Skip to main content

SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (15171)

EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote SQL injection in YunaiV yudao-cloud up to version 2026.01 allows unauthenticated attackers to execute arbitrary SQL queries via the Website parameter in the /admin-api/system/tenant/get-by-website endpoint. The vulnerability has a CVSS score of 6.9 with public exploit code available, enabling remote compromise of database confidentiality and integrity without authentication or user interaction. The vendor has not responded to early disclosure notification.

SQLi Yudao Cloud
NVD VulDB GitHub
EPSS 0% CVSS 7.4
HIGH This Week

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the mysqlColumnAsInsert function located in plugins/mysql/lib/column.go. The vulnerability affects the MySQL plugin component and enables attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. Public proof-of-concept code is available, and CVSS/EPSS data are not yet assigned by NVD.

SQLi Schemahero
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH This Week

SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Prototype pollution in MikroORM's Utils.merge function allows attackers to modify JavaScript object prototypes when applications pass untrusted user input into ORM operations. Affects @mikro-orm/core npm package, enabling denial of service and potentially SQL injection when polluted properties influence query construction. No public exploit identified at time of analysis, though GitHub security advisory published by the project maintainers confirms the vulnerability class (CWE-1321).

Prototype Pollution Denial Of Service SQLi
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SQL injection in MikroORM JavaScript ORM (versions ≤6.6.9 and ≤7.0.5) allows attackers to execute arbitrary SQL commands when specially crafted user-controlled objects are passed to query construction APIs. The vulnerability stems from duck-typed detection of internal ORM markers that attackers can replicate in malicious input objects. Applications passing unsanitized user input directly to write APIs like wrap().assign(), em.nativeUpdate(), em.nativeInsert(), or em.create() are exploitable. No public exploit identified at time of analysis, though the attack technique is straightforward for environments accepting untrusted JSON/object input.

SQLi
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the en_id parameter in /view_work.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available, increasing practical exploitation risk despite the moderate CVSS score of 6.9.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /edit_costumer.php. The vulnerability has a CVSS 4.0 score of 6.9 with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS severity.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Accounting System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the cos_id parameter in /view_costumer.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no authentication required. CVSS 7.3 reflects high exploitability (AV:N/AC:L/PR:N) with partial impact across confidentiality, integrity, and availability. No vendor-released patch identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in all-orders.php. The vulnerability has a publicly available exploit and requires no authentication or user interaction (CVSS 7.3, AV:N/AC:L/PR:N). No vendor-released patch identified at time of analysis, representing elevated risk for installations of this PHP-based food ordering application.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Food Order System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'Name' parameter in register-router.php. The vulnerability permits unauthorized database access with confirmed publicly available exploit code (EPSS and CVSS both indicate medium-severity risk). Attack complexity is low with no user interaction required, enabling automated exploitation. No vendor-released patch identified at time of analysis, and exploitation requires no authentication (CVSS PR:N).

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Food Order System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Status parameter in /all-tickets.php. The vulnerability is trivially exploitable with low attack complexity and requires no user interaction. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Sinaptik AI PandasAI versions up to 0.1.4 allows unauthenticated remote attackers to manipulate database operations through the pandasai-lancedb extension. Six functions (delete_question_and_answers, delete_docs, update_question_answer, update_docs, get_relevant_question_answers_by_id, get_relevant_docs_by_id) in lancedb.py are vulnerable to SQL injection attacks. Publicly available exploit code exists (CVSS 7.3, EPSS data not provided). The vendor has not responded to disclosure attempts.

SQLi Pandasai pandas
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

SQL injection in Fleet device management software versions prior to 4.81.0 allows authenticated Team Admin or Global Admin users to execute arbitrary SQL queries against the Fleet database via the MDM bootstrap package configuration API endpoint. Attackers with these privileges can exfiltrate sensitive data, modify arbitrary team configurations, and inject malicious content into team settings. The vulnerability requires authentication but poses significant risk to multi-tenant Fleet deployments where administrative credentials may be compromised or where insider threats exist.

SQLi Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

SQL injection in Fleet's Apple MDM profile delivery pipeline before version 4.81.0 allows authenticated attackers with valid MDM enrollment certificates to exfiltrate or modify database contents, including user credentials, API tokens, and device enrollment secrets. This second-order SQL injection vulnerability affects the cpe:2.3:a:fleetdm:fleet product line and requires valid MDM enrollment credentials to exploit, limiting the attack surface to adversaries who have already established trust within the MDM enrollment process. No public exploit code or active exploitation has been identified at the time of this analysis.

SQLi Apple Suse
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Social Networking Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in delete_photos.php, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects an unknown function in the Endpoint component and has publicly available exploit code, increasing the likelihood of active abuse despite the moderate CVSS 5.3 score.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.

SQLi Avideo
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/mod_room/index.php?view=edit, leading to unauthorized database query execution. The vulnerability requires valid admin credentials (CVSS PR:L) but has publicly available exploit code and represents a moderate information disclosure and integrity risk (CVSS 5.3 with limited confidentiality, integrity, and availability impact). Active exploitation status is not confirmed via CISA KEV, but proof-of-concept code is documented in public repositories.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL commands through unsanitized input in the save_customer action's username parameter. The application fails to implement proper input validation or prepared statements, enabling attackers to manipulate database queries directly. Publicly available exploit code exists, and this vulnerability affects the PHP-based web application with no confirmed patch status at time of analysis.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to execute arbitrary SQL commands via the username parameter in Actions.php (save_user action), due to improper input sanitization. Publicly available exploit code exists demonstrating this vulnerability. While CVSS and EPSS scores are unavailable, the authenticated requirement and public POC availability indicate moderate real-world risk for deployments with user account access.

SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in Streamax Crocus 1.3.44 parameter handler allows unauthenticated remote attackers to manipulate the State argument in /DevicePrint.do?Action=ReadTask endpoint, enabling database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notification and no patch is available.

SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Streamax Crocus 1.3.44 contains a remote SQL injection vulnerability in the /OperateStatistic.do endpoint via the VehicleID parameter, allowing unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not responded to early disclosure notifications, leaving affected deployments without an official patch.

SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in mingSoft MCMS 5.5.0 allows authenticated remote attackers to manipulate the Web Content List Endpoint (ContentAction.java) and execute arbitrary database queries, potentially leading to unauthorized data disclosure, modification, or deletion. The vulnerability requires low-privilege authentication (CVSS PR:L) and has publicly available exploit code disclosed on GitHub, making it an active threat to deployed MCMS instances.

SQLi Java
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated SQL injection in Group-Office's JMAP Contact/query endpoint allows any user with basic addressbook permissions to extract database contents, including active session tokens, enabling full account takeover of any user including System Administrators. Affects Group-Office versions before 6.8.158, 25.0.92, and 26.0.17. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit or active exploitation confirmed. Despite 8.8 CVSS score, real-world risk depends heavily on whether attackers can obtain valid low-privilege credentials first.

SQLi Microsoft
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up to 2.4.0) lets remote attackers log in as any user when an administrator has cleared the auth_username_chars setting. The flaw is a CWE-89 SQL injection in the SQL-backed authentication driver: with input character filtering disabled, attacker-controlled username data reaches the SQL auth query unsanitized, enabling both full authentication bypass and account enumeration. Reported by OX and tracked as EUVD-2026-16561; no public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none while assessing technical impact as total.

SQLi Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cypher injection in Spring AI Neo4j vector store (versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3) allows unauthenticated remote attackers to access confidential data stored in Neo4j databases. The vulnerability exists in Neo4jVectorFilterExpressionConverter where user-controlled filter expression keys are embedded into Cypher property accessors without proper backtick escaping, enabling attackers to break out of the intended property context and execute arbitrary Cypher queries. CVSS score of 7.5 reflects high confidentiality impact with network accessibility and low attack complexity, though no public exploit has been identified at time of analysis.

Java SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Shenzhen Ruiming Technology Streamax Crocus bis version 1.3.44 allows unauthenticated remote attackers to execute arbitrary SQL commands via the State parameter in the /RemoteFormat.do endpoint. Publicly available exploit code exists, as documented in a Feishu document linked in VulDB disclosure 353661. The vendor was notified but has not responded, leaving users without a vendor-acknowledged remediation path. With a CVSS score of 7.3 and network-accessible attack vector requiring no privileges, this represents a significant risk to exposed systems.

SQLi Streamax Crocus
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the userid parameter in /modstaffinfo.php. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. The CVSS score of 7.3 reflects network accessibility without authentication requirements (PR:N), though impact is rated as Low across confidentiality, integrity, and availability.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to manipulate database queries through the 'id' parameter in admin/manage_category.php, enabling unauthorized data extraction, modification, or deletion. The vulnerability affects the administrative interface and has publicly available exploit code, presenting immediate risk to deployed instances of this e-commerce platform.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL queries through the 'id' parameter in admin/view_product.php, enabling unauthorized database access and potential data exfiltration. The vulnerability affects the administrative interface and publicly available exploit code exists, increasing real-world exploitation risk despite the absence of formal CVSS scoring.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'id' parameter in admin/manage_product.php, enabling unauthorized database access and data exfiltration. Publicly available exploit code exists for this vulnerability; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation at scale.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to inject arbitrary SQL commands through the unvalidated 'name' parameter in the save_category action of Actions.php. The vulnerability affects the application's category management functionality and enables data exfiltration, modification, or deletion. Publicly available exploit code exists demonstrating the vulnerability, increasing practical exploitation risk despite authentication requirement.

SQLi PHP
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.

Path Traversal SQLi Inventree
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Tandoor Recipes application versions prior to 2.6.0 expose complete database schema and access control logic through an undocumented debug parameter in the Recipe API endpoint, allowing any authenticated user to extract raw SQL queries including table structures, JOIN relationships, WHERE conditions, and multi-tenant space identifiers even in production environments with DEBUG=False. A proof-of-concept exploit is available (SSVC exploitation status: poc). The CVSS 4.0 score of 7.7 reflects network-based exploitation with no attack complexity, and SSVC indicates the vulnerability is automatable with partial technical impact.

SQLi Python
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

AVideo, a popular open-source video platform, stores video access passwords in plaintext within the database, enabling attackers who gain read access through SQL injection, backup exposure, or misconfigured controls to harvest all protected video passwords without cracking. The vulnerability is tracked as CWE-312 (Cleartext Storage of Sensitive Information) and affects AVideo installations using the video password protection feature. A proof-of-concept demonstrating direct database extraction is documented in the GitHub advisory. Vendor patch is available via commit f2d68d2adbf73588ea61be2b781d93120a819e36, and no public exploit identified at time of analysis beyond the documented PoC.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in WWBN AVideo category management allows authenticated administrators to extract database contents including user credentials and private video metadata. The vulnerability resides in objects/category.php where user-supplied category title slugs are concatenated directly into SQL queries without parameterization. A working proof-of-concept demonstrates UNION-based injection to retrieve the users table. Upstream fix available via GitHub commit 994cc2b3d802b819e07e6088338e8bf4e484aae4, though no public exploit identified at time of analysis beyond the documented PoC.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in WWBN AVideo objects/like.php allows authenticated users to read and potentially modify the entire database by injecting malicious payloads into the videos_id parameter during like/dislike actions. The vulnerability affects pkg:composer/wwbn_avideo and arises from mixing parameterized queries with direct string concatenation. A proof-of-concept UNION-based injection exists demonstrating credential extraction. Upstream fix available (PR/commit); released patched version not independently confirmed.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated SQL injection in JS Help Desk WordPress plugin versions up to 3.0.4 allows remote attackers to extract sensitive database information via the multiformid parameter in the storeTickets() function. The vulnerability exploits improper use of esc_sql() without SQL quote encapsulation, enabling injection of additional SQL queries without requiring quote characters. CVSS scored 7.5 (High) with no public exploit identified at time of analysis and SSVC assessment indicates automatable exploitation with partial technical impact.

WordPress SQLi
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS score of 8.3 with network-based attack vector requiring user interaction. No public exploit is identified at time of analysis, and SSVC assessment indicates no current exploitation with non-automatable attack characteristics.

SQLi Aftermarket Dpc
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in itsourcecode Free Hotel Reservation System 1.0 via the ID parameter in /admin/mod_amenities/index.php?view=editpic allows authenticated remote attackers to manipulate database queries and extract or modify sensitive data. The vulnerability requires valid administrator credentials to exploit (PR:L per CVSS 4.0 vector), affects confidentiality and integrity of database contents, and carries moderate real-world risk despite a CVSS score of 5.3 due to publicly available exploit code and low attack complexity. No vendor-released patch has been identified; the system appears to be unsupported or abandoned based on available advisory data.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 3.5
LOW Monitor

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the moderate CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.

XSS SQLi Command Injection +1
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Ticaret V4
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in qdPM 9.1 timeReport endpoint enables remote unauthenticated attackers to extract database contents via crafted filter_by parameters in POST requests. Public exploit code exists (Exploit-DB 45767), and CISA SSVC framework confirms proof-of-concept availability with automatable exploitation. Despite 8.8 CVSS severity, EPSS risk probability remains low at 0.07% (21st percentile), suggesting limited observed exploitation activity. Attackers can retrieve sensitive project management data including credentials, user information, and business records without authentication.

SQLi Information Disclosure Qdpm
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Asp Net Jvideo Kit
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Authentication Bypass Library Cms
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Information Disclosure Sat Cfdi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi School Management System Cms
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Wecodex Restaurant Cms
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Shipping System Cms
NVD Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkregisitem.php parameter handler allows unauthenticated remote attackers to manipulate the Long-arm-shirtVol argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available to remediate this issue.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in the Admin Login Module of code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter in /admin.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations should implement network-level controls or upgrade to a patched version once available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the deptid parameter in the grades index page. Public exploit code is available for this vulnerability, and no patch is currently available. The attack requires only network access with no additional complexity or user interaction.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in code-projects Online Food Ordering System 1.0's Shopping Cart Module (cart.php) allows unauthenticated remote attackers to manipulate the del parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected PHP-based installations are at immediate risk of database compromise and data exfiltration.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Food Ordering System 1.0 via the custom parameter in /purchase.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based installations of this food ordering platform.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Malawi Online Market 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /display.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability remains unpatched and affects PHP-based deployments of this application.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Accounting System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the cos_id parameter in /my_account/delete.php. Public exploit code exists for this vulnerability, enabling potential unauthorized database access and manipulation. No patch is currently available.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in Daylight Studio FuelCMS v1.5.2 Login.php component allows remote attackers to execute arbitrary SQL queries against the application database. The vulnerability affects the authentication mechanism, potentially enabling account enumeration, credential bypass, or unauthorized data extraction. No public exploit code or active exploitation has been confirmed at this time, though the specific attack vector suggests direct manipulation of login form parameters.

PHP SQLi N A
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in /update_stock.php via HTTP GET requests, enabling unauthorized database query execution with limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability carries a moderate CVSS 5.3 score with low real-world exploitation probability (EPSS 0.03%, percentile 8%), indicating this is a lower-priority issue despite public disclosure.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.

Openemr SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely-used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. The vulnerability requires high privileges (PR:H) but is network-accessible and has no attack complexity, enabling attackers to extract sensitive patient data, modify health records, or disrupt medical operations.

SQLi Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept is currently available.

SQLi Openemr
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a SQL injection vulnerability in the MedEx recall/reminder processing code where user-controlled variables are concatenated directly into SQL queries without parameterization or type casting. An authenticated attacker with high privileges can exploit this to extract, modify, or delete sensitive healthcare data from the database. While the CVSS score of 5.9 is moderate, the attack requires high privilege level (PR:H) and high complexity (AC:H), but the confidentiality and integrity impacts are severe given the medical context.

SQLi Openemr
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_sales.php allows authenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability and exploitation requires valid user credentials. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

A Blind SQL Injection vulnerability exists in OpenEMR's Patient Search functionality that allows authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys instead of values. OpenEMR versions prior to 8.0.0.3 are affected. With a CVSS score of 8.1 (High), this vulnerability enables high confidentiality and integrity impact, allowing attackers to extract sensitive patient health records and potentially modify database contents, though exploitation requires low-privileged authentication.

PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.

SQLi PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.

SQLi Publishpress Revisions
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects the JS Help Desk plugin (identified via CPE cpe:2.3:a:joomsky:js_help_desk) and was reported by Patchstack. While no CVSS score or EPSS data is currently available, the blind SQL injection classification (CWE-89) indicates a serious data exfiltration and potential privilege escalation risk; however, the lack of CVE metadata and KEV designation suggests this may be a newer or less widely exploited vulnerability pending full disclosure and vendor patch release.

SQLi Js Help Desk
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

A blind SQL injection vulnerability exists in the Miraculous Core Plugin for WordPress (versions prior to 2.1.2), allowing attackers to execute arbitrary SQL commands against the underlying database without displaying query results directly. This vulnerability affects all installations of the kamleshyadav Miraculous Core Plugin below version 2.1.2, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. While CVSS and EPSS scores are not yet available and KEV status is unknown, the SQL injection classification (CWE-89) and reporting via Patchstack indicate this is a validated vulnerability with a confirmed patch available in version 2.1.2.

SQLi Miraculous Core Plugin
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.

SQLi Chatbot
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A blind SQL injection vulnerability exists in the Product Rearrange for WooCommerce plugin (versions up to 1.2.2) that allows attackers to execute arbitrary SQL commands against the WooCommerce database without direct output visibility. This affects WordPress installations using the Devteam HaywoodTech product-rearrange-woocommerce plugin, enabling attackers to extract sensitive data, modify database records, or potentially escalate privileges. While no CVSS score or EPSS data is currently published, the vulnerability's classification as blind SQL injection combined with its presence in a publicly available WordPress plugin suggests moderate to high real-world risk of exploitation.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

A blind SQL injection vulnerability exists in AA-Team's WZone WordPress plugin through version 14.0.31, allowing unauthenticated attackers to extract sensitive database information without direct error-based feedback. The vulnerability affects all versions of WZone up to and including 14.0.31, enabling attackers to manipulate SQL queries through improperly neutralized user input. While no CVSS score or EPSS probability is available in the disclosed data, the blind SQL injection classification and the plugin's wide WordPress ecosystem adoption suggest moderate to high real-world risk, particularly if the vulnerability is easily triggerable and no authentication is required.

SQLi Wzone
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A SQL injection vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting all versions through 3.0, that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). While no CVSS score or EPSS metric is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15695, indicating active awareness in vulnerability tracking systems.

SQLi Addon Jobsearch Chat
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A blind SQL injection vulnerability exists in King-Theme's Lumise Product Designer WordPress plugin, allowing unauthenticated attackers to extract sensitive data through time-based or boolean-based SQL inference techniques without direct query result visibility. The vulnerability affects all versions of Lumise Product Designer prior to 2.0.9. Attackers can exploit this to bypass authentication, enumerate database schemas, or extract user credentials and plugin configuration data.

SQLi Lumise Product Designer
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.

SQLi Jobmonster
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

A blind SQL injection vulnerability exists in ElementInvader Addons for Elementor, a WordPress plugin, affecting all versions through 1.4.2. An attacker can exploit this CWE-89 vulnerability to extract sensitive data from the underlying database without authentication, leveraging the plugin's improper neutralization of special SQL elements. No CVSS score, EPSS metric, or active KEV designation is currently available, but the blind SQL injection vector indicates meaningful exploitability risk requiring immediate patching.

SQLi Elementinvader Addons For Elementor Elementor
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A blind SQL injection vulnerability exists in WPFactory's Advanced WooCommerce Product Sales Reporting plugin (versions through 4.1.3) that allows attackers to execute arbitrary SQL commands against the underlying database. This WordPress plugin is widely deployed on e-commerce sites using WooCommerce, and the blind SQL injection technique enables attackers to extract sensitive data without requiring direct error message feedback. While no CVSS score, EPSS value, or KEV status has been assigned at this time, the vulnerability is classified as CWE-89 (SQL Injection) and has been documented by Patchstack, indicating active research and potential proof-of-concept availability.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

A blind SQL injection vulnerability exists in NooTheme's Organici Library WordPress plugin through version 2.1.2, allowing unauthenticated attackers to extract sensitive data from the underlying database without direct error feedback. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements in SQL Commands) and has been documented by Patchstack as a critical WordPress plugin security issue. While no CVSS score, EPSS probability, or public proof-of-concept availability has been confirmed in available sources, the blind SQL injection attack vector and broad plugin distribution make this a medium-to-high priority for WordPress administrators managing affected installations.

SQLi Organici Library
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.

SQLi Lisfinity Core
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Opencart Core
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated attackers can exploit SQL injection in Support Board v3.7.7's AJAX endpoint to fully compromise the application database through the calls[0][message_ids][] parameter, enabling complete data exfiltration and manipulation. The vulnerability requires only low privileges and network access, with no user interaction needed, making it trivially exploitable in multi-tenant environments. A patch is available and should be applied immediately given the HIGH severity rating and complete database access impact.

SQLi PHP
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 PHP application allows unauthenticated remote attackers to execute arbitrary database queries through the serviceId parameter in /checkcheckout.php. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the College Management System 1.0 parameter handler allows authenticated attackers to manipulate the course_code argument in /admin/add-single-student-results.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but can compromise data confidentiality and integrity.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in update_purchase.php, enabling unauthorized database queries and potential data exfiltration. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the update_out_standing.php file's sid parameter that allows authenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based deployments and has a CVSS score of 5.3.

SQLi PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in update_customer_details.php allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations using PHP-based deployments of this system should restrict access to the vulnerable component until a fix is released.

PHP SQLi
NVD VulDB GitHub
Prev Page 17 of 169 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
15171

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy