Skip to main content

SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (15171)

EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AIOSEO Plugin Team Broken Link Checker broken-link-checker-seo allows SQL Injection.This issue affects Broken Link Checker: from n/a through <= 1.2.6.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.This issue affects All In One SEO Pack: from n/a through <= 4.9.1.

SQLi
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This vulnerability affects unknown code of the file /controller/api/hotelList.php. This manipulation of the argument pickedHotelName/type causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Hotels Server
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Hotels Server
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

SQL injection in ketr JEPaaS up to version 7.2.8 allows high-privileged remote attackers to manipulate the keyWord argument in the readAllPostil function (/je/postil/postil/readAllPostil), resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the CVSS score of 2.0 reflects the requirement for high-level privileges (PR:H), significantly limiting real-world exploitation scope.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in campcodes Advanced Online Examination System 1.0. This affects an unknown function of the file /query/loginExe.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

PHP SQLi Advanced Online Examination System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in itsourcecode COVID Tracking System 1.0. The impacted element is an unknown function of the file /admin/?page=system_info. Such manipulation of the argument meta_value leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

SQLi Covid Tracking System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in itsourcecode COVID Tracking System 1.0. The affected element is an unknown function of the file /admin/?page=user. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

SQLi Covid Tracking System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in Campcodes Supplier Management System 1.0. This issue affects some unknown processing of the file /admin/view_unit.php. The manipulation of the argument chkId[] leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

PHP SQLi Supplier Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in itsourcecode Student Managemen System 1.0. Affected by this issue is some unknown functionality of the file /advisers.php. Such manipulation of the argument sy leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /addrecord.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This issue affects some unknown processing of the file /admindetail.php?action=edit. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.

PHP SQLi Online Cake Ordering System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown part of the file /cakeshop/product.php. Executing manipulation of the argument Product can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

PHP SQLi Online Cake Ordering System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in itsourcecode Online Cake Ordering System 1.0. Affected by this issue is some unknown functionality of the file /cakeshop/supplier.php. Performing manipulation of the argument supplier results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.

PHP SQLi Online Cake Ordering System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in code-projects Computer Book Store 1.0. Affected is an unknown function of the file /admin_delete.php. This manipulation of the argument bookisbn causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

PHP SQLi Computer Book Store
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in code-projects Student File Management System 1.0. This impacts an unknown function of the file /admin/delete_student.php. The manipulation of the argument stud_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown function of the file /admin/delete_user.php. The manipulation of the argument user_id leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /update_subject.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Simple Attendance Record System 2.0. The affected element is an unknown function of the file /check.php. Performing manipulation of the argument student results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

PHP SQLi Simple Attendance Record System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /admin/save_student.php. Executing manipulation of the argument stud_no can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /uprec.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in itsourcecode Online Pet Shop Management System 1.0. This issue affects some unknown processing of the file /pet1/update_cnp.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

PHP SQLi Online Pet Shop Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. This vulnerability affects unknown code of the file /pet1/addcnp.php. This manipulation of the argument cnpname causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

PHP SQLi Online Pet Shop Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in code-projects Student File Management System 1.0. This issue affects some unknown processing of the file /admin/update_student.php. This manipulation of the argument stud_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/save_user.php. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php. The manipulation of the argument user_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in code-projects Student File Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/login_query.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file login_query.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.

PHP SQLi Student File Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in code-projects Prison Management System 2.0. Impacted is an unknown function of the file /admin/search1.php. The manipulation of the argument keyname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

PHP SQLi Prison Management System
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in code-projects Prison Management System 2.0 allows authenticated remote attackers to execute arbitrary SQL commands via the keyname parameter in /admin/search.php, with publicly available exploit code but limited real-world impact due to authentication requirement and restricted scope (confidentiality only, CVSS 2.1).

PHP SQLi Prison Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /update_program.php. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in itsourcecode Online Pet Shop Management System 1.0. This affects an unknown part of the file /pet1/available.php. Such manipulation of the argument Name leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.

PHP SQLi Online Pet Shop Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=zone. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.

SQLi Covid Tracking System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Covid Tracking System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /update_account.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Advanced Library Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

PHP SQLi Advanced Library Management System
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in haxxorsid Stock-Management-System up to commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the employee_id, id, or admin parameters in model/User.php. The vulnerability has a low CVSS score (2.1) due to limited scope and impact, but carries low but non-zero exploitation probability (EPSS 0.05%). Public exploit code exists and the product is no longer maintained, eliminating vendor-supplied patch availability.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The impacted element is an unknown function of the file /Profilers/SProfile/reg.php. Performing a manipulation of the argument USN results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

PHP SQLi Courseselectionsystem
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function of the file /Profilers/SProfile/login1.php. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

PHP SQLi Courseselectionsystem
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in code-projects Class and Exam Timetable Management 1.0. Affected by this issue is some unknown functionality of the file /preview7.php. This manipulation of the argument course_year_section/semester causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.

PHP SQLi Class And Exam Timetable Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in code-projects Class and Exam Timetable Management 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login. The manipulation of the argument username/password results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.

PHP SQLi Class And Exam Timetable Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The affected element is an unknown function of the file /admin/admin_running.php. This manipulation of the argument pid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

PHP SQLi Retro Basketball Shoes Online Store
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in projectworlds Advanced Library Management System 1.0. This vulnerability affects unknown code of the file /view_book.php. Executing a manipulation of the argument book_id can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi Advanced Library Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_unit.php. Such manipulation of the argument txtunitDetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Supplier Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.

PHP SQLi Supplier Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

A SQL injection vulnerability exists in LangGraph SQLite Checkpoint, an implementation of LangGraph CheckpointSaver for SQLite databases. The vulnerability affects versions 3.0.0 and below of the langgraph-checkpoint-sqlite Python package, allowing attackers with local access and low privileges to manipulate SQL queries through unvalidated metadata filter keys in checkpoint search operations. A proof-of-concept exploit is publicly available, though the EPSS score of 0.02% (6th percentile) suggests minimal active exploitation in the wild currently.

SQLi Langgraph Checkpoint Sqlite
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in itsourcecode Student Management System 1.0. This affects an unknown part of the file /new_grade.php. This manipulation of the argument grade causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /promote.php. The manipulation of the argument sy results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection.This issue affects Media Library Tools: from n/a through <= 1.6.15.

SQLi
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.3.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection.This issue affects Accordion Slider PRO: from n/a through <= 1.2.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection.This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.

WordPress SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7.

SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated SQL injection in Talent Software UNIS versions prior to 42321 allows remote attackers to manipulate backend database queries over the network without any authentication or user interaction. The vulnerability carries a CVSS 9.8 rating reflecting full compromise potential across confidentiality, integrity, and availability, and was reported by Turkey's national CSIRT (USOM), though no public exploit code or CISA KEV listing has been identified at time of analysis.

SQLi
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

SQL injection in Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL queries via the get_dashboard_data endpoint. Unsafe concatenation of user-controlled parameters into dynamic SQL statements enables data exfiltration and database manipulation. Publicly available exploit code exists. With CVSS 8.6 (Network/Low Complexity/Low Privilege Required), this represents a high-severity risk for organizations running the affected version, though no active exploitation (CISA KEV) has been confirmed.

SQLi Helpdesk
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

PHP SQLi Employee Profile Management System
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.

PHP SQLi Patients Waiting Area Queue Management System
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument cat_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /newsubject.php. The manipulation of the argument sub leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /newrecord.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /newcurriculm.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in code-projects Online Ordering System 1.0. This affects an unknown function of the file /admin/ of the component Admin Login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in code-projects Online Ordering System 1.0. The impacted element is an unknown function of the file /user_contact.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in code-projects Online Ordering System 1.0. The affected element is an unknown function of the file /user_school.php. The manipulation of the argument product_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in code-projects Simple Shopping Cart 1.0. Impacted is an unknown function of the file /adminlogin.php. The manipulation of the argument admin_username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was determined in code-projects Simple Shopping Cart 1.0. This issue affects some unknown processing of the file /Admin/additems.php. Executing manipulation of the argument item_name can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in code-projects Simple Shopping Cart 1.0. This vulnerability affects unknown code of the file /Customers/settings.php. Performing manipulation of the argument user_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was detected in code-projects Daily Time Recording System 4.5.0. The impacted element is an unknown function of the file /admin/add_payroll.php. Performing manipulation of the argument detail_Id results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument fname leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Other parameters might be affected as well.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.

SQLi Vitalsesp
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.

SQLi Vitalsesp
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability has been found in code-projects Simple Leave Manager 1.0. Affected by this vulnerability is an unknown functionality of the file /request.php. Such manipulation of the argument staff_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A flaw has been found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file /print_personnel_report.php. This manipulation of the argument per_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security flaw has been discovered in code-projects Currency Exchange System 1.0. The affected element is an unknown function of the file /editotheraccount.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.

Microsoft PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was identified in code-projects Currency Exchange System 1.0. Impacted is an unknown function of the file /edittrns.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

Microsoft PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was determined in code-projects Currency Exchange System 1.0. This issue affects some unknown processing of the file /viewserial.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Microsoft PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in code-projects Currency Exchange System 1.0. This vulnerability affects unknown code of the file /edit.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

Microsoft PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in itsourcecode Student Information System 1.0. This affects an unknown part of the file /section_edit1.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /member_search.php. Executing a manipulation of the argument roll_number can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /delete_book.php. Performing a manipulation of the argument book_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /delete_member.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A weakness has been identified in Campcodes School File Management System 1.0. This impacts an unknown function of the file /update_query.php. This manipulation of the argument stud_id causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

PHP SQLi
NVD GitHub VulDB
Prev Page 29 of 169 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
15171

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy