SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (4555)

CVE-2024-13150
EPSS 0% CVSS 9.8
CRITICAL This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Fayton Software and Consulting Services fayton.Pro ERP allows SQL Injection.Pro ERP: through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-8868
EPSS 17% CVSS 9.8
CRITICAL PATCH This Week

In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3%.

SQLi Automate
NVD
CVE-2025-6724
EPSS 0% CVSS 8.8
HIGH PATCH This Month

In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in multiple services via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Automate
NVD
CVE-2025-11118
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in CodeAstro Student Grading System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Student Grading System
NVD GitHub VulDB
CVE-2025-11116
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was found in code-projects Simple Scheduling System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Scheduling System
NVD GitHub VulDB
CVE-2025-11115
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability has been found in code-projects Simple Scheduling System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Scheduling System
NVD GitHub VulDB
CVE-2025-11114
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A flaw has been found in CodeAstro Online Leave Application 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Leave Application
NVD GitHub VulDB
CVE-2025-11113
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was detected in CodeAstro Online Leave Application 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Leave Application
NVD GitHub VulDB
CVE-2025-11111
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Advanced Online Voting System
NVD GitHub VulDB
CVE-2025-11110
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11109
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Computer Sales And Inventory System
NVD GitHub VulDB
CVE-2025-11108
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was determined in code-projects Simple Scheduling System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Scheduling System
NVD GitHub VulDB
CVE-2025-11107
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in code-projects Simple Scheduling System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Scheduling System
NVD GitHub VulDB
CVE-2025-11106
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability has been found in code-projects Simple Scheduling System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Scheduling System
NVD GitHub VulDB
CVE-2025-11105
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A flaw has been found in code-projects Simple Scheduling System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Scheduling System
NVD GitHub VulDB
CVE-2025-11104
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was detected in CodeAstro Electricity Billing System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Electricity Billing System
NVD GitHub VulDB
CVE-2025-11102
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11101
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Open Source Job Portal
NVD GitHub VulDB
CVE-2025-11094
EPSS 0% CVSS 6.9
MEDIUM This Month

A security vulnerability has been detected in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi E Commerce Site
NVD GitHub VulDB
CVE-2025-11090
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Open Source Job Portal
NVD GitHub VulDB
CVE-2025-11089
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was determined in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Courseselectionsystem
NVD GitHub VulDB
CVE-2025-11088
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A weakness has been identified in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Open Source Job Portal
NVD GitHub VulDB
CVE-2025-11077
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was determined in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11076
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11075
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11074
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A flaw has been found in code-projects Project Monitoring System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Project Monitoring System
NVD VulDB GitHub
CVE-2025-11071
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A security vulnerability has been detected in SeaCMS 13.3.20250820. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD GitHub VulDB
CVE-2025-11070
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in Projectworlds Online Shopping System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Shopping System
NVD GitHub VulDB
CVE-2025-11066
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A flaw has been found in code-projects Online Bidding System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Bidding System
NVD GitHub VulDB
CVE-2025-11064
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11063
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was identified in Campcodes Online Learning Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11062
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was determined in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11061
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-11057
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-11056
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A flaw has been found in ProjectsAndPrograms School Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi School Management System
NVD VulDB
CVE-2025-11055
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was detected in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Hotel Reservation System
NVD GitHub VulDB
CVE-2025-11054
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security vulnerability has been detected in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Open Source Job Portal
NVD GitHub VulDB
CVE-2025-11053
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in PHPGurukul Small CRM 4.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Small Crm
NVD GitHub VulDB
CVE-2025-11052
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A security flaw has been discovered in kidaze CourseSelectionSystem 1.0/5.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Courseselectionsystem
NVD GitHub VulDB
CVE-2025-59939
EPSS 0% CVSS 8.8
HIGH POC This Week

WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVE-2025-11041
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Open Source Job Portal
NVD GitHub VulDB
CVE-2025-11040
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was detected in code-projects Hostel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hostel Management System
NVD GitHub VulDB
CVE-2025-11039
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Computer Sales And Inventory System
NVD GitHub VulDB
CVE-2025-11038
EPSS 0% CVSS 5.3
MEDIUM This Month

A weakness has been identified in itsourcecode Online Clinic Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Online Clinic Management System
NVD VulDB
CVE-2025-11037
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi E Commerce Website
NVD GitHub VulDB
CVE-2025-11036
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was identified in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi E Commerce Website
NVD GitHub VulDB
CVE-2025-11033
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Courseselectionsystem
NVD GitHub VulDB
CVE-2025-11032
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A flaw has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Courseselectionsystem
NVD GitHub VulDB
CVE-2025-60118
EPSS 0% CVSS 8.5
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection.9.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-60110
EPSS 0% CVSS 8.5
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-60109
EPSS 0% CVSS 8.5
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-60108
EPSS 0% CVSS 8.5
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-60107
EPSS 0% CVSS 8.5
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-10037
EPSS 0% CVSS 4.9
MEDIUM Monitor

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-10036
EPSS 0% CVSS 4.9
MEDIUM Monitor

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-10973
EPSS 0% CVSS 6.9
MEDIUM This Month

A flaw has been found in JackieDYH Resume-management-system up to fb6b857d852dd796e748ce30c606fe5e61c18273. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVE-2025-59816
EPSS 0% CVSS 7.3
HIGH This Month

This vulnerability allows attackers to directly query the underlying database, potentially retrieving all data stored in the Billing Admin database, including user credentials. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-59814
EPSS 0% CVSS 8.8
HIGH This Month

This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SQLi
NVD
CVE-2025-10967
EPSS 0% CVSS 6.9
MEDIUM This Month

A vulnerability was detected in MuFen-mker PHP-Usermm up to 37f2d24e51b04346dfc565b93fc2fc6b37bdaea9. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVE-2025-27261
EPSS 0% CVSS 8.7
HIGH This Week

Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ericsson SQLi Indoor Connect 8855 Firmware
NVD
CVE-2025-40698
EPSS 0% CVSS 8.7
HIGH This Month

SQL injection vulnerability in Prevengos v2.44 by Nedatec Consulting. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-29084
EPSS 0% CVSS 6.5
MEDIUM POC This Week

SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Upgrade.php file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE SQLi +1
NVD GitHub
CVE-2025-29083
EPSS 0% CVSS 6.5
MEDIUM POC This Month

SQL Injection vulnerability in CSZ-CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the execSqlFile function in the Plugin_Manager.php file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE +2
NVD GitHub
CVE-2025-10184
EPSS 0% CVSS 8.2
HIGH This Week

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure SQLi +1
NVD
CVE-2025-10857
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in Campcodes Point of Sale System POS 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Point Of Sale System
NVD VulDB
CVE-2025-10851
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A security flaw has been discovered in Campcodes Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD VulDB
CVE-2025-10848
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in Campcodes Society Membership Information System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Society Membership Information System
NVD VulDB
CVE-2025-10846
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was determined in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi I Educar
NVD VulDB
CVE-2025-10845
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was found in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi I Educar
NVD VulDB
CVE-2025-10844
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability has been found in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi I Educar
NVD VulDB
CVE-2025-10843
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A flaw has been found in Reservation Online Hotel Reservation System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Hotel Reservation System
NVD GitHub VulDB
CVE-2025-10842
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was detected in code-projects Online Bidding System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Bidding System
NVD GitHub VulDB
CVE-2025-10841
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A security vulnerability has been detected in code-projects Online Bidding System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Bidding System
NVD GitHub VulDB
CVE-2025-10840
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-10839
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-10836
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-10835
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-10834
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Open Source Job Portal
NVD GitHub VulDB
CVE-2025-10833
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was determined in 1000projects Bookstore Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bookstore Management System
NVD GitHub VulDB
CVE-2025-10832
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was found in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-10831
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Computer Sales And Inventory System
NVD GitHub VulDB
CVE-2025-10830
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A flaw has been found in Campcodes Computer Sales and Inventory System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Computer Sales And Inventory System
NVD GitHub VulDB
CVE-2025-10829
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was detected in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Computer Sales And Inventory System
NVD GitHub VulDB
CVE-2025-10828
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Pet Grooming Management Software
NVD GitHub VulDB
CVE-2025-10826
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A security flaw has been discovered in Campcodes Online Beauty Parlor Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Beauty Parlor Management System
NVD GitHub VulDB
CVE-2025-10825
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in Campcodes Online Beauty Parlor Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Beauty Parlor Management System
NVD GitHub VulDB
CVE-2025-10817
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A weakness has been identified in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Learning Management System
NVD GitHub VulDB
CVE-2025-10813
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability was found in code-projects Hostel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hostel Management System
NVD GitHub VulDB
CVE-2025-10812
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in code-projects Hostel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hostel Management System
NVD GitHub VulDB
CVE-2025-59570
EPSS 0% CVSS 7.6
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFunnels Mail Mint allows SQL Injection.18.6. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
Prev Page 18 of 51 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4555

Related CWEs

MITRE ATT&CK

References

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy