Skip to main content

SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (15171)

EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL queries via the getDictItems API endpoint due to insufficient validation in the isExistSqlInjectKeyword function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete database contents. No patch is currently available, and public exploit code has been disclosed.

SQLi
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.

PostgreSQL RCE SQLi +3
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in WordPress Community Events plugin up to version 1.5.8 allows authenticated administrators to extract sensitive database information through malicious CSV file uploads exploiting inadequately sanitized venue name fields. The vulnerability requires high-level privileges and manual interaction but poses a significant confidentiality risk to WordPress installations using this plugin. No patch is currently available.

WordPress SQLi File Upload
NVD
EPSS 0% CVSS 7.5
HIGH This Week

ZIP Code Based Content Protection (WordPress plugin) versions up to 1.0.2 is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
EPSS 0% CVSS 8.2
HIGH POC This Week

OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through multiple parameters. [CVSS 8.2 HIGH]

PHP SQLi Php Oop Cms Blog
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. [CVSS 8.2 HIGH]

PHP SQLi Path Traversal
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection attacks. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Maitra 1.7.2 contains an sql injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in outmail and inmail modules. [CVSS 7.1 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the language parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. [CVSS 8.2 HIGH]

RCE SQLi CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the gid parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. [CVSS 8.2 HIGH]

SQLi File Upload
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. [CVSS 8.2 HIGH]

PHP SQLi CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute arbitrary SQL queries. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to execute arbitrary database queries through the /api/query/sql endpoint due to insufficient authorization checks. Public exploit code exists for this vulnerability, enabling attackers to extract sensitive data or modify the knowledge base contents. No patch is currently available for affected versions.

SQLi Siyuan Suse
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.

SQLi AI / ML Cocoindex
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

RCE SQLi Ghostfolio
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated SQL injection in AVideo before 24.0.

PHP SQLi Avideo
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in DefaultFunction Jeson CRM 1.0.0 allows authenticated attackers to manipulate the ID parameter in /modules/customers/edit.php and execute arbitrary SQL queries, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available despite the identified fix commit hash.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Frappe versions prior to 14.100.1 and 15.100.0 contain a SQL injection vulnerability in an endpoint that allows authenticated attackers to extract sensitive information from the database. An attacker with valid credentials can craft malicious requests to bypass query protections and access confidential data without modifying or disrupting system availability. No patch is currently available for affected deployments.

SQLi Frappe
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in OpenReplay session replay before 1.20.0.

SQLi Openreplay
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in the FreePBX logfiles module allows authenticated attackers to manipulate database queries and potentially extract sensitive data or modify system records. Versions prior to 16.0.10 and 17.0.5 are vulnerable, and attackers with valid FreePBX credentials can exploit this weakness to achieve high-impact unauthorized access to confidential information and system integrity. No patch is currently available for affected deployments.

SQLi Freepbx
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated SQL injection in the FreePBX CDR module (versions before 16.0.49 and 17.0.7) allows authenticated users to execute arbitrary SQL commands and potentially compromise the entire database. An attacker with valid credentials can exploit this vulnerability to read sensitive call records, modify system data, or escalate privileges within the FreePBX system. No patch is currently available, leaving affected installations at high risk until upgrades are deployed.

SQLi Freepbx
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in WordPress Page and Post Clone plugin up to version 6.3 allows authenticated contributors and above to extract sensitive database information through a second-order injection via the meta_key parameter. The vulnerability stems from insufficient input escaping and query preparation in the content_clone() function, with malicious payloads stored as post metadata and executed during the clone operation. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in WP Attractive Donations System WordPress plugin.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Eagle Booking plugin versions 1.3.4.3 and earlier contain an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries over the network. An attacker with user-level privileges can exploit this to extract sensitive data from the database or potentially modify application data, though no patch is currently available.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Essekia Tablesome versions up to 1.2.3 contain a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through improper input sanitization. An attacker with valid credentials can exploit this to extract sensitive data from the database, though no patch is currently available. The vulnerability has a CVSS score of 8.5 and requires network access with low attack complexity.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in Riode Core (riode-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.

WordPress PHP SQLi
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Cisco Secure FMC REST API allows authenticated users with administrative roles to extract sensitive database contents and read operating system files. The vulnerability stems from insufficient input validation on user-supplied requests, requiring valid credentials but posing significant risk to organizations using affected systems. No patch is currently available.

Cisco SQLi
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated SQL injection in Cisco Secure FMC's web management interface allows authenticated attackers to manipulate database queries and extract sensitive data or read operating system files. The vulnerability stems from insufficient input validation on user-supplied requests, requiring valid credentials to exploit. No patch is currently available.

Cisco SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Cisco Secure FMC REST API allows authenticated attackers with administrative privileges to read sensitive database contents and operating system files. The vulnerability stems from insufficient input validation on API endpoints and requires valid credentials (Administrator, Security Approver, Access Admin, or Network Admin roles) to exploit. No patch is currently available.

Cisco SQLi
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. [CVSS 8.2 HIGH]

PHP SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. [CVSS 7.1 HIGH]

SQLi Tradebox
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. [CVSS 8.2 HIGH]

SQLi
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. [CVSS 7.1 HIGH]

PHP SQLi Phpads
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. [CVSS 8.2 HIGH]

SQLi Simplejobscript
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. [CVSS 8.2 HIGH]

PHP SQLi Authentication Bypass +1
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. [CVSS 8.2 HIGH]

SQLi Authentication Bypass Simplejobscript
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in databaseir v.1.0.7 via query parameter. PoC available.

SQLi Databasir
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Code execution via HwRwDrv.sys in Nil Hardware Editor. PoC available.

RCE SQLi Hardware Read Write Utility
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

The JS Help Desk - AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the user supplied values and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The WP-Members Membership Plugin for WordPress through version 3.5.5.1 contains a SQL injection vulnerability in the [wpmem_user_membership_posts] shortcode's 'order_by' parameter due to insufficient input escaping and query preparation. Authenticated attackers with Contributor-level access or higher can exploit this to execute arbitrary SQL queries and extract sensitive database information. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Email Subscribers by Icegram Express WordPress plugin through version 5.9.16 allows authenticated administrators to execute arbitrary database queries via the 'workflow_ids' parameter due to insufficient input escaping. An attacker with admin-level access could exploit this to extract sensitive information from the database. No patch is currently available for this vulnerability.

WordPress SQLi
NVD GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated remote attackers to manipulate the course_code parameter in /admin/class-result.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but can be executed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the roll_no parameter in /admin/student-fee.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but poses a risk to confidentiality, integrity, and availability of student records.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 7.2).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_product.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. [CVSS 8.2 HIGH]

SQLi Impact
NVD
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection in renren-security before v5.5.0 in BaseServiceImpl.java. PoC available.

Java SQLi Renren Security
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Calendar Booking Plugin for Appointments and Event versions up to 5.2.7 is affected by sql injection (CVSS 6.5).

WordPress SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in cancel-order.

PHP SQLi Simple Food Order System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in view-ticket-admin.

PHP SQLi Simple Food Order System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in view-ticket.

PHP SQLi Simple Food Order System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in edit-order.

PHP SQLi Simple Food Order System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Simple Gym Management System v1.0 has SQL injection in trainer search.

PHP SQLi Simple Gym Management System
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

SQLi Privilege Escalation Information Disclosure +2
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated attackers can exploit blind SQL injection in the Contest Gallery WordPress plugin through improperly sanitized email parameters to extract sensitive database information without authentication. Affected versions through 28.1.4 fail to properly escape user input in the 'cgLostPasswordEmail' and 'cgl_mail' parameters, allowing attackers to inject arbitrary SQL commands. No patch is currently available for all vulnerable versions.

WordPress SQLi
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Pharmacy POS has a fifth SQL injection in view_sales.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Pharmacy POS has a fourth SQL injection in view_reports.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Pharmacy POS has a third SQL injection in view_products.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Pharmacy POS has a second SQL injection in view_categories.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in NocoDB versions prior to 0.301.3 allows authenticated users with Creator role to execute arbitrary SQL commands through the DATEADD formula's unit parameter. This high-severity vulnerability enables attackers to compromise data confidentiality, integrity, and system availability with network access and low complexity. No patch is currently available for affected installations.

SQLi Nocodb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Pharmacy Point of Sale System v1.0 has SQL injection in manage endpoints.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Personnel Property Equipment System has a fourth SQL injection.

PHP SQLi Personnel Property Equipment System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Personnel Property Equipment System v1.0 has a third SQL injection.

PHP SQLi Personnel Property Equipment System
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Personnel Property Equipment System v1.0 has a second SQL injection in a different admin endpoint.

PHP SQLi Personnel Property Equipment System
NVD GitHub
Prev Page 21 of 169 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
15171

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy