SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (4639)

CVE-2025-4508
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul e-Diary Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi E Diary Management System
NVD GitHub VulDB
CVE-2025-4507
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in Campcodes Online Food Ordering System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Food Ordering System
NVD GitHub VulDB
CVE-2025-4506
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in Campcodes Online Food Ordering System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Food Ordering System
NVD GitHub VulDB
CVE-2025-4505
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Apartment Visitors Management System
NVD GitHub VulDB
CVE-2025-4504
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in SourceCodester Online College Library System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online College Library System
NVD GitHub VulDB
CVE-2025-4503
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Sales And Inventory System
NVD GitHub VulDB
CVE-2025-4502
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Sales And Inventory System
NVD GitHub VulDB
CVE-2025-4492
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Campcodes Online Food Ordering System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Food Ordering System
NVD GitHub VulDB
CVE-2025-4491
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in Campcodes Online Food Ordering System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Food Ordering System
NVD GitHub VulDB
CVE-2025-4490
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in Campcodes Online Food Ordering System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Food Ordering System
NVD GitHub VulDB
CVE-2025-4489
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in Campcodes Online Food Ordering System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Food Ordering System
NVD GitHub VulDB
CVE-2025-4488
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4487
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4486
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in itsourcecode Gym Management System 1.0 and classified as critical.php?action=delete_plan. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4485
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in itsourcecode Gym Management System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4484
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability, which was classified as critical, was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4483
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4482
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A vulnerability classified as critical was found in Project Worlds Student Project Allocation System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Student Project Allocation System
NVD GitHub VulDB
CVE-2025-4481
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in SourceCodester Apartment Visitor Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Apartment Visitor Management System
NVD GitHub VulDB
CVE-2025-46192
EPSS 0% CVSS 9.8
CRITICAL Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_payment_update.php via the order_id POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVE-2025-46190
EPSS 0% CVSS 9.8
CRITICAL Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_delivery_update.php via the order_id POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVE-2025-46189
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_order_customer_update.php via the order_id POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVE-2025-46188
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in superadmin_phpmyadmin.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVE-2025-45885
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

PHPGURUKUL Vehicle Parking Management System v1.13 is vulnerable to SQL injection in the /vpms/users/login.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vehicle Parking Management System
NVD GitHub
CVE-2025-4467
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Student Clearance System
NVD GitHub VulDB
CVE-2025-4466
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4465
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in itsourcecode Gym Management System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4464
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in itsourcecode Gym Management System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4463
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4459
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in code-projects Patient Record Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Patient Record Management System
NVD GitHub VulDB
CVE-2025-4458
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in code-projects Patient Record Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Patient Record Management System
NVD GitHub VulDB
CVE-2025-4457
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in Project Worlds Car Rental Project 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Car Rental Project
NVD GitHub VulDB
CVE-2025-4456
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in Project Worlds Car Rental Project 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Car Rental Project
NVD GitHub VulDB
CVE-2025-45820
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/bibliography/pop_author_edit.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Senayan Library Management System Bulian
NVD GitHub
CVE-2025-45819
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/author.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Senayan Library Management System Bulian
NVD GitHub
CVE-2025-45818
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Slims (Senayan Library Management Systems) 9 Bulian 9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/item_status.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Senayan Library Management System Bulian
NVD GitHub
CVE-2025-46828
EPSS 1% CVSS 10.0
CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP SQLi Authentication Bypass +1
NVD GitHub
CVE-2025-47657
EPSS 0% CVSS 9.3
CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce allows SQL Injection.1.22. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-47643
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX Product Feed for WooCommerce allows SQL Injection.1.2. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-47587
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows Blind SQL Injection.6.4. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-47544
EPSS 0% CVSS 7.2
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce allows Blind SQL Injection.5.8. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVE-2025-47538
EPSS 0% CVSS 7.2
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdever Cart tracking for WooCommerce allows SQL Injection.0.17. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVE-2025-47537
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in add-ons.org PDF Invoices for WooCommerce + Drag and Drop Template Builder allows SQL. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-47490
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rustaurius Ultimate WP Mail allows SQL Injection.3.4. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVE-2025-47460
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TrackShip TrackShip for WooCommerce allows SQL Injection.9.1. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-29153
EPSS 0% CVSS 5.4
MEDIUM POC This Month

SQL Injection vulnerability in lemeconsultoria HCM galera.app v.4.58.0 allows an attacker to execute arbitrary code via the Data export, filters functions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SQLi Galera
NVD
CVE-2025-0668
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS.4.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Boinc Server
NVD
CVE-2025-0853
EPSS 0% CVSS 7.5
HIGH This Week

The PGS Core plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'save_header_builder' function in all versions up to, and including, 5.8.0 due to insufficient. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVE-2025-44073
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD GitHub
CVE-2025-4363
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0.php?action=end_membership. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4362
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4361
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Company Visitor Management System 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Company Visitor Management System
NVD GitHub VulDB
CVE-2025-4360
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4359
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in itsourcecode Gym Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVE-2025-4358
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Company Visitor Management System 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Company Visitor Management System
NVD GitHub VulDB
CVE-2025-4353
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Brilliance Golden Link Secondary System up to 20250424. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Golden Link Secondary System
NVD GitHub VulDB
CVE-2025-4352
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Brilliance Golden Link Secondary System up to 20250424.htm. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Golden Link Secondary System
NVD GitHub VulDB
CVE-2025-40624
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Gim
NVD
CVE-2025-40623
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Gim Android
NVD
CVE-2025-40622
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Gim
NVD
CVE-2025-40621
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Gim
NVD
CVE-2025-40620
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Gim
NVD
CVE-2025-2011
EPSS 52% CVSS 7.5
HIGH POC THREAT Act Now

The Depicter Slider & Popup Builder WordPress plugin through version 3.6.1 contains an unauthenticated SQL injection via the 's' search parameter. The insufficient escaping allows attackers to append additional SQL queries, extracting the entire WordPress database without authentication.

WordPress SQLi PHP
NVD GitHub Exploit-DB
CVE-2025-4332
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Company Visitor Management System 2.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Company Visitor Management System
NVD GitHub VulDB
CVE-2025-4331
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Online Student Clearance System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Student Clearance System
NVD GitHub VulDB
CVE-2025-4314
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability has been found in SourceCodester Advanced Web Store 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Advanced Web Store
NVD GitHub VulDB
CVE-2025-4313
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in SourceCodester Advanced Web Store 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Advanced Web Store
NVD GitHub VulDB
CVE-2025-4312
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in SourceCodester Advanced Web Store 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Advanced Web Store
NVD GitHub VulDB
CVE-2025-4311
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in itsourcecode Content Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Content Management System
NVD GitHub VulDB
CVE-2025-4309
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Art Gallery Management System
NVD GitHub VulDB
CVE-2025-4308
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Art Gallery Management System
NVD GitHub VulDB
CVE-2025-4307
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Art Gallery Management System
NVD GitHub VulDB
CVE-2025-4306
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0 and classified as critical.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Nipah Virus Testing Management System
NVD GitHub VulDB
CVE-2025-4304
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Cyber Cafe Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cyber Cafe Management System
NVD GitHub VulDB
CVE-2025-4303
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Human Metapneumovirus Testing Management System
NVD GitHub VulDB
CVE-2025-4301
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in itsourcecode Content Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Content Management System
NVD GitHub VulDB
CVE-2025-4300
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in itsourcecode Content Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Content Management System
NVD GitHub VulDB
CVE-2025-4297
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Men Salon Management System 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Men Salon Management System
NVD GitHub VulDB
CVE-2025-44074
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_topic.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD GitHub
CVE-2025-44072
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD GitHub
CVE-2025-4283
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as critical.php?f=login. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Stock Management System
NVD GitHub VulDB
CVE-2025-45240
EPSS 0% CVSS 6.5
MEDIUM POC This Month

foxcms v1.2.5 was discovered to contain a SQL injection vulnerability via the executeCommand method in DataBackup.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Foxcms
NVD GitHub
CVE-2025-45322
EPSS 0% CVSS 8.8
HIGH POC This Week

kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in osms/Requester/CheckStatus.php via the checkid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Service Management Portal
NVD GitHub
CVE-2025-45321
EPSS 0% CVSS 8.8
HIGH POC This Week

kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in /osms/Requester/Requesterchangepass.php via the parameter: rPassword. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Service Management Portal
NVD GitHub
CVE-2025-26241
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Osticket
NVD
CVE-2025-4267
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in SourceCodester/oretnom23 Stock Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Stock Management System
NVD GitHub VulDB
CVE-2025-4266
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Notice Board System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Notice Board System
NVD GitHub VulDB
CVE-2025-4265
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Emergency Ambulance Hiring Portal
NVD GitHub VulDB
CVE-2025-4264
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Emergency Ambulance Hiring Portal
NVD GitHub VulDB
CVE-2025-4263
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Online DJ Booking Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Dj Booking Management System
NVD GitHub VulDB
Prev Page 37 of 52 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4639

Related CWEs

MITRE ATT&CK

References

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy