or connection settings into the affected APIs can leak or modify data within the connection role's scope and, in some deployments, exfiltrate local files to an attacker endpoint. No public exploit identified at time of analysis; the issues are reported by the vendor (Snowflake) and fixed in 1.11.0.

SQLi Snowflake Sqlalchemy
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.

Authentication Bypass SQLi Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.

SQLi PHP Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.

SQLi PHP Online Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin panel endpoint /intrams/admin/add_judges.php to database manipulation via the unsanitized `fname` parameter. Authenticated remote attackers can craft malicious input to read, alter, or potentially enumerate backend database contents. A publicly available proof-of-concept exploit exists on GitHub, though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of 2.1 (Low), reflecting the authenticated access prerequisite and limited-scope CIA impact.

SQLi PHP Electronic Judging System
NVD VulDB GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Apache Kylin
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged authenticated attacker to execute crafted database queries, exposing backend database contents. The vulnerability is reachable over the network but requires both high attack complexity and high privilege level, significantly constraining the realistic attacker pool. No public exploit or active exploitation has been identified at time of analysis, and the CVSS base score of 5.5 reflects these mitigating factors despite the potential for database exposure.

SQLi SAP Sap S 4Hana Project Management Ppm Pro
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in DIRAC (Distributed Infrastructure with Remote Agent Control) grid middleware lets any authenticated user run arbitrary commands on the server through the FileCatalog DatasetManager. A SQL injection (CWE-89) in the checkDataset code path lets the attacker control a value that is fed directly into a Python eval(), turning a data-layer flaw into full server compromise. Rated CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); no public exploit identified at time of analysis, though the vendor advisory names the exact vulnerable source lines.

SQLi RCE
NVD GitHub
CVSS 6.8
MEDIUM PATCH This Month

Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.

SQLi Oracle PostgreSQL
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. No public exploit identified at time of analysis and the issue is not on CISA KEV, but its high CVSS (9.3) and the fact that it was catalogued by Patchstack make it a credible risk for exposed WordPress sites.

SQLi Aiwu
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.

SQLi WordPress Apiexperts Square For Woocommerce
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Authenticated blind SQL injection in the CreativeWS CWS SVGicons WordPress plugin (all versions up to and including 1.5.5) allows a low-privileged authenticated user to inject crafted SQL into a database query, per a Patchstack advisory. Because the CVSS vector reports a scope change with high confidentiality impact, a successful attack can read data beyond the plugin's own tables, exposing the broader WordPress database. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Cws Svgicons
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.

SQLi WordPress Advanced Shipment Tracking For Woocommerce
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.

SQLi Wp Inventory Manager
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the GD Rating System WordPress plugin (versions up to and including 3.7) allows authenticated attackers to inject arbitrary SQL into backend database queries. Because the CVSS vector shows PR:L, a low-privileged authenticated user can extract sensitive database contents (CVSS 8.5, scope-changed). No public exploit identified at time of analysis; the flaw was reported by Patchstack via its coordinated disclosure database.

SQLi Gd Rating System
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.

SQLi Acymailing Smtp Newsletter
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Kirki
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.

SQLi Latepoint
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in QuantumCloud's Simple Business Directory Pro WordPress plugin (all versions through 15.9.4) allows remote attackers to inject crafted SQL into backend database queries, enabling extraction of sensitive data such as user credentials and stored directory records. Patchstack rates it critical (CVSS 9.3) with a network attack vector and no authentication indicated in the supplied vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high score and scope-change flag make it a priority for any site running this plugin.

SQLi Simple Business Directory Pro
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.

SQLi Amelia
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Vitepos
NVD
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

WordPress SQLi Library Management System
NVD WPScan VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.

SQLi PHP Online Book Store System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.

SQLi PHP Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Jinher OA 1.0 exposes the PlanGiveOut.aspx endpoint to remote unauthenticated exploitation via the unsanitized `httpOID` parameter, enabling database enumeration, data exfiltration, and record manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites beyond network access. A public proof-of-concept exploit has been published on GitHub (CVE-2026-15517 issue tracker), the vendor did not respond to coordinated disclosure, and no patch exists at time of analysis.

SQLi Oa
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Metasoft (美特软件) MetaCRM up to version 6.4.0 Beta06 enables unauthenticated remote attackers to manipulate the `phprpc_args` parameter passed to the `RPCService.query` function at the PHPRPC Remote Call Interface endpoint `/customizemt/xkq/rpc.jsp`, potentially reading, altering, or deleting database contents. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction from any network-reachable position. Publicly available exploit code exists (confirmed by E:P in the CVSS 4.0 supplemental metrics), though this CVE is not currently listed in CISA KEV; the vendor did not respond to disclosure, leaving no official patch available.

SQLi
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in Shenzhou Shihan Video Conference System v1.0 lets a remote, unauthenticated attacker inject arbitrary SQL through the /user/getUserLogin endpoint, enabling full database compromise and, per the MITRE report, arbitrary code execution. The flaw is network-reachable against default installs with no authentication or user interaction (CVSS 9.8). No CISA KEV listing exists and EPSS is low (0.27%, 18th percentile); disclosure references (a GitHub CVE issue and a cnblogs write-up) suggest public exploitation details circulate, though weaponized exploit code was not independently confirmed in this analysis.

SQLi RCE N A
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.

SQLi PHP Antaris
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.

SQLi Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.

SQLi PHP Smarthomeadatum
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.

SQLi PHP Hotel Broadband Operation System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.

SQLi PHP Toko Online Roti
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.

SQLi PHP Azcall
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in IceHRM 35.0.1 and earlier allows authenticated remote attackers to manipulate backend database queries via the `employeeList` parameter in the EmployeeAttendanceReport PHP component, yielding partial confidentiality, integrity, and availability impact. A public proof-of-concept is available via a GitHub issue report, and the IceHRM project has not responded to the disclosure, leaving no vendor patch available. No CISA KEV listing exists, so widespread active exploitation at scale is unconfirmed, but the public PoC and unpatched status materially elevate practical risk for any organization running this software.

SQLi PHP Icehrm
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

SQL injection in Bahmni bahmnicore up to version 0.93 allows low-privileged authenticated remote attackers to manipulate backend database queries via the additionalParams argument at the /openmrs/ws/rest/v1/bahmnicore/sql Search Endpoint. Public exploit code exists (confirmed by E:P in CVSS 4.0 supplemental metrics and the CVE description), lowering the bar for exploitation to any user with valid application credentials. Fixed versions spanning all active release branches (0.93.1 through 2.0.1) were released July 2026, and organizations running affected versions in healthcare environments should prioritize patching given the sensitivity of stored patient and clinical data.

SQLi Bahmnicore
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who controls the create_collection() dimension argument to inject arbitrary database tokens. Although the code validates schema, keyspace, and collection-name identifiers, the dimension value - typed as int but never enforced at runtime - is string-interpolated directly into the vector column of the generated CREATE TABLE DDL, so a payload like '3); DROP TABLE tenant_secrets; --' executes against the backing database. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

SQLi Praisonai
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the WP CTA (Sticky CTA Builder / Call Now Button) WordPress plugin through version 2.2.2 lets remote attackers extract database contents - including administrator password hashes - via the 'fildname' parameter of the ajaxCheck() AJAX endpoint. Because the handler is registered through wp_ajax_nopriv_ and performs no capability or nonce checks, exploitation requires no login. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reachable and reported by Wordfence.

WordPress SQLi Wp Cta Call Now Button Sticky Button Call To Action Builder
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.

WordPress SQLi Zoho +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the Booking Package WordPress plugin (versions up to and including 1.7.20, by developer masaakitanaka) lets remote attackers append SQL to an existing query via the 'email' form parameter on the /wp-json/booking-package/v1/request REST endpoint, enabling extraction of sensitive database contents. The endpoint is registered with permission_callback __return_true and REST-sourced $_POST values bypass wp_magic_quotes, so single quotes reach the SQL sink without authentication. Exploitability is severely constrained because the parameter is filtered through WordPress's is_email() before use, and there is no public exploit identified at time of analysis.

WordPress SQLi Booking Package
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress (all versions through 4.5.0) allows authenticated attackers with doctor-level or equivalent access to exfiltrate arbitrary database contents via a manipulated 'orderby' parameter. The flaw exists in DoctorSessionController.php and the KCQueryBuilder base class, where ORDER BY clause inputs are neither escaped nor parameterized, enabling appended SQL to traverse the entire WordPress database - including patient records, credentials, and clinical data. No public exploit code or active exploitation has been identified at time of analysis, though Wordfence has disclosed the vulnerability with source code references.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial nonce-acquisition path (create a ticket, visit the result page) means any user permitted to submit support requests can exploit this on unpatched deployments. Version 1.2.0 appears to resolve the issue based on source code changes in the referenced repository tags.

WordPress SQLi Majestic Support The Leading Edge Help Desk Customer Support Plugin
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS data was not provided, but the authenticated-only prerequisite and niche deployment footprint materially limit real-world impact.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.19% (9th percentile), indicating little near-term mass-exploitation pressure.

SQLi Location Selector
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

SQL injection in the Drupal Geolocation Field contributed module exposes sites to unauthenticated database read and partial write access across all module versions prior to 3.15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it remotely triggerable against any publicly reachable Drupal installation running the affected module. Impact is bounded by C:L/I:L/A:N - partial data disclosure and modification without availability disruption or full database takeover. No active exploitation has been confirmed (no CISA KEV listing), and EPSS sits at a low 0.16% (5th percentile), indicating minimal current attacker interest. A vendor patch is available.

SQLi Geolocation Field
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Frappe framework's check_safe_sql_query function fails to block SELECT INTO OUTFILE statements, allowing authenticated low-privileged users to write arbitrary files to the server filesystem on self-hosted MySQL deployments where the database user holds the MySQL FILE privilege. Affected branches are v15 prior to 15.108.0 and v16 prior to 16.18.3; fixes are released at both version targets. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, with a CVSS 4.0 base score of 2.3 reflecting the narrow, non-default exploitation conditions captured by AT:P.

SQLi Frappe
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. No public exploit has been identified at time of analysis, and the fix was released in version 1.27.0.

SQLi Openreplay
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated SQL injection in the GLPI DataInjection plugin 2.15.6 (GLPI 11 builds) lets an operator with access to the Data injection feature smuggle SQL into the database by placing expressions in CSV field values, which the import routine concatenates directly into queries without parameterization or escaping (CWE-89). By mapping a payload such as SLEEP() to a field like Serial Number, an attacker performs time-based blind extraction of arbitrary database contents. Reported by VulnCheck and fixed in version 2.15.7; it is not on CISA KEV and no public exploit was identified at time of analysis.

SQLi Datainjection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute arbitrary SQL against the underlying ClickHouse database by passing unsanitized search parameters into the search_by_full_text method. Because those parameters are concatenated into the query without escaping or parameterization, an attacker can read, modify, or delete stored vector-store data. Publicly available exploit code exists (VulnCheck advisory and GitHub issue #38281) and a vendor patch is available; there is no confirmation of active in-the-wild exploitation.

SQLi Dify
NVD GitHub
Page 1 of 169 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
15162

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy