Skip to main content

SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (15171)

EPSS 0% CVSS 5.3
MEDIUM This Month

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the orderid parameter in /order-details.php, enabling data exfiltration and database manipulation. CVSS 6.3 reflects authenticated access requirement and limited scope; no public exploit code or active KEV status confirmed at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filter_user_mail parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_project parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sort_direction parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user2reset parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id_to_modify' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mng_profile_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados R10 Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Kados Greenbee
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Advance Gift Shop Pro Script 2.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Advance Gift Shop Pro Script
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Piluscart
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Qdpm
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the news ID parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Suitecrm
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in griptape-ai griptape 0.19.4 SqlTool allows authenticated remote attackers to manipulate SQL queries via the griptape/tools/sql/tool.py component, potentially accessing or modifying database contents. The exploit is publicly available, and the vendor has not responded to early disclosure notification.

SQLi Griptape
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in zhongyu09 openchatbi up to version 0.2.1 allows authenticated remote attackers to manipulate the keywords argument in the Multi-stage Text2SQL Workflow component, leading to unauthorized database access with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in wbbeyourself MAC-SQL via the _execute_sql function in core/agents.py (Refiner Agent component) allows authenticated remote attackers to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability affects all versions up to commit 31a9df5e0d520be4769be57a4b9022e5e34a14f4, with publicly available exploit code and CVSS 6.3 (medium severity). The vendor has not responded to early disclosure attempts, and the product uses rolling releases making version tracking difficult.

SQLi Mac Sql
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and CVSS 5.3 score reflecting low confidentiality and integrity impact; however, the moderate real-world risk is elevated by public exploit availability and the authentication-required nature suggesting insider or credential-based attack scenarios.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fname parameter in the /OnlineClassroom/updatedetailsfromfaculty.php endpoint. The vulnerability has been publicly disclosed with exploit code available, presenting moderate real-world risk due to required authentication (PR:L) but low technical impact (VC:L, VI:L, VA:L) per CVSS 4.0 scoring.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Song-Li cross_browser application allows remote code execution via unsanitized ID parameter in the details endpoint of flask/uniquemachine_app.py. The vulnerability affects all versions up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a, requires no authentication, and has publicly available exploit code. The vendor has not responded to disclosure attempts, and the product's rolling-release model means no traditional patched version has been released.

Python SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in SourceCodester jkev Record Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component (index.php) to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. The exploit code is publicly available, and the vulnerability carries a CVSS 4.0 base score of 6.9 with low confidentiality, integrity, and availability impact.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in AutohomeCorp Frostmourne up to version 1.0 allows authenticated remote attackers to execute arbitrary SQL queries through the /api/monitor-api/alarm/previewData endpoint's httpTest function, potentially leading to unauthorized data access, modification, or system compromise. Publicly available exploit code exists, elevating real-world risk despite the CVSS 6.3 (medium) rating.

SQLi Frostmourne
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.

Docker SQLi PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).

SQLi Information Disclosure PHP
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

SQL injection in Piwigo's Activity List API endpoint allows authenticated administrators to extract sensitive database contents including user credentials and email addresses. This vulnerability affects Piwigo versions prior to 16.3.0 and requires high-level privileges (administrator access) to exploit. CVSS score of 7.2 reflects the network-accessible attack vector with low complexity, though exploitation requires prior administrative authentication. No public exploit code or active exploitation (CISA KEV) identified at time of analysis. The vendor has released version 16.3.0 addressing this issue.

SQLi Information Disclosure Piwigo
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

SQL injection in Piwigo photo gallery application allows authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method. Piwigo versions prior to 16.3.0 are affected due to improper sanitization of the filter parameter, which is directly concatenated into database queries. Vendor-released patch version 16.3.0 addresses this vulnerability. EPSS data not provided; no public exploit identified at time of analysis. Authentication requirements (PR:H) significantly limit attack surface to users with administrative privileges.

SQLi Piwigo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. Vendor-released patch available in version 16.3.0. EPSS and KEV data not provided, but the combination of unauthenticated access, low attack complexity, and full database disclosure represents critical risk for internet-facing Piwigo installations.

SQLi Piwigo
NVD GitHub
EPSS 0% CVSS 8.1
HIGH Monitor

Second-order SQL injection in Focalboard 8.0 and earlier allows authenticated attackers to exfiltrate password hashes and other sensitive data via time-based blind injection through the category reorder API. Malicious SQL payloads injected into category ID fields persist in the database and execute unsanitized during subsequent reorder operations. Focalboard standalone is unsupported and will not receive a security patch. EPSS score of 0.01% indicates very low observed exploitation probability, consistent with the narrow attack surface requiring authenticated access to an end-of-life product.

SQLi Information Disclosure Focalboard
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via the =n operator. Affects all versions prior to 17.2.3. Attack complexity is low with no user interaction required, enabling authenticated users to escalate privileges, modify data integrity, and potentially compromise availability across scope boundaries. Vendor-released patch confirms fix in version 17.2.3. EPSS score of 0.04% (13th percentile) indicates low probability of mass exploitation, though the CVSS 9.9 critical rating reflects severe potential impact in targeted scenarios. No CISA KEV listing or public exploit code identified at time of analysis.

SQLi Openproject
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in projectworlds Car Rental Project 1.0 login.php allows unauthenticated remote attackers to bypass authentication, extract sensitive database contents, and potentially modify or delete data via the 'uname' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network-accessible attack vector, no authentication requirement, and public exploit makes this a practical threat for internet-facing deployments of this vulnerable application.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the deptid parameter in /enrollment/index.php?view=edit&id=3, potentially enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS score of 6.9. The vulnerability affects the Parameter Handler component's SQL query construction logic.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary SQL execution in OpenSTAManager's database conflict resolution module allows authenticated attackers with access to the Aggiornamenti (Updates) feature to execute unrestricted SQL commands. Affecting versions prior to 2.10.2, attackers can submit JSON arrays of SQL statements that execute directly against the MySQL database with foreign key checks disabled, enabling complete database compromise including data exfiltration, modification, deletion, and schema manipulation. No public exploit identified at time of analysis, though EPSS data not available; authentication requirement (PR:L) and low attack complexity (AC:L) indicate straightforward exploitation for internal threats or compromised accounts.

SQLi Openstamanager
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

SQL injection in shsuishang modulithshop allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the sidx/sort parameter in the ProductItemDao Interface listItem function, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability affects the rolling-release product across an unspecified version range; publicly available exploit code exists. CVSS 6.3 with exploitation probability noted (E:P), and a patch is available via upstream commit 42bcb9463425d1be906c3b290cf29885eb5a2324.

Java SQLi
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows unauthenticated remote attackers to extract sensitive database contents via the mb24api endpoint. The vulnerability enables complete confidentiality breach through crafted SQL SELECT commands with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis. Vendor advisory published by CERT@VDE with remediation guidance.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to execute arbitrary SQL commands via the setinfo endpoint, potentially destroying database integrity and causing complete service disruption. The vulnerability stems from insufficient input validation in SQL UPDATE operations. With CVSS 9.1 (Critical), CVSS vector PR:N confirms no authentication required, and attack complexity is low (AC:L), making this trivially exploitable. No public exploit identified at time of analysis, though the technical details disclosed in CERT@VDE advisory provide sufficient information for rapid weaponization.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 products allows unauthenticated remote attackers to extract sensitive data through the getinfo endpoint. The vulnerability permits direct database queries without authentication, enabling complete confidentiality breach of stored information. EPSS and KEV data not provided; exploitation status unknown beyond technical disclosure by CERT@VDE.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in AlejandroArciniegas mcp-data-vis MCP Handler allows remote unauthenticated attackers to manipulate database queries via the Request function in src/servers/database/server.js. Publicly available exploit code exists. CVSS 7.3 (High) with low attack complexity enables unauthorized data access, modification, and partial availability disruption. The vendor did not respond to disclosure, and the product uses a rolling release model without fixed version tracking, complicating patch verification (EPSS data not provided).

SQLi Mcp Data Vis
NVD VulDB GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in NocoBase plugin-workflow-sql through version 2.0.8 allows authenticated workflow users to execute arbitrary database queries. The vulnerable SQLInstruction class performs unparameterized string substitution of template variables (e.g., {{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.

SQLi Docker Debian +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which execute when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit confirmed beyond the GitHub security advisory POC, though EPSS data unavailable. Immediate patching required for all PraisonAI Python package installations.

Python SQLi Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL injection in Payload CMS versions prior to 3.79.1 allows authenticated attackers to manipulate database queries and exfiltrate or modify collection data. The vulnerability stems from inadequate input validation on request parameters, enabling low-privilege users to craft malicious SQL queries with low attack complexity over the network. No public exploit identified at time of analysis. EPSS risk data not available, but the CVSS score of 8.5 with scope change (S:C) indicates potential for significant impact beyond the vulnerable component.

SQLi Payload
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.

SQLi PostgreSQL
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in

PHP Deserialization Docker +4
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working

PHP SQLi Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.

SQLi Joomla Cms
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the userid parameter in /delstaffinfo.php, enabling arbitrary SQL query execution with limited data confidentiality and integrity impact. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.9.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to manipulate the firstName parameter in /modify.php, enabling arbitrary database queries and potential data exfiltration or modification. The vulnerability affects the Parameter Handler component through CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Publicly available exploit code exists, and the CVSS 6.9 score reflects moderate impact with low attack complexity and no authentication requirement.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.

IBM SQLi
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via manipulation of the ID parameter in /view_employee.php. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, enabling potential data extraction, modification, or authentication bypass without requiring user interaction.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Booking for Appointments and Events Calendar - Amelia WordPress plugin (versions up to 2.1.2) allows authenticated Manager-level users to extract sensitive database information via the `sort` parameter in the payments listing endpoint. The vulnerability exists because the sort field is interpolated directly into an ORDER BY clause without sanitization, bypassing PDO prepared statement protections which do not cover column names. GET requests also bypass Amelia's nonce validation, enabling time-based blind SQL injection attacks by authenticated users with Manager access or higher.

WordPress PHP SQLi
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in pandas-ai v3.0.0 allows remote code execution through the pandasai.agent.base._execute_sql_query component, enabling attackers to manipulate SQL queries and potentially access, modify, or exfiltrate database contents. No CVSS score, EPSS data, or KEV status is available; however, the vulnerability affects a widely-used data analysis library and publicly available proof-of-concept code exists, elevating real-world risk despite incomplete severity metrics.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in itsourcecode Payroll Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /manage_user.php, enabling arbitrary SQL query execution with confidentiality and integrity impact. The vulnerability has a publicly available exploit, making it immediately actionable for threat actors despite the moderate CVSS score.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in Alerta's Query string search API (q= parameter) allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying PostgreSQL database. The vulnerability stems from unsafe f-string interpolation of user-supplied search terms directly into SQL WHERE clauses without parameterization. Alerta versions prior to 9.1.0 are affected; the vulnerability has been patched in version 9.1.0 with no public exploit code identified at time of analysis.

PostgreSQL SQLi
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Simple Gym Management System 1.0 Payment Handler allows authenticated remote attackers to manipulate Payment_id, Amount, customer_id, payment_type, and customer_name parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists for this vulnerability; patch status from vendor remains unconfirmed.

SQLi Simple Gym Management System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Student Membership System 1.0 admin login allows unauthenticated remote attackers to bypass authentication and access sensitive data via crafted username/password parameters at /admin/index.php. Publicly available exploit code exists (VulDB 354296, GitHub POC), enabling trivial exploitation with no attack complexity. CVSS 7.3 reflects network-accessible attack with low confidentiality/integrity/availability impact. No vendor-released patch identified at time of analysis.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /delete_user.php, enabling unauthorized data exfiltration or manipulation. The vulnerability has CVSS score 5.3 (medium severity) with publicly available exploit code, though it requires authenticated access (PR:L) and carries low confidentiality, integrity, and availability impact per CVSS v4.0 assessment.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.

SQLi Umami Software
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Student Membership System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /delete_member.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability has been disclosed; however, active exploitation has not been confirmed by CISA. The attack requires valid authentication credentials but can be initiated over the network with minimal complexity.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in code-projects Student Membership System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the User Registration Handler component. The vulnerability has a CVSS score of 7.3 with network-based attack vector and low complexity, requiring no privileges or user interaction. EPSS data not available; no CISA KEV listing indicates confirmed actively exploited status is unknown. Publicly available exploit code exists per researcher disclosure on GitHub, elevating real-world risk for organizations running this application.

SQLi Student Membership System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Teacher Record System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'searchteacher' parameter in the Parameter Handler component. The vulnerability has a publicly available exploit (GitHub POC published), enabling extraction of sensitive data, modification of database records, or potential system compromise. CVSS 7.3 (High severity) with low attack complexity and no authentication required indicates significant exploitation risk.

SQLi Teacher Record System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability via the /admin/ajax.php login endpoint. Attackers manipulate the 'email' parameter to execute arbitrary SQL commands. Publicly available exploit code exists (GitHub POC published), significantly lowering the attack barrier. The CVSS score of 7.3 reflects network-based exploitation requiring low complexity and no privileges, with partial impact across all CIA triad elements. No CISA KEV listing at time of analysis, but the combination of public exploit and authentication bypass capability makes this a realistic threat to internet-facing instances.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Simple Doctors Appointment System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the Username parameter in /admin/login.php. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects low attack complexity and network accessibility. EPSS data unavailable, but public POC significantly elevates real-world risk for internet-facing installations.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the straightforward nature of SQL injection and public patch details increase exploitation risk.

Python SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

SQL injection in baserCMS prior to version 5.2.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through unvalidated input in blog post functionality. The vulnerability affects all versions before 5.2.3 and has been patched; no public exploit code or active exploitation has been confirmed at the time of analysis.

SQLi Basercms
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Blind SQL injection in SourceCodester Loan Management System v1.0 allows authenticated attackers to inject malicious SQL commands via the borrower_id parameter in the ajax.php save_loan action. The vulnerability requires valid authentication to exploit and publicly available proof-of-concept code exists, making this a moderate-risk issue for organizations using this open-source application despite the lack of CVSS scoring.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Remote SQL injection in code-projects Accounting System 1.0 allows unauthenticated attackers to execute arbitrary SQL queries via the cos_id parameter in the /viewin_costumer.php file. The vulnerability has a CVSS score of 6.9 with a public exploit available, enabling attackers to read sensitive data from the database with minimal attack complexity. This is a network-accessible PHP application flaw affecting confidentiality with confirmed public disclosure.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the toMail parameter in the /admin-api/system/mail-log/page endpoint, enabling data exfiltration and potential database manipulation. The vulnerability carries a CVSS score of 5.1 with moderate confidentiality and integrity impact. Public exploit code is available, and the vendor has not responded to early disclosure efforts, leaving organizations dependent on self-patching or workarounds.

SQLi
NVD GitHub VulDB
Prev Page 16 of 169 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
15171

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy