SQL Injection
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.
How It Works
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.
Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.
Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.
Impact
- Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
- Authentication bypass — logging in as any user without knowing passwords
- Data manipulation — unauthorized modification or deletion of critical records
- Privilege escalation — granting administrative rights to attacker-controlled accounts
- Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
- Lateral movement — using compromised database credentials to access other connected systems
Real-World Examples
FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.
E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.
Mitigation
- Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
- Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
- Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
- Least privilege database accounts — applications should use credentials with minimal necessary permissions
- Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
- Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts
Recent CVEs (15159)
SQL injection in the Grav CMS Database plugin (grav-plugin-database) prior to 1.2.0 lets attacker-controlled table names reach a raw SQL query. The PDO::tableExists method interpolates its table argument directly into a query with no sanitization, escaping, quoting, or whitelisting, so any consuming plugin or developer code that forwards untrusted input into that method can execute arbitrary SQL against the configured database. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 9.2, with an attack-requirement (AT:P) reflecting the dependency on downstream code passing tainted table names.
SQL injection in Dell PowerFlex Manager prior to version 5.1.0.1 allows a remote, low-privileged authenticated attacker to inject crafted SQL commands through the management interface, resulting in information disclosure and unauthorized access to data beyond the attacker's authorized scope. Rated CVSS 8.5 with a scope-changed vector, the flaw is reported by Dell (DSA-2026-066) and carries confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.
SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.
Time-based SQL injection in the JoomSport WordPress plugin (all versions through 5.7.9) enables authenticated contributors to exfiltrate sensitive database contents via unsanitized 'event' shortcode attributes. The flaw exists in at least two code paths - joomsport-shortcodes.php and class-jsport-getplayers.php - where user-supplied shortcode parameters are interpolated into SQL queries without parameterization or adequate escaping. Because WordPress Contributor-level users can embed shortcodes in posts and pages, the effective attacker pool includes any registered user granted that role, broadening realistic exposure beyond typical authenticated-only flaws. No public exploit code or CISA KEV listing identified at time of analysis, but a patch commit (changeset 3594276) is referenced in the plugin repository.
Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. No public exploit or CISA KEV listing has been identified at time of analysis; real-world risk is moderated by the required administrator-level authentication.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.
SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.
Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.
Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.
Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.
Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.
SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.
Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.
{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.
Stored SQL injection in YesWiki's `recentchanges` action enables arbitrary read of the underlying MySQL database by any user who can save a wiki page - on default installations, this includes unauthenticated visitors. The payload is persisted as wiki page content and executes on every subsequent page load, leaking rows (including admin usernames and password hashes) rendered directly into the HTML response as hyperlinks. A fully working UNION-based proof-of-concept is included in the GitHub security advisory, confirming practical exploitability with no public exploit identified at time of analysis in CISA KEV.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated remote attackers to manipulate the Username parameter on /login.php, potentially bypassing authentication or extracting database contents. A publicly available proof-of-concept exploit exists, published via a GitHub issue and documented in VulDB entry 377116. No CISA KEV listing is present, but the combination of network accessibility, no authentication requirement, and a live POC makes this a practical risk for any exposed deployment.
SQL injection in the AcyMailing newsletter/email-marketing extension for Joomla (all versions before 10.11.1) allows remote attackers to inject crafted database queries, resulting in unauthorized database access and data leakage. The high CVSS 4.0 score (9.2) reflects unauthenticated network reach and high confidentiality impact against the Joomla back-end database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a public disclosure write-up exists on mysites.guru.
Authenticated SQL injection in SOPlanning lets a user holding the parameters_all privilege inject SQL through the audit retention configuration form, which is stored and then executed whenever the audit functionality is loaded by that attacker or any other user. Affected installations prior to version 1.56.01 face compromise of the underlying database, including data theft and modification. No public exploit identified at time of analysis; the flaw was reported by CERT-PL and is not listed in CISA KEV.
SQL injection in Inrove BiEticaret e-commerce platform before v3.3.57 allows remote unauthenticated attackers to inject arbitrary SQL commands (CWE-89) through improperly neutralized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector. Successful exploitation yields full read/write access to the backing database (C:H/I:H/A:H, CVSS 9.8). This flaw was reported by TR-CERT (Turkey's national CERT); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Time-based SQL injection in the Mail Mint WordPress plugin (versions ≤1.24.2) allows authenticated administrators to extract arbitrary data from the underlying database via the unsanitized 'contact_ids' parameter in the contact management API. Reported by Wordfence, the flaw is rooted in insufficient input escaping and missing prepared statements in the ContactModel and ContactController layers. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, a corrective changeset (3597255) has been committed to the WordPress plugin repository.
SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized `orderby` parameter in the leave management module. The flaw resides in `functions-leave.php` and `LeaveRequestsListTable.php`, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. No public exploit code is confirmed and this CVE is not listed in the CISA KEV catalog, but the confidentiality impact is high given the plugin stores HR records, payroll data, and CRM contacts.
SQL injection in code-projects Online Food Order System 1.0 exposes the `/edit_food_items.php` endpoint to unauthenticated remote database manipulation via the `update` parameter. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication or special conditions, with limited but confirmed impact across confidentiality, integrity, and availability. A public exploit has been released (E:P), making opportunistic targeting realistic despite the niche deployment footprint; no patch or vendor advisory has been identified.
SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the backend database to unauthenticated remote attackers through the `email` parameter at `/SimpleOnlineLeave/index.php`. Manipulation of this parameter allows an attacker to alter SQL query logic, enabling authentication bypass, database enumeration, and data modification without any credentials or user interaction. A public proof-of-concept exploit has been disclosed via GitHub, significantly lowering the skill barrier for exploitation; the vulnerability is not currently listed in the CISA KEV catalog.
SQL injection in code-projects Interview Management System 1.0 exposes the application to remote, unauthenticated database manipulation via the ID parameter in /inc/classes/View.php. An attacker with network access can read, modify, or partially disrupt data stored in the underlying database with no authentication required and no user interaction needed. A public exploit exists (referenced via GitHub at https://github.com/susususua-AI/CVE/issues/2), though no active exploitation has been confirmed by CISA KEV as of this analysis.
A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality.
SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. EPSS sits at the 5th percentile (0.15%) and no CISA KEV listing exists, indicating no public exploit identified at time of analysis despite the straightforward CWE-89 root cause.
Unauthenticated SQL injection in IBM API Connect's password reset functionality allows remote attackers to inject arbitrary SQL against the backing database without credentials, affecting versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. With a CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and total technical impact, exploitation can lead to full compromise of confidentiality, integrity, and availability of the API management data store. No public exploit identified at time of analysis, and EPSS remains low (0.44%), but IBM has released patches and CISA's SSVC flags the flaw as automatable with total impact.
SQL and DDL injection in the Snowflake Terraform Provider before 2.18.0 lets an attacker who can influence pipeline workspace variables execute arbitrary SQL inside the provider's privileged Snowflake session (CWE-89), enabling data exfiltration and creation of long-lived credentials. A second flaw allows identifier-injection into user-management DDL, so accounts can be minted with attacker-controlled credentials that bypass operator-configured security controls. No public exploit identified at time of analysis; risk is authenticated/insider-driven rather than remote-unauthenticated.
SQL injection in the Snowflake Snowpark Python SDK (snowpark-python) before 1.53.0 lets an authenticated low-privilege Snowflake user execute SQL beyond their authorization scope, enabling cross-tenant data theft and source-database compromise. Three distinct injection points are involved - malicious source column names via DataFrameReader.dbapi(), a crafted location parameter that redirects COPY INTO in DataFrameWriter, and a backslash-single-quote bypass of normalize_path() in DataFrame.to_csv(). Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in n8n's legacy MySQL v1 node (executeQuery operation) exposes the connected MySQL database to arbitrary query execution when workflow expressions interpolate attacker-controlled input without parameterization. Versions before 1.123.61 (1.x branch), 2.27.4 (2.x branch), and 2.28.1 (2.28.x branch) are affected when workflows combine the MySQL v1 node with externally-reachable triggers such as a Webhook node. No public exploit or CISA KEV listing is identified at time of analysis; however, deployments exposing such workflows to untrusted networks face high-severity database confidentiality and integrity risk.
SQL injection in Webbeyaz Web Design's Mediküm Web application (all versions through build 08072026) lets remote unauthenticated attackers inject arbitrary SQL commands, yielding full read/write control over the backend database. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction; no public exploit has been identified at time of analysis. Critically, the vendor confirmed to TR-CERT that the product is end-of-life and unsupported, so no fix will be issued.
Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.
SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.
SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.
SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 7.5 reflects confidentiality-only impact via time-based blind extraction.
Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.
SQL injection in DataEase before 2.10.24 lets an authenticated user inject arbitrary SQL into queries run against configured datasources by supplying malicious quota (chart aggregation) or Y-axis filter values. The flaw sits in Quota2SQLObj.getYWheres(), which embeds attacker-controlled filter values directly into generated SQL while skipping the literal validation and escaping that other filter paths enforce. No public exploit identified at time of analysis, but the fixing commit and GitHub Security Advisory publicly disclose the exact vulnerable code path.
Prompt-to-Cypher injection in Langroid's Neo4jChatAgent (pip package langroid <= 0.65.4) lets anyone who can influence the agent's prompt — directly, or indirectly through content pulled in via RAG — steer arbitrary Cypher into the Neo4j driver with no validation or opt-out gate, allowing unauthorized read, modification, and full destruction of all graph data, plus a LOAD CSV SSRF/remote-fetch primitive. When APOC or dbms.security procedures are granted to the database role, the same primitive escalates to OS-command and filesystem access, making it RCE-equivalent and matching the Critical parent issue CVE-2026-25879. No public weaponized exploit is identified at time of analysis, though the GHSA advisory documents a static grep-based reproduction; no KEV or EPSS signal is present in the source data.
SQL injection in FOSSBilling's Massmailer module exposes the application database to read access by authenticated administrators who can supply crafted filter values during mass email message updates. Affected versions span 0.6.0 through 0.7.2, with the fix shipped in version 0.8.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the high confidentiality impact (VC:H per CVSS 4.0) means a malicious or compromised administrator account could extract sensitive billing and client data from the underlying database.
Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.
SQL injection in the Amazon (agentic-community) mcp-gateway-registry before 1.0.13 allows an authenticated remote user to execute arbitrary SQL queries by supplying a crafted table_name that the metrics-service retention policy component interpolates directly into SQL in identifier position. Because the injection sits in an identifier (table name) position rather than a parameterizable value, it bypasses ordinary prepared-statement protections and grants broad read/write access to the metrics datastore. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; a vendor patch (v1.0.13) is available.
SQL injection in PROG MIS's Prog Management System allows unauthenticated remote attackers to inject arbitrary SQL commands and read arbitrary database contents. The flaw carries a CVSS 4.0 base score of 8.7 (High) and requires no authentication, privileges, or user interaction, but its impact is limited to confidentiality (data disclosure) rather than data modification or service disruption. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Taiwan's TWCERT.
SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/paymentdischarge.php` endpoint to database manipulation via the unsanitized `patientid` parameter. Low-privileged authenticated attackers can exploit this remotely with no user interaction required, achieving limited read, write, and availability impact against the underlying database. No public KEV listing, but a proof-of-concept exploit is publicly disclosed on GitHub, meaningfully lowering the bar for opportunistic exploitation in any internet-exposed deployment.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the /edit_course1.php endpoint to remote, unauthenticated database manipulation via an unsanitized ID parameter. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required and the attack is trivially executable over the network. Exploit code has been publicly disclosed per VulDB submission and a GitHub issue report, with the E:P modifier in the CVSS 4.0 vector corroborating proof-of-concept availability - though no CISA KEV listing indicates confirmed active exploitation at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the /payment.php endpoint to database manipulation via an unsanitized `patientid` parameter, exploitable by any authenticated low-privilege user over the network. The CVSS 4.0 vector (PR:L, AV:N) confirms remote exploitation is feasible with only a basic account, and partial confidentiality, integrity, and availability impact is expected against the underlying database. Publicly available exploit code exists on GitHub, materially lowering the skill threshold for exploitation despite the moderate 5.3 CVSS score.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized ID parameter in /edit_room.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required, and the E:P supplemental metric confirms public exploit code exists. An attacker can read, modify, or partially disrupt the underlying database without any prior access to the application.
SQL injection in code-projects Real State Services 1.0 exposes the `/builderHome.php` endpoint to unauthenticated remote attackers who can manipulate database queries via the unsanitized `loc` parameter. A public proof-of-concept exploit exists (referenced via GitHub), lowering the exploitation barrier to script-kiddie level. No KEV listing exists, and the product's limited real-world deployment constrains overall population risk despite the trivial attack conditions.
SQL injection in CodeAstro Ecommerce Website 1.0 exposes the order confirmation endpoint to authenticated remote attackers who can manipulate the unsanitized `invoice_no` POST parameter to alter backend SQL queries. Exploitation is constrained to authenticated customer accounts (PR:L per CVSS 4.0 vector) but requires no additional configuration or user interaction. A public proof-of-concept has been released via GitHub Gist (E:P), lowering the technical bar for abuse despite a low CVSS 4.0 score of 2.1; no confirmed active exploitation or CISA KEV listing exists at time of analysis.
SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the `/apartment-visitor/search-result.php` endpoint to remote exploitation via the `searchdata` POST parameter, allowing low-privileged authenticated attackers to read, modify, or partially disrupt underlying database contents. A public proof-of-concept exploit exists on GitHub, lowering the skill barrier for opportunistic attacks against any internet-facing deployment. No CISA KEV listing has been confirmed, and the CVSS 4.0 score of 5.3 reflects a limited partial-impact scope; however, the POC's availability meaningfully elevates real-world exploitation probability above what the score alone suggests.
SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.
SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the backend database through the Room Management Page at /admin/rooms.php, where the `delete` parameter is passed unsanitized into SQL queries. Remote attackers can exploit this to read, modify, or potentially delete database records. Publicly available exploit code exists per the GitHub advisory by anubhavv106, raising the operational risk despite the moderate CVSS 4.0 score of 5.5 and absence of a CISA KEV listing.
SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.
SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.
SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the admin panel endpoint /admin/add_room.php to database manipulation via multiple unsanitized parameters. A proof-of-concept exploit has been publicly documented in a Medium article, lowering the barrier for opportunistic exploitation. The CVSS 4.0 vector rates this as network-reachable with no authentication required (PR:N), though this conflicts with the admin-panel location of the endpoint - a discrepancy that should be verified, as exploitation scope depends entirely on whether the admin interface enforces access controls.
SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.
SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.
SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.
SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.
SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.
SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.
SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.
SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.
SQL injection in code-projects Smart Parking System 1.0 exposes the `/parkings/parkings.php` endpoint to remote unauthenticated exploitation via unsanitized `street`, `city`, and `status` parameters. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier network access with no authentication or user interaction required. A public proof-of-concept has been disclosed via a Medium article specifically documenting escalation from SQL injection to arbitrary file read, materially increasing real-world risk beyond the moderate base score of 5.5.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to remote, unauthenticated attackers through the unsanitized ID parameter in /edit_product.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no prerequisites, yielding low-rated but real confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is contradicted by the description and E:P supplemental metric - a public exploit exists, elevating the practical risk above what the 5.5 base score alone suggests for any internet-exposed instance.
SQL injection in Hanwang e-Face General Management Platform 6.3.5.4 exposes the /sysAuthStr/querySysAuthStr.do endpoint to unauthenticated remote database manipulation via the unsanitized `order` parameter. The endpoint handles system authorization strings, meaning successful exploitation likely targets credential or access-control records - a high-sensitivity data class despite the vendor-assigned Low impact ratings. A public proof-of-concept is documented via VulDB (no CISA KEV listing at time of analysis); no EPSS score was provided in the source intelligence.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers through the unsanitized 'ID' parameter in /edit_coursea.php. The CVSS 4.0 E:P modifier and the CVE description both confirm that public exploit code exists, lowering the bar for opportunistic exploitation. Impact is assessed as limited across confidentiality, integrity, and availability (all Low), but the absence of authentication requirements makes this accessible to any network-reachable attacker.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database through the unsanitized ID parameter in /edit_exam.php, reachable by unauthenticated remote attackers. The exploit has been publicly disclosed (CVSS 4.0 E:P), allowing any actor with network access to enumerate, read, or manipulate database contents. No KEV listing is present; exploitation appears opportunistic rather than targeted, consistent with the niche deployment footprint of this product.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientreport.php` endpoint to remote manipulation via the `editid` parameter, allowing an authenticated attacker to craft arbitrary SQL statements against the backend database. The CVSS 4.0 base score is 2.1 (Low), reflecting constrained confidentiality, integrity, and availability impact, with no scope change to adjacent systems. Publicly available exploit code exists (E:P per the CVSS 4.0 threat metric), though no active exploitation has been confirmed via CISA KEV.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the patient database to authenticated low-privilege attackers via the `patientname` parameter in `/patientprofile.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no attack complexity, while the E:P supplemental metric confirms publicly available proof-of-concept exploit code. No vendor patch has been released, leaving deployments reliant on compensating controls; however, real-world risk is bounded by the product's extremely limited production footprint as an educational PHP project.
SQL injection in itsourcecode Hospital Management System 1.0 allows remote attackers with low-level privileges to manipulate the `loginid` parameter in `/patientlogin.php`, enabling unauthorized database read, modification, or deletion operations. The vulnerability scores 5.3 on CVSS 4.0 and is compounded by a publicly available proof-of-concept exploit published on GitHub, materially lowering the barrier to opportunistic attack. No CISA KEV listing has been identified, but the public POC and low attack complexity make any internet-exposed deployment an actionable target.
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.
SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.
SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.
SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate the `editid` parameter in `/patientorder.php`, potentially exposing or modifying patient order records and underlying database contents. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and that a public exploit has been disclosed via GitHub. While the base impact metrics are rated Low across confidentiality, integrity, and availability, the sensitivity of healthcare data in scope and the trivially available proof-of-concept raise practical risk above what the numeric score alone suggests.
SQL injection in code-projects Internship Management System 1.0 exposes authenticated employer accounts to database query manipulation via the `Current` parameter in the password change endpoint (`employer/details/change_password.php`). The flaw carries a CVSS 4.0 score of 5.3, is rooted in unsanitized PHP input passed directly into SQL queries (CWE-89), and has a publicly available proof-of-concept exploit on GitHub. No public exploit identified as confirmed in CISA KEV, but the combination of low attack complexity and public PoC meaningfully raises real-world exploitation likelihood against any internet-exposed deployment.
SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 enables remote, low-privilege authenticated attackers to manipulate backend database queries via the `apartmentno` parameter in `/apartment-visitor/add-apartment.php`. The CVSS 4.0 score of 2.1 reflects a constrained impact scope (low C/I/A on the vulnerable system, no downstream system impact), but the presence of a publicly available proof-of-concept lowers the exploitation bar significantly. Real-world impact could extend beyond the CVSS score if the database user holds elevated permissions, potentially enabling unauthorized data extraction or record manipulation across the application's dataset. No public exploit identified via CISA KEV; no vendor patch identified at time of analysis.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 15159