SQL Injection
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.
How It Works
When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.
Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.
Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.
Impact
- Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
- Authentication bypass — logging in as any user without knowing passwords
- Data manipulation — unauthorized modification or deletion of critical records
- Privilege escalation — granting administrative rights to attacker-controlled accounts
- Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
- Lateral movement — using compromised database credentials to access other connected systems
Real-World Examples
FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.
E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.
Mitigation
- Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
- Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
- Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
- Least privilege database accounts — applications should use credentials with minimal necessary permissions
- Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
- Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts
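As an added example (not code from the original page), the concatenation pattern described under How It Works beside the parameterized form recommended under Mitigation, plus the ORDER BY case that recurs in the CVE list below (orderby, sortBy, sort direction parameters), where identifiers cannot be bound and a strict allowlist is the defense. It uses an in-memory SQLite database with constructed sample rows; the table, column and user names are assumptions.

```python
"""Vulnerable query construction beside its hardened form (added example,
not from the original page). Sample rows are constructed; plaintext
passwords are used only to keep the demonstration short."""
import sqlite3

# Allowlists for the ORDER BY case: identifiers and keywords cannot be
# sent as bound parameters, so the only safe option is to reject anything
# that is not an expected value before SQL text is built.
ALLOWED_SORT_COLUMNS = {"username", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            created_at TEXT NOT NULL
        );
        INSERT INTO users (username, password, created_at) VALUES
            ('admin', 'hunter2', '2024-01-01'),
            ('alice', 's3cret', '2024-02-01');
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """'Before' form: input is pasted into the statement, so a quote in
    the password ends the literal and the rest is parsed as SQL.
    A password of  ' OR '1'='1  turns the WHERE clause into
    (username='x' AND password='') OR '1'='1', which matches every row."""
    sql = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized form: the driver sends the values separately from the
    SQL text, so the same input is compared as data and matches nothing."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def is_valid_sort(sort_column, direction):
    """Allowlist check for user-chosen sort column and direction."""
    return (sort_column in ALLOWED_SORT_COLUMNS
            and direction.upper() in ALLOWED_DIRECTIONS)


def list_users_vulnerable(conn, sort_column, direction):
    """The pattern behind the orderby/sortBy entries in the CVE list:
    caller-supplied identifiers concatenated unquoted into ORDER BY,
    so any SQL expression the caller writes is evaluated per row."""
    sql = f"SELECT username FROM users ORDER BY {sort_column} {direction}"
    return [r[0] for r in conn.execute(sql)]


def list_users_safe(conn, sort_column, direction):
    """Same query, but only allowlisted identifiers ever reach the SQL text."""
    if not is_valid_sort(sort_column, direction):
        raise ValueError(f"unsupported sort: {sort_column!r} {direction!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_column} {direction.upper()}"
    return [r[0] for r in conn.execute(sql)]
```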
Recent CVEs (5427)
SQL injection in TONNET's E-LAN Hybrid Recording System allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate database contents over the network. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, and no public exploit identified at time of analysis. The flaw is reported through TWCERT and affects TONNET's TPR7308 product line per CPE data.
Unauthenticated SQL injection in the PixelYourSite Boost plugin for WordPress (versions up to and including 2.0.3) allows remote attackers to extract sensitive database contents via time-based blind SQLi in the 'current_url' and 'user_name' parameters. Wordfence reported the issue with a CVSS 7.5 (confidentiality-only impact); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.
Unauthenticated SQL injection in the Creative Mail - Easier WordPress & WooCommerce Email Marketing plugin (versions up to and including 1.6.9) allows remote attackers to append arbitrary SQL clauses through the 'checkout_uuid' parameter handled by the has_checkout_consent() method. The flaw stems from missing escaping and the absence of a prepared statement, enabling extraction of sensitive database contents from any WordPress site running the vulnerable plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL Injection in the Infility Global WordPress plugin (all versions through 2.15.16) allows authenticated attackers holding only a Subscriber-level account to append arbitrary SQL to existing database queries and extract sensitive information. The vulnerability originates in the show_control_data::post_list() function, which is registered as an admin menu page gated only by the 'read' capability - the lowest WordPress capability tier. With CVSS C:H and no integrity or availability impact, the primary real-world risk is wholesale database exfiltration on any site with open user registration. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
SQL injection in Veritas InfoScale Operations Manager (VIOM) prior to v9.1.3 enables remote, unauthenticated attackers to escalate privileges via crafted requests. The vulnerability is network-accessible with no authentication or user interaction required, and SSVC scoring confirms it is automatable, lowering the bar for mass exploitation. No public exploit or CISA KEV listing has been identified at time of analysis, but the unauthenticated attack surface and automatable classification make this a meaningful exposure for any internet-facing VIOM deployment.
SQL injection in the Contest Gallery WordPress plugin (versions through 28.1.6) allows unauthenticated remote attackers to extract sensitive database contents by abusing the 'form_input' parameter handled by the 'post_cg_gallery_form_upload' AJAX action. The endpoint is gated only by a public nonce that is exposed in the page source of any public gallery page, effectively offering no protection against external attackers. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and affects a publicly reachable PHP endpoint.
SQL injection in the TYPO3 'address_list' extension's AddressRepository::getSqlQuery() method allows remote attackers to manipulate database queries when the method is called with untrusted input. The flaw is latent - the vulnerable method is not invoked anywhere within the extension itself, so default installations are not exposed, but custom or third-party extensions that reuse this method become injection sinks. No public exploit identified at time of analysis, and no EPSS or KEV signal accompanies the advisory.
SQL injection in the TYPO3 'news' extension allows unauthenticated remote attackers to inject arbitrary SQL through a URL parameter on pages that render the 'Date Menu of news articles' plugin. The flaw stems from missing sanitization of user input before it reaches a database query, and exposure is limited to sites that both use the affected plugin and have not enabled the TypoScript/plugin setting disableOverrideDemand. No public exploit identified at time of analysis.
SQL injection in BillaBear (all versions prior to January 2026) allows authenticated users holding the ROLE_ACCOUNT_MANAGER role to execute arbitrary SQL commands via the EventRepository component. The flaw stems from unsanitized filter identifier keys being concatenated into queries through sprintf(). No public exploit was identified at time of analysis and the CVE is not listed in KEV, but two CVE-referenced gists suggest detailed technical write-ups are publicly available. EPSS is very low (0.01%), but the high CVSS of 8.8 and clear exploitation path make this a meaningful risk for any deployed instance.
Pre-NVD disclosure via the oss-security mailing list (2026/05/15): CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation (reported by Martijn Visser).
SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
SQL injection in projectworlds Hospital Management System in PHP 1.0 enables unauthenticated remote attackers to extract or modify patient data through the appointment_no parameter in update_info.php. The vulnerability has publicly available exploit code and affects the getAllPatientDetail function, with the vendor notified but unresponsive.
SQL injection in linlinjava litemall 1.8.0 and earlier allows high-privileged remote attackers to read and modify database contents via crafted requests to multiple Admin Endpoint functions. Public exploit code is available (EPSS probability unknown from the provided data). The attack requires administrative credentials (PR:H) and yields low confidentiality, integrity, and availability impact on the vulnerable component (VC:L/VI:L/VA:L). Despite the CVSS 4.0 score of 2.0 (Low severity, due to the high privilege requirement), the existence of a public PoC and the lack of vendor response elevate practical risk for installations where admin accounts may be compromised.
SQL injection in litemall WeChat API allows unauthenticated remote attackers to extract, modify, or delete database contents via crafted queries to the goods listing endpoint. Publicly available exploit code exists targeting the WxGoodsController.list() function in versions up to 1.8.0. Vendor unresponsive to disclosure. EPSS data unavailable, but public POC and network accessibility (CVSS AV:N/AC:L/PR:N) indicate moderate exploitation risk for exposed instances.
SQL injection in Oinone Pamirs versions up to 7.2.0 allows remote unauthenticated attackers to read, modify, or delete database records via the queryListByWrapper interface. The RSQLToSQLNodeConnector.makeVariable function fails to properly sanitize input, enabling direct database manipulation. A publicly available proof-of-concept exploit exists (GitHub issue #12), and the vendor has not responded to disclosure attempts. EPSS data unavailable, not listed in CISA KEV. CVSS 5.5 (Medium) reflects confidentiality, integrity, and availability impacts all rated Low with network-accessible, low-complexity exploitation requiring no authentication.
SQL injection in Dataease 2.10.20's Data Dashboard component allows authenticated high-privilege attackers to execute arbitrary SQL queries via the SqlparserUtils.transFilter function. The vulnerability requires administrative access (CVSS PR:H) but enables database manipulation including data exfiltration, modification, and potential service disruption. Public exploit code exists on GitHub (xpp3901/CVE_APPLY), lowering the barrier for exploitation despite the high privilege requirement. The CVSS base score of 4.7 reflects limited scope due to authentication requirements, though real-world impact depends on admin credential security.
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries through the order history page. The vulnerability exists in the /user/orders endpoint where order_by and direction parameters are directly concatenated into SQL queries without sanitization, enabling database compromise with low-privileged user credentials. The vendor has released version 1.0.8.3 to address this issue.
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and SMTP secrets by sending a crafted User-Agent header to the public GET /api/captcha endpoint. The flaw sits in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), which interpolate the header into DELETE and INSERT statements via sprintf with no escaping. No public exploit identified at time of analysis, though VulnCheck has published a detailed reachability writeup and a verified time-based blind PoC payload appears in the GHSA advisory.
SQL injection in phpMyFAQ prior to 4.1.2 allows attackers authenticating through Azure AD/Entra ID OAuth to execute arbitrary database queries by embedding SQL metacharacters in their identity provider display name or JWT claims. The CurrentUser::setTokenData() method interpolates OAuth token fields into an UPDATE statement via sprintf without calling the database escape routine, while sibling methods in the same file correctly escape input. Publicly available exploit code exists per VulnCheck and the GHSA advisory, though EPSS is low (0.03%, 9th percentile) and the issue is not in CISA KEV.
Time-based blind SQL injection in NEX-Forms Ultimate Forms Plugin for WordPress through version 9.1.12 allows authenticated administrators to extract sensitive database information by injecting arbitrary SQL queries via the insufficiently escaped 'table' parameter. The vulnerability requires administrator-level access and is not actively exploited in public records, but poses significant risk to multi-admin WordPress installations where admin accounts may be compromised or untrusted.
SQL injection in ClipBucket v5's admin panel allows authenticated administrators to exfiltrate database contents via the action_logs.php endpoint. The type parameter is directly concatenated into SQL queries without parameterization, enabling UNION-based attacks to extract sensitive data including user credentials, video metadata, and system configuration. Affects all versions prior to 5.5.3 - #122. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given the straightforward injection point and admin access requirement.
SQL injection in Marten's PostgreSQL full-text search APIs allows remote unauthenticated attackers to execute arbitrary database commands when applications pass user-controlled input to the regConfig parameter. The vulnerability affects all five search method overloads (SearchAsync, PlainTextSearchAsync, PhraseSearchAsync, WebStyleSearchAsync, PrefixSearchAsync) where the regConfig parameter is interpolated directly into SQL without validation. Confirmed exploit payloads demonstrate time-based blind extraction, information disclosure via SELECT statements, and DDL execution including table drops. Vendor-released patch available in Marten 8.37.0 via GitHub PR #4343. No public exploit identified at time of analysis, though the advisory includes working proof-of-concept payloads for all affected methods.
SQL injection in n8n's Source Control feature allows attackers with git repository write access to execute arbitrary SQL against the PostgreSQL backend when administrators pull malicious Data Table JSON files. The vulnerability requires a specific attack chain: attacker git repository access, Source Control feature enabled, PostgreSQL backend, and admin-triggered pull operation. Vendor-released patches are available across all affected version branches (1.x, 2.20.x, 2.21.x). No public exploit identified at time of analysis, and the multi-prerequisite exploitation path significantly limits real-world attack surface to supply chain or insider threat scenarios.
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. PostgreSQL 16.x, 17.x, and 18.x versions prior to 16.14, 17.10, and 18.4 respectively are vulnerable; earlier versions are unaffected. No public exploit code or active exploitation has been identified.
Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
SQL injection in PostgreSQL's pg_createsubscriber utility escalates privileges from pg_create_subscription to superuser, enabling arbitrary SQL execution. Affects PostgreSQL versions 17.0-17.9 and 18.0-18.3; exploitation requires high-privilege access (pg_create_subscription rights) but occurs remotely without additional complexity. Attack triggers when pg_createsubscriber next executes. Fixed in PostgreSQL 18.4 and 17.10. No CISA KEV listing or public exploit identified at time of analysis, but the technical simplicity (AC:L) and privilege escalation nature present moderate risk for multi-tenant or hosted PostgreSQL environments where subscription management permissions are delegated.
Remote unauthenticated SQL injection in Akilli Commerce Software Technologies E-Commerce Website before version 4.5.001 allows complete database compromise without authentication. The vulnerability permits blind SQL injection attacks with network-level access and low complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), achieving full confidentiality, integrity, and availability impact (9.8 critical severity). TR-CERT (Turkish national CERT) published this advisory, indicating regional significance for Turkish e-commerce deployments. No public exploit identified at time of analysis, with EPSS risk data and CISA KEV status unavailable for initial assessment.
ProfileGrid User Profiles plugin for WordPress versions up to 5.9.8.4 allows authenticated attackers with Subscriber-level access to execute blind SQL injection attacks via the 'rid' parameter due to insufficient input escaping and lack of prepared statement use. The vulnerability enables extraction of sensitive database information without user interaction. No public exploit code or active exploitation has been confirmed at this time.
Time-based SQL injection in Avada Builder for WordPress allows remote unauthenticated attackers to extract sensitive database information via the 'product_order' parameter. CVSS 7.5 (High) reflects network-accessible attack vector with no authentication required, but exploitation is limited to specific deployments where WooCommerce was previously installed then deactivated. No active exploitation confirmed (not in CISA KEV), but vulnerability disclosed by Wordfence Threat Intelligence with technical details publicly available.
Time-based blind SQL injection in JoomSport WordPress plugin (all versions ≤5.7.7) enables unauthenticated remote attackers to extract sensitive database contents including credentials, user data, and configuration secrets via the unsanitized 'sortf' parameter. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS data not provided; no CISA KEV listing indicates exploitation not yet confirmed in the wild. Wordfence Threat Intel reported this vulnerability with proof-of-concept code references pointing to specific vulnerable functions in class-jsport-getplayers.php and class-jsport-playerlist.php, enabling straightforward exploitation by security researchers and threat actors alike.
SQL injection in Charitable - Donation Plugin for WordPress versions up to 1.8.10.4 allows authenticated users with donation management admin privileges to inject malicious SQL via the 's' search parameter, enabling extraction of sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage in the donation search functionality. Attack requires administrator-level access to the donation management area (edit_others_donations capability), limiting scope to internal threats but carrying high confidentiality impact.
SQL injection in multiple Advantech industrial IoT platforms allows remote authenticated attackers with high privileges to execute arbitrary database commands. Affected products include WebAccess/SCADA, SaaS Composer, IoTSuite Growth/Starter, and IoT Edge across Windows and Linux Docker deployments. The vulnerability enables complete database compromise - attackers can read sensitive industrial control system data, modify configurations, or delete critical operational information. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, though exploitation requires administrative credentials (PR:H), significantly limiting attack surface compared to unauthenticated SQL injection vulnerabilities.
The Court Reservation - Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to other organizations. This vulnerability is fixed in 1.20.1.
SQL injection in FortiMail 7.2.0-7.2.8, 7.4.0-7.4.5, and 7.6.0-7.6.3 allows authenticated privileged administrators to execute arbitrary code or commands via crafted HTTP/HTTPS requests. The vulnerability requires high-privilege authentication (administrator role) and affects all recent major versions, with exploitation confirmed possible through network-accessible admin interfaces.
SQL injection in Fortinet FortiNDR 7.0 through 7.6.2 allows authenticated attackers to execute unauthorized code or commands via crafted HTTP requests. The vulnerability affects multiple versions across the 7.x branch, and its CVSS temporal vector carries E:P (proof-of-concept exploit code maturity), suggesting feasible attack conditions despite the moderate CVSS score (5.1). Patch availability and active exploitation status require confirmation from the vendor advisory.
SQL injection in Pandora FMS versions 777-800 allows authenticated attackers with low privileges to exfiltrate or manipulate database contents via the graph container parameter. Attack complexity is high (AC:H), with exploitation requiring specific timing conditions. No active exploitation confirmed per CISA KEV, and EPSS data not provided. A vendor advisory from PandoraFMS confirms the vulnerability, which affects the narrow version range of approximately builds 777 through 800.
SQL injection in Ivanti Endpoint Manager web console enables authenticated remote attackers to execute arbitrary code on the server. Affects all versions prior to 2024 SU6. Attack requires only low-privilege authenticated access (CVSS PR:L) with low complexity (AC:L), making exploitation straightforward for any authenticated user. Ivanti has released patched version 2024 SU6 per vendor advisory dated May 2026. No CISA KEV listing or public exploit code identified at time of analysis, indicating exploitation not yet confirmed in the wild despite high severity score.
SQL injection in the Elixir postgrex library allows local attackers with control over PostgreSQL LISTEN/UNLISTEN channel names to execute arbitrary SQL commands including DDL and DML operations. The Postgrex.Notifications module (versions 0.16.0 through 0.22.1) fails to escape double-quote characters in channel arguments, enabling attackers to break out of quoted identifiers and chain multi-statement payloads such as DROP TABLE commands. Vendor patch available in version 0.22.2 per GitHub advisory GHSA-r73h-97w8-m54h. No public exploit code or CISA KEV listing identified at time of analysis, though the technical details and patch diff are publicly disclosed.
Blind SQL injection in WP Travel plugin versions ≤11.4.0 allows authenticated attackers with low-level privileges to extract sensitive database contents through time-based or boolean queries. The vulnerability enables cross-scope confidentiality breach with high impact (CVSS:C:H), permitting unauthorized access to all WordPress database information including user credentials, private travel booking details, and payment data. EPSS data unavailable; no CISA KEV listing indicates exploitation remains targeted rather than widespread. Patchstack's inclusion in their vulnerability database suggests active researcher interest and potential proof-of-concept development.
Blind SQL injection in Xpro Elementor Addons allows authenticated attackers to extract sensitive database contents including user credentials and site configurations. The vulnerability affects WordPress sites running plugin versions up to 1.5.1 and requires only low-privileged authenticated access (CVSS PR:L) with no user interaction. EPSS data not available, but the low attack complexity (AC:L) combined with changed scope (S:C) indicates potential for cross-boundary impact beyond the vulnerable plugin. No active exploitation confirmed in CISA KEV at time of analysis.
Blind SQL injection in BEAR woo-bulk-editor plugin for WordPress up to version 1.1.7.1 allows high-privilege authenticated administrators to extract database contents through specially crafted SQL queries. The scope change in CVSS (S:C) indicates potential impact beyond the plugin itself, enabling access to other WordPress data or resources. No public exploit code or active exploitation indicators identified at time of analysis, but Patchstack public disclosure increases weaponization risk.
Blind SQL injection in APIExperts Square for WooCommerce (WooSquare) plugin versions up to 4.7.1 allows authenticated attackers with low-level privileges to extract sensitive database contents including customer data, order information, and potentially administrative credentials. The vulnerability enables scope escalation from the WordPress application context to the underlying database layer (S:C in CVSS vector), representing a significant data breach risk for WooCommerce stores. Reported by Patchstack, a WordPress vulnerability intelligence provider. No active exploitation confirmed in CISA KEV at time of analysis.
Blind SQL injection in Views for WPForms WordPress plugin (versions ≤3.4.6) allows authenticated low-privilege attackers with network access to extract sensitive database contents. The vulnerability enables cross-scope compromise with high confidentiality impact and limited availability disruption. Patchstack reported this SQLi flaw; no public exploit identified at time of analysis. EPSS data not available, suggesting lower immediate exploitation probability, though the low attack complexity (AC:L) makes exploitation straightforward once authenticated access is obtained.
Blind SQL injection in Ninja Forms Views plugin (versions ≤3.3.2) allows authenticated attackers with low-level privileges to extract sensitive database information via specially crafted queries. The vulnerability carries an 8.5 CVSS score with scope change, enabling attackers to access data beyond the plugin's normal authorization boundaries. Reported by Patchstack with detailed vendor advisory available, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
SQL injection in Akilli Commerce E-Commerce Website versions before 4.5.001 allows remote unauthenticated attackers to execute arbitrary SQL commands with complete database access. The vulnerability permits extraction of sensitive customer and transaction data, modification of product catalogs and pricing, and potential complete system compromise. CVSS score of 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction, though no active exploitation has been reported in CISA KEV and EPSS data is not available.
SQL injection in KACO Meteor server affecting all versions of blueplanet inverter product line allows authorized attackers on the local network to elevate privileges and modify system data. The vulnerability requires high-privilege credentials and abnormal configuration access (AC:H), limiting exploitation to insider threats or attackers who have already compromised administrative access. CVSS 6.0 with integrity and availability impact reflects significant risk within trusted network environments.
Time-based blind SQL injection in the Eight Day Week Print Workflow WordPress plugin (versions up to 1.2.6) via the 'title' parameter in the pp-get-articles AJAX action allows authenticated attackers with Subscriber-level access to extract sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage, enabling attackers to append arbitrary SQL queries to extract confidential data with high confidentiality impact.
SQL injection in the AIWU AI Chatbot WordPress plugin (versions ≤1.4.17) allows remote unauthenticated attackers to extract sensitive database contents via the getListForTbl() function due to unsanitized user input in SQL queries. Partial mitigation exists in version 1.4.11+ through administrator-only nonce protection, but the underlying SQL injection vulnerability persists. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact. Wordfence provides detailed vulnerable code references across multiple plugin files including controller.php, req.php, and model.php. No evidence of active exploitation (not in CISA KEV) at time of analysis.
SQL injection in SAP HANA Deployment Infrastructure (HDI) deploy library allows high-privileged users to manipulate dynamically constructed SQL queries, potentially altering SELECT statements and compromising confidentiality and availability. Attack requires local access and high privileges (PR:H), limiting real-world risk despite SQL injection severity. No public exploit code or active exploitation has been identified at the time of analysis.
SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications.
Authenticated SQL injection in elFinder's MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including those with read-only access, to inject malicious SQL via crafted file hash parameters. The vulnerability stems from improper validation of decoded file hashes before use in SQL queries, enabling attackers to manipulate query logic through the target parameter. This affects only installations using the non-default MySQL volume driver (versions <=2.1.67); the default LocalFileSystem driver is not vulnerable. Vendor-released patch available in version 2.1.68. CVSS 8.8 with network vector and low attack complexity indicates straightforward exploitation for authenticated attackers.
Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default `app` role) can shadow unqualified identifiers like `current_database()` referenced in the stock `default-monitoring.yaml`, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.
Authenticated remote code execution in pgAdmin 4 versions before 9.15 allows low-privilege users to execute arbitrary OS commands on the pgAdmin server via unsanitized input in the Import/Export query export feature. Attackers inject malicious payloads into psql \copy metacommand templates to break out of the query context and invoke PROGRAM directives or write arbitrary files. No public exploit code identified at time of analysis, but exploitation requires only low-privilege authenticated access with no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). EPSS data not provided; KEV status not confirmed.
SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.
SQL injection in Corteza 2024.9.8 allows authenticated remote attackers to execute arbitrary SQL queries against the Microsoft SQL Server backend when filtering Compose records by the meta field, potentially leading to unauthorized data access or manipulation. Exploitation requires valid user credentials and attacker control over filter parameters.
SQL injection in HireFlow v1.2 enables unauthenticated attackers to bypass authentication and exfiltrate the entire database via /login and /search endpoints. Direct string concatenation without parameterization allows both authentication bypass using comment injection (admin'--) and UNION-based data extraction. Public proof-of-concept code exists, and the CISA SSVC framework classifies the flaw as automatable with total technical impact (SSVC: POC, automatable, total technical impact), warranting immediate patching even though the EPSS exploitation probability remains low (0.10%, 28th percentile), which suggests limited observed exploitation attempts.
SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.
SQL injection in CodeAstro Online Catering Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /deleteorder.php, with publicly available exploit code disclosed. Despite a low CVSS score of 2.1 due to authentication requirements and limited impact scope, the vulnerability enables data exfiltration or manipulation within the application's database with minimal attack complexity.
SQL injection in PHP's PDO Firebird driver allows remote attackers to manipulate database queries when applications use PDO::quote() with attacker-controlled input containing NUL bytes. The vulnerability affects PHP versions 8.2.* through 8.5.* across all maintained branches, with vendor patches released (8.2.31, 8.3.31, 8.4.21, 8.5.6). CVSS 7.4 with network attack vector but requires user interaction and precise timing conditions (AT:P). Proof-of-concept exploitation status confirmed (E:P), though no active exploitation identified in CISA KEV at time of analysis.
SQL injection in Gibbon education platform versions prior to v30.0.01 enables authenticated users with Teacher privileges or higher to execute arbitrary SQL queries through the Tracking/graphing module. Exploitation allows unauthorized read and write access to the underlying database. Project Black Security Services has published detailed exploit documentation demonstrating the attack. While vendor release notes classify this as 'low severity, accessible to admin users only,' the CVSS 7.0 score and authenticated Teacher-level access requirement indicate moderate risk for multi-tenant or compromised-account scenarios.
Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11.
SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.
SQL injection vulnerability in pgx (Go PostgreSQL driver) prior to version 5.9.2 allows authenticated attackers to manipulate queries when the non-default simple protocol is used in conjunction with dollar-quoted string literals containing attacker-controlled placeholder-like text. The vulnerability requires specific configuration (simple protocol mode enabled) and precise SQL structure (dollar-quoted strings with embedded placeholder syntax), making exploitation unlikely in typical deployments but possible in applications explicitly using QueryExecModeSimpleProtocol.
SQL injection in Beauty Parlour Management System v1.1 enables unauthenticated remote attackers to extract, modify, or delete database contents through the aptnumber parameter at /appointment-detail.php endpoint. With CVSS 9.8 (critical severity) and network-accessible exploit requiring no authentication, this represents a complete compromise vector. Public proof-of-concept code exists on GitHub, and CISA SSVC framework rates it as automatable with total technical impact, though CISA KEV does not yet list active exploitation. EPSS data unavailable, but the combination of public POC, zero authentication requirements, and straightforward SQLi exploitation pattern indicates high probability of opportunistic scanning and exploitation.
SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.
Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.
SQL injection in LiteLLM proxy server versions 1.81.16 through 1.83.6 allows unauthenticated remote attackers to read and modify database contents, gaining unauthorized access to managed LLM API credentials. The vulnerability is exploitable via crafted Authorization headers sent to any LLM API route (e.g., POST /chat/completions), triggering the injection through the proxy's error-handling path. Vendor-released patch available in version 1.83.7. No active exploitation confirmed (not in CISA KEV), but the attack vector is simple (CVSS 4.0: AV:N/AC:L/PR:N) and SQL injection POCs are widely known. Discovered by Tencent YunDing Security Lab.
SQL injection in FilePress up to version 2.2.0 allows unauthenticated remote attackers to manipulate the order parameter in the Shares Filelist API (dzz/shares/admin.php and dzz/shares/ajax.php) to execute arbitrary SQL queries. The vulnerability exploits insufficient input validation on the order parameter, enabling data exfiltration or manipulation. Publicly available exploit code exists, and a vendor patch has been released.
SQL injection in CodeAstro Leave Management System 1.0 allows remote unauthenticated attackers to manipulate the txt_username parameter in /login.php, enabling database queries to be executed with low confidentiality and integrity impact. Publicly available exploit code exists for this vulnerability, increasing real-world exploitation risk despite the moderate CVSS score of 5.5.
SQL injection in SourceCodester SUP Online Shopping 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the msgid parameter in /admin/replymsg.php, enabling data extraction or modification. Publicly available exploit code exists and the vulnerability has a CVSS score of 5.5 with confirmed low impact to confidentiality, integrity, and availability.
SQL injection in SourceCodester SUP Online Shopping 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the seenid parameter in /admin/message.php. The vulnerability has a publicly available exploit and presents moderate confidentiality and integrity risk with a CVSS score of 5.5, though impact is limited to partial data access and modification without availability impact.
SQL injection in SourceCodester SUP Online Shopping 1.0 allows remote unauthenticated attackers to manipulate the delwlistid parameter in wishlist.php, enabling arbitrary SQL query execution with potential impact on data confidentiality and integrity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite the moderate CVSS 5.5 score.
SQL injection in SourceCodester SUP Online Shopping 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via manipulation of the msgid parameter in /admin/viewmsg.php. The vulnerability has a publicly available exploit and impacts data confidentiality, integrity, and availability with a CVSS score of 5.5. While actively demonstrated through public proof-of-concept code, the lack of authentication requirements combined with network accessibility presents moderate real-world risk to exposed instances.
SQL injection in SourceCodester Comment System 1.0 allows remote unauthenticated attackers to manipulate the Name argument in post_comment.php, enabling arbitrary SQL query execution with low confidentiality and integrity impact. Publicly available exploit code exists and the attack requires no special user interaction or authentication, making it accessible to any network-connected attacker.
SQL injection in code-projects Simple Chat System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the type, length, or business parameters in sendMessage.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists and the vulnerability carries a CVSS score of 6.3 with authenticated network access.
SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the condition parameter in the /sys/dict/loadTreeData endpoint, leading to unauthorized data access with limited confidentiality impact. The vulnerability affects the JSON Object Handler component and has publicly available exploit code, though the low CVSS score (2.1) and required authentication significantly limit practical risk despite confirmed vendor awareness.
SQL injection in code-projects Feedback System 1.0 admin login panel allows remote unauthenticated attackers to bypass authentication and access administrative functions via crafted email parameter. Publicly available proof-of-concept exploit code exists on GitHub. CVSS 7.3 (High) with network vector and low complexity indicates straightforward exploitation requiring no special configuration. EPSS data not provided, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed instances.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the squeryx parameter in /askquery.php, enabling unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists and the vulnerability affects the default installation with no special configuration required.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=save_user. The vulnerability has a publicly available exploit and CVSS 5.5 score reflecting limited confidentiality, integrity, and availability impact on the vulnerable component.
SQL injection in Dagster orchestration platform allows authenticated users with 'Add Dynamic Partitions' permission to execute arbitrary SQL against DuckDB, Snowflake, BigQuery, and DeltaLake databases via crafted partition keys. Affected I/O managers interpolate dynamic partition values into WHERE clauses without sanitization, enabling attackers to read or modify data under the I/O manager's database credentials. Only deployments using dynamic partitions are vulnerable - static and time-window partitions are unaffected. Vendor-released patches are available (Dagster Core 1.13.1, libraries 0.29.1). No public exploit code identified at time of analysis, though exploitation is straightforward for authenticated users with the specific permission.
SQL injection in Team Member WordPress plugin versions up to 8.5 allows authenticated administrators to extract database contents via blind SQL injection. Reported by Patchstack, this vulnerability requires high-level privileges (PR:H) but enables cross-scope confidentiality breach (S:C), allowing attackers to read sensitive data beyond their normal authorization boundaries. EPSS data and KEV status not provided; no public exploit code confirmed at time of analysis.
{formId} endpoint to dump database contents, extract credentials, or manipulate data. Time-based blind SQLi confirmed via SLEEP() injection with 3-second delays, and error-based extraction confirmed via extractvalue() technique. Patched in version 4.6.1. EPSS data not available; no CISA KEV listing identified at time of analysis.
Quick Facts
- Typical Severity: HIGH
- Category: web
- Total CVEs: 5427