SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (4539)

CVE-2025-52410
EPSS 0% CVSS 9.8
CRITICAL This Week

Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP Institute Of Current Students
NVD GitHub
CVE-2025-60798
EPSS 0% CVSS 6.5
MEDIUM This Month

phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Phppgadmin +1
NVD GitHub
CVE-2025-60797
EPSS 0% CVSS 6.5
MEDIUM This Month

phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Privilege Escalation +2
NVD GitHub
CVE-2025-13451
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in SourceCodester Online Shop Project 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Shop Project
NVD GitHub VulDB
CVE-2025-13449
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was found in code-projects Online Shop Project 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Shop Project
NVD GitHub VulDB
CVE-2025-12502
EPSS 0% CVSS 6.8
MEDIUM This Month

The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD WPScan
CVE-2025-13424
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability has been found in Campcodes Supplier Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Supplier Management System
NVD GitHub VulDB
CVE-2025-13422
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was detected in freeprojectscodes Sports Club Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Sports Club Management System
NVD GitHub VulDB
CVE-2025-13421
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security vulnerability has been detected in itsourcecode Human Resource Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Human Resource Management System
NVD GitHub VulDB
CVE-2025-13420
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in itsourcecode Human Resource Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Human Resource Management System
NVD GitHub VulDB
CVE-2025-63719
EPSS 0% CVSS 7.3
HIGH POC This Month

Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection in /admin/index.php via the parameter username. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Hospital Management System
NVD GitHub
CVE-2025-13410
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Retro Basketball Shoes Online Store
NVD GitHub VulDB
CVE-2025-65103
EPSS 0% CVSS 8.8
HIGH PATCH This Month

OpenSTAManager is an open source management software for technical assistance and invoicing. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVE-2025-12743
EPSS 0% CVSS 6.0
MEDIUM This Month

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-65024
EPSS 0% CVSS 7.2
HIGH POC PATCH This Month

i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PHP I Educar
NVD GitHub
CVE-2025-65023
EPSS 0% CVSS 7.2
HIGH POC PATCH This Month

i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PHP I Educar
NVD GitHub
CVE-2025-65022
EPSS 0% CVSS 7.2
HIGH PATCH This Month

i-Educar is free, fully online school management software. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PHP I Educar
NVD GitHub
CVE-2025-63878
EPSS 0% CVSS 6.5
MEDIUM POC This Week

Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Restaurant Website Restoran
NVD GitHub
CVE-2025-13396
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A weakness has been identified in code-projects Courier Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Microsoft +1
NVD GitHub VulDB
CVE-2025-10437
EPSS 0% CVSS 9.8
CRITICAL This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-13395
EPSS 0% CVSS 6.9
MEDIUM This Month

A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVE-2025-12646
EPSS 0% CVSS 7.5
HIGH This Month

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'dayofyear' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-65093
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Librenms
NVD GitHub
CVE-2025-63694
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Dzzoffice
NVD GitHub
CVE-2025-63512
EPSS 0% CVSS 6.5
MEDIUM POC This Week

kishan0725 Hospital Management System/ v4 is vulnerable to SQL Injection in admin-panel1.php, specifically in the deleting doctor logic. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Hospital Management System
NVD GitHub
CVE-2025-58692
EPSS 0% CVSS 8.8
HIGH This Month

An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Fortinet Fortivoice
NVD
CVE-2025-9977
EPSS 4% CVSS 5.3
MEDIUM This Month

Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi Command Injection
NVD
CVE-2025-13347
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A flaw has been found in SourceCodester Train Station Ticketing System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Train Station Ticketing System
NVD GitHub VulDB
CVE-2025-13346
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Train Station Ticketing System
NVD GitHub VulDB
CVE-2025-41348
EPSS 0% CVSS 8.7
HIGH This Month

SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Winplus
NVD
CVE-2025-13345
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security vulnerability has been detected in SourceCodester Train Station Ticketing System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Train Station Ticketing System
NVD GitHub VulDB
CVE-2025-13344
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in SourceCodester Train Station Ticketing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Train Station Ticketing System
NVD GitHub VulDB
CVE-2025-12411
EPSS 0% CVSS 7.1
HIGH This Week

The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-13325
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was determined in itsourcecode Student Information System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Student Information System
NVD GitHub VulDB
CVE-2025-13323
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in code-projects Simple Pizza Ordering System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Simple Pizza Ordering System
NVD GitHub VulDB
CVE-2025-13303
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was determined in code-projects Courier Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Courier Management System
NVD GitHub VulDB
CVE-2025-13302
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability was identified in code-projects Courier Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Courier Management System
NVD GitHub VulDB
CVE-2025-13301
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Web Based Internet Laboratory Management System
NVD GitHub VulDB
CVE-2025-13300
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Web Based Internet Laboratory Management System
NVD GitHub VulDB
CVE-2025-13299
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A flaw has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Web Based Internet Laboratory Management System
NVD GitHub VulDB
CVE-2025-13298
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Web Based Internet Laboratory Management System
NVD GitHub VulDB
CVE-2024-44664
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the name, summary, review, quality, price, and value parameters in product-details.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Shopping Portal
NVD GitHub
CVE-2024-44659
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Shopping Portal
NVD GitHub
CVE-2024-44663
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the product parameter in search-result.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Shopping Portal
NVD GitHub
CVE-2024-44662
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the username parameter in the admin page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Online Shopping Portal
NVD GitHub
CVE-2024-44660
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Shopping Portal
NVD GitHub
CVE-2024-44658
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Complaint Management System
NVD GitHub
CVE-2024-44654
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Complaint Management System
NVD GitHub
CVE-2025-13297
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security vulnerability has been detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Web Based Internet Laboratory Management System
NVD GitHub VulDB
CVE-2024-44657
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the fromdate and todate parameters in between-date-userreport.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Complaint Management System
NVD GitHub
CVE-2024-44653
EPSS 0% CVSS 6.5
MEDIUM POC This Week

Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email parameter in user_login.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ecommerce Website
NVD GitHub
CVE-2024-44651
EPSS 0% CVSS 6.5
MEDIUM POC This Week

Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the recover_email parameter in user_password_recover.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ecommerce Website
NVD GitHub
CVE-2025-62519
EPSS 0% CVSS 7.2
HIGH POC PATCH This Month

phpMyFAQ is an open source FAQ web application. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi RCE Phpmyfaq
NVD GitHub
CVE-2025-13291
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was found in Campcodes Supplier Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Supplier Management System
NVD GitHub VulDB
CVE-2025-13290
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in code-projects Simple Food Ordering System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Simple Food Ordering System
NVD GitHub VulDB
CVE-2024-44652
EPSS 0% CVSS 6.5
MEDIUM POC This Week

Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email, username, user_firstname, user_lastname, and user_address parameters in user_register.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ecommerce Website
NVD GitHub
CVE-2024-44648
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via id and adminremark parameters in quote-details.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Small Crm
NVD GitHub
CVE-2024-44644
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the frm_id and aremark parameters in manage-tickets.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Small Crm
NVD GitHub
CVE-2024-44641
EPSS 0% CVSS 6.5
MEDIUM POC This Week

PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the oldpass parameter in change-password.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Small Crm
NVD GitHub
CVE-2025-13289
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was detected in 1000projects Design & Development of Student Database Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Design Development Of Student Database Management System
NVD GitHub VulDB
CVE-2025-13287
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A weakness has been identified in itsourcecode Online Voting System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Voting System
NVD GitHub VulDB
CVE-2025-13286
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in itsourcecode Online Voting System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Voting System
NVD GitHub VulDB
CVE-2025-13285
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in itsourcecode Online Voting System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Voting System
NVD GitHub VulDB
CVE-2025-13280
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was determined in CodeAstro Simple Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Simple Inventory System
NVD GitHub VulDB
CVE-2025-13279
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in code-projects Nero Social Networking Site 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nero Social Networking Site
NVD GitHub VulDB
CVE-2025-13278
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Advanced Library Management System
NVD GitHub VulDB
CVE-2025-13277
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A flaw has been found in code-projects Nero Social Networking Site 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nero Social Networking Site
NVD GitHub VulDB
CVE-2025-13276
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability was detected in g33kyrash Online-Banking-System up to 12dbfa690e5af649fb72d2e5d3674e88d6743455. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD GitHub VulDB
CVE-2025-13274
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A weakness has been identified in Campcodes School Fees Payment Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP School Fees Payment Management System
NVD GitHub VulDB
CVE-2025-13273
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in Campcodes School Fees Payment Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP School Fees Payment Management System
NVD GitHub VulDB
CVE-2025-13272
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP School Fees Payment Management System
NVD GitHub VulDB
CVE-2025-13271
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was determined in Campcodes School Fees Payment Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP School Fees Payment Management System
NVD GitHub VulDB
CVE-2025-13270
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in Campcodes School Fees Payment Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP School Fees Payment Management System
NVD GitHub VulDB
CVE-2025-13269
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in Campcodes School Fees Payment Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP School Fees Payment Management System
NVD GitHub VulDB
CVE-2025-13267
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was detected in SourceCodester Dental Clinic Appointment Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Dental Clinic Appointment Reservation System
NVD GitHub VulDB
CVE-2025-13264
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in SourceCodester Online Magazine Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Magazine Management System
NVD GitHub VulDB
CVE-2025-13263
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in SourceCodester Online Magazine Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Magazine Management System
NVD GitHub VulDB
CVE-2025-13260
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in Campcodes Supplier Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Supplier Management System
NVD GitHub VulDB
CVE-2025-13259
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A flaw has been found in Campcodes Supplier Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Supplier Management System
NVD GitHub VulDB
CVE-2025-10460
EPSS 0% CVSS 9.4
CRITICAL This Week

A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-13257
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Inventory Management System
NVD GitHub VulDB
CVE-2025-13256
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A weakness has been identified in projectworlds Advanced Library Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Advanced Library Management System
NVD GitHub VulDB
CVE-2025-13255
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in projectworlds Advanced Library Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Advanced Library Management System
NVD GitHub VulDB
CVE-2025-13254
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in projectworlds Advanced Library Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Advanced Library Management System
NVD GitHub VulDB
CVE-2025-13253
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was determined in projectworlds Advanced Library Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Advanced Library Management System
NVD GitHub VulDB
CVE-2025-13251
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A flaw has been found in WeiYe-Jing datax-web up to 2.1.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Datax Web
NVD GitHub VulDB
CVE-2025-13248
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Patients Waiting Area Queue Management System
NVD GitHub VulDB
CVE-2025-13247
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in PHPGurukul Tourism Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Tourism Management System
NVD GitHub VulDB
CVE-2025-13243
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in code-projects Student Information System 2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Student Information System
NVD GitHub VulDB
CVE-2025-13242
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability has been found in code-projects Student Information System 2.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Student Information System
NVD GitHub VulDB
Prev Page 15 of 51 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4539

Related CWEs

MITRE ATT&CK

References

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy