SQL Injection
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.
How It Works
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.
Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.
Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.
Impact
- Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
- Authentication bypass — logging in as any user without knowing passwords
- Data manipulation — unauthorized modification or deletion of critical records
- Privilege escalation — granting administrative rights to attacker-controlled accounts
- Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
- Lateral movement — using compromised database credentials to access other connected systems
Real-World Examples
FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.
E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.
Mitigation
- Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
- Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
- Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
- Least privilege database accounts — applications should use credentials with minimal necessary permissions
- Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
- Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts
Recent CVEs (15167)
SQL injection in itsourcecode Online House Rental System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter of the /ajax.php?action=login endpoint to inject arbitrary SQL. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), increasing the practical risk despite the application's limited deployment footprint. No CISA KEV listing is present, so this represents publicly available exploit code without confirmed active exploitation.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'hospital' parameter in /admin/campsdetails.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the practical risk despite the application being a relatively niche PHP-based healthcare management product. No CISA KEV listing or EPSS score is provided in the source intelligence, so widespread automated exploitation is not confirmed.
SQL injection in itsourcecode Online Blood Bank Management System 1.0 allows remote unauthenticated attackers to manipulate the 'ID' parameter on /admin/viewrequest.php to inject arbitrary SQL into backend database queries. Publicly available exploit code exists per VulDB, raising the practical risk despite the moderate CVSS 7.3 score. No CISA KEV listing or EPSS data was provided, so widespread automated exploitation cannot be confirmed at this time.
SQL injection in SOPlanning 1.55 and earlier allows authenticated low-privileged users to inject arbitrary SQL commands across multiple endpoints and parameters, potentially leading to full database compromise. The flaw was reported by CERT Polska and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.
SQL injection in SourceCodester Water Billing Management System 1.0 exposes the User Management Module to database manipulation by authenticated administrators via the ID parameter at /admin/?page=user/manage_user. A publicly available proof-of-concept exploit exists per the CVSS E:P supplemental metric and a researcher's GitHub advisory. Despite network reachability, practical impact is low across confidentiality, integrity, and availability, and exploitation is gated behind high administrative privileges, earning a CVSS 4.0 base score of 2.0.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes authenticated remote attackers a direct path to database manipulation through the unsanitized `txt_search_category` parameter in `/Ingredients-Stock/stock_manager.php`. The CVSS vector (PR:L) confirms that low-privilege authentication is required, partially limiting exposure, but a publicly available proof-of-concept on GitHub significantly lowers the exploitation barrier. No confirmed active exploitation (CISA KEV) has been reported; however, the combination of low complexity, network accessibility, and public exploit code makes this a realistic threat against any internet-facing deployment where attacker credential acquisition is feasible.
SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the 'role' parameter in add_user_check.php to inject arbitrary SQL queries. Publicly available exploit code exists per VulDB disclosure, and the project (a rolling-release GitHub repository) has not responded to the reporter's issue, leaving deployments unpatched. CVSS 7.3 with low complexity and no privileges required makes this an attractive low-effort target despite the limited deployment footprint of this open-source educational project.
SQL injection in raisulislamg4's Student Management System (PHP) allows remote unauthenticated attackers to manipulate database queries via the user_id, course_id, teacher_id, student_id, or application_id parameters in delete.php. Publicly available exploit code exists, and the project operates on a rolling release model with no formal versioning, complicating patch tracking. The maintainer has been notified but has not responded, leaving deployments exposed.
SQL injection in raisulislamg4's PHP-based Student Management System allows remote unauthenticated attackers to manipulate the Username parameter in login_check.php to inject arbitrary SQL. Publicly available exploit code exists per the GitHub issue tracker, and the project follows a rolling-release model with no fixed version available. The vendor was notified early but has not responded, leaving deployments unpatched.
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.
SQL injection in code-projects Online Hospital Management System 1.0 exposes backend database contents via the `editid` parameter in `appointmentdetail.php`. A low-privilege authenticated attacker can remotely manipulate SQL queries to read, modify, or corrupt patient and appointment records. A proof-of-concept exploit is publicly available per the GitHub reference, raising the likelihood of opportunistic exploitation against internet-facing deployments of this PHP application.
SQL injection in code-projects Online Hospital Management System 1.php enables remote unauthenticated attackers to manipulate the Username parameter sent to the login_user function in login_1.php, allowing arbitrary SQL query execution against the backend database. Publicly available exploit code exists (published on GitHub by researcher Mi0uno), increasing the likelihood of opportunistic exploitation, though the CVE is not listed in CISA KEV and EPSS data is not provided. Per CVSS, exploitation requires no authentication or user interaction and impacts confidentiality, integrity, and availability at a low level (CVSS 7.3).
SQL injection in OFCMS 1.1.3 enables authenticated remote attackers to manipulate database queries through the JSON Query Interface exposed in SysUserController.java. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and the CVE description), raising the practical risk above what the low CVSS 4.0 score of 2.1 implies. The project maintainers were notified via a Gitee issue report but have not responded, meaning no vendor patch exists at time of analysis - defenders must rely entirely on compensating controls.
SQL injection in OFCMS 1.1.3's JSON Query Interface allows authenticated remote attackers to manipulate database queries via the `Query` function in `SystemParamController.java`. A public proof-of-concept exploit has been released (CVSS E:P confirmed), while the vendor has not responded to the responsible disclosure report, leaving the vulnerability unpatched. The CVSS 4.0 score of 2.1 reflects low-privilege authentication requirements and limited blast radius, but the existence of public exploit code and the absence of any vendor patch elevates practical concern for deployments with internet-exposed admin interfaces.
SQL injection in OFCMS 1.1.3 allows remote low-privileged attackers to manipulate database queries through the Query function of SystemDictController.java's JSON Query Interface. Attackers with a valid low-privilege account can send crafted input to this endpoint to read, modify, or partially disrupt data within the application's database scope. No public exploit identified at time of analysis beyond publicly available proof-of-concept code; the project maintainer has not responded to the responsible disclosure filed via Gitee issue, leaving the vulnerability unpatched.
SQL injection in OFCMS versions up to 1.1.3 allows remote low-privileged attackers to inject arbitrary SQL through the `system.user.query` argument within the `ComnController.Query` function, achieving partial compromise of confidentiality, integrity, and availability against the underlying database. Publicly available exploit code exists - referenced via Gitee issue IJLFCA - elevating practical risk above what the moderate CVSS base score of 6.3 alone suggests. No vendor patch has been released; the project maintainer has not responded to the responsible disclosure report, leaving all 1.1.3-and-below deployments unmitigated.
SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.
SQL injection in OpenCATS 0.9.1a and later allows authenticated attackers to execute arbitrary SQL queries against the backend database by abusing DataGrid filter handling on the Candidates module's Tags column. The flaw bypasses the application's column filterable restrictions, enabling data theft or modification of the recruitment platform's stored candidate records. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.
SQL injection in Aider-AI Aider 0.86.3's Code Generation Workflow component allows authenticated remote attackers with low privileges to manipulate internal SQL queries, resulting in partial compromise of confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists via GitHub issue #5077, raising near-term exploitation risk despite the medium CVSS score of 6.3. The vendor has not yet responded to the responsible disclosure and no patch has been released, leaving users without an official remediation path.
SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.
SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.
SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in the GEO my WP WordPress plugin (versions ≤4.5.5) allows unauthenticated remote attackers to append arbitrary SQL via the 'swlatlng' and 'nelatlng' query-string parameters, enabling extraction of sensitive database contents. The flaw stems from reading parameters directly from $_SERVER['QUERY_STRING'] with parse_str(), bypassing WordPress's wp_magic_quotes sanitization. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but exploitation requires only a public page hosting the Posts Locator results shortcode.
SQL injection in sambitraj's Student Management System 1.0 exposes the login page to unauthenticated remote exploitation via a crafted email parameter, enabling attackers to manipulate backend database queries. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special conditions are required for exploitation. A public proof-of-concept exploit exists via a published GitHub issue, and the vendor has not responded to responsible disclosure - no patch is available at time of analysis.
SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.
Union-based SQL injection in eZ Publish Legacy's dfscleanup.php script allows a local authenticated attacker with sufficient privileges to extract sensitive data, including user credentials, from the underlying MySQL database. The flaw resides in the `_getFileList` function of the `eZDFSFileHandlerMySQLiBackend` class and is permanently unpatched because all branches of the project have reached end of life. No public exploit identified at time of analysis, though a detailed researcher write-up exists on GitHub.
SQL injection in agno 2.6.5's ClickHouse vector database backend allows authenticated attackers to inject arbitrary SQL via metadata keys and values passed to delete_by_metadata(). The flaw stems from unsafe f-string interpolation in clickhousedb.py and enables row deletion, targeted data tampering, and information extraction through error-based or blind SQLi. No public exploit identified at time of analysis, but a vendor patch (PR #7883) is available and the issue was disclosed by VulnCheck.
SQL Injection in Bolt CMS through version 3.7.0 exposes sensitive database contents to any authenticated low-privilege user via the unsanitized 'order' parameter on content listing pages. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms network-exploitable, low-complexity access requiring only a low-privileged account, with full confidentiality impact but no integrity or availability impact - placing this squarely in the data-exfiltration threat category. No public exploit confirmed at time of analysis, and no vendor-released patch has been identified from available data.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in FreePBX CDR Reports module prior to versions 16.0.50 and 17.0.11 allows authenticated users with CDR section access to execute arbitrary SQL queries via the order and sort POST parameters. The flaw requires a valid Administration Control Panel account but not full administrator privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV. The CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact against the call detail records database.
SQL Injection in the Frontend Admin by DynamiApps WordPress plugin (all versions through 3.28.28) allows authenticated administrators to extract arbitrary data from the WordPress database via the 'order' parameter in the payments list view. The vulnerability stems from unsanitized concatenation of user-supplied input into a raw SQL query, reachable only when a valid 'orderby' parameter is also present in the same request. No public exploit has been identified at time of analysis, and the high privilege requirement (administrator-level) substantially limits the realistic attacker pool, keeping this a medium-severity, low-urgency finding despite the AV:N classification.
Authenticated SQL injection in Mautic's API contact filtering allows API users to execute arbitrary SQL by abusing insufficient recursive sanitization of nested query parameters. The flaw (CWE-89) yields full read access to database contents and partial availability impact, but requires valid API credentials (PR:L). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.
Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
SQL injection in Symfony's PdoAdapter cache component allows any caller who can influence the `$prefix` argument to `AbstractAdapterTrait::clear()` to inject arbitrary SQL into a DELETE statement, potentially deleting unintended rows from the cache table or reshaping query semantics. Affected versions span symfony/cache across four maintained branches: below 5.4.52, 6.x below 6.4.40, 7.x below 7.4.12, and 8.x below 8.0.12. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, but vendor-released patches are available across all affected branches.
Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.
Unauthenticated SQL injection in Pi.Alert (a WiFi/LAN intruder detection and web-service monitoring tool by leiweibau) lets remote attackers manipulate backend database queries through the public devices.php endpoint. The flaw affects builds from 2024-06-29 up to the 2026-05-07 fix, and the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms it is trivially reachable over the network with no authentication or user interaction, while the high-confidentiality / no-integrity / no-availability impact (VC:H/VI:N/VA:N) indicates the primary risk is database disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided in the source data.
SQL injection in uzy-ssm-mall v1.1.0 exposes sensitive database information to unauthenticated remote attackers via unsanitized input passed through the ProductMapper.xml MyBatis mapper and OrderUtil.java components. The vulnerability requires no authentication or user interaction, making it trivially automatable according to the SSVC framework. No public exploit identified at time of analysis, and EPSS sits at 0.04% (12th percentile), indicating low current exploitation pressure despite the permissive attack surface.
Authentication bypass via SQL injection in OpenRapid RapidCMS v1.3.1 allows unauthenticated remote attackers to manipulate the application's authentication logic by injecting crafted SQL payloads into the `name` cookie parameter processed by the `/template/default/menu.php` component. The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N) score reflects trivial remote exploitability with no prior authentication required, though the confidentiality and integrity impacts are rated Low and availability is unaffected. A public researcher writeup is linked in references, suggesting exploit techniques are documented, but no confirmed active exploitation (CISA KEV) has been recorded and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation activity at time of analysis.
PHP object injection in Pimcore (packages pimcore/pimcore and admin-ui-classic-bundle) up to and including version 12.3.6 arises from six code paths calling unserialize() without the allowed_classes restriction on values read from database columns and filesystem files. An attacker who can already write to one of those sources - for example through SQL injection into the tmp_store, sites, or custom_layouts tables, or a file write to the WebDAV delete log - can plant a serialized PHP gadget chain that executes arbitrary code with web-server privileges once the data is deserialized. No public exploit identified at time of analysis (the vendor advisory documents only a conceptual PoC procedure), the CVE is not in CISA KEV, and EPSS is not provided; the issue is fixed in 12.3.7 and rated CVSS 8.0, with the High attack-complexity reflecting its dependence on a separate write primitive and a working gadget chain.
Blind SQL injection in the WordPress plugin Duplicate Page and Post (by Arjun Thakur) through version 2.9.5 lets authenticated low-privilege users inject crafted SQL into a database query, enabling extraction of arbitrary database contents including WordPress user hashes and secrets. The CVSS:3.1 base score is 8.5 with a changed scope, reflecting impact beyond the plugin into the shared WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through the Patchstack research program.
Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and including 1.0.9) allows remote unauthenticated attackers to inject SQL into backend database queries and infer sensitive data through boolean or time-based responses. The CVSS 3.1 vector (PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope (S:C) reflects that compromise of the WordPress database can affect the entire site beyond the plugin itself. There is no public exploit identified at time of analysis, and no KEV listing or EPSS score was provided.
Unauthenticated blind SQL injection in the RealMag777 TableOn (posts-table-filterable) WordPress plugin through version 1.0.5.1 lets remote attackers inject crafted SQL into backend queries without credentials or user interaction. Because the CVSS scope is marked changed (S:C) with high confidentiality impact, a successful attack can read data beyond the vulnerable component, including the WordPress database. No public exploit is identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no current sign of widespread exploitation despite the 9.3 base score.
Blind SQL injection in the Easy Form Builder WordPress plugin (by hassantafreshi), affecting all versions up to and including 4.0.6, lets remote unauthenticated attackers inject crafted SQL into backend database queries. With a CVSS of 9.3 and a scope-changed vector, a successful attack can read sensitive data across the database and impact availability. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 9th percentile), indicating no observed mass exploitation yet despite the high severity rating.
Blind SQL injection in the Tainacan WordPress plugin (versions up to and including 1.0.3) lets remote unauthenticated attackers inject crafted SQL into backend database queries. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope plus high confidentiality impact drive the 9.3 score. There is no public exploit identified at the time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and unauthenticated reach make it a high-priority patch candidate.
Blind SQL injection in the Stylemix MasterStudy LMS WordPress plugin (all versions through 3.7.29) lets authenticated low-privilege users inject crafted SQL into a backend database query, enabling extraction of arbitrary database contents including user credentials and configuration secrets. The CVSS 8.5 (scope-changed) rating reflects that a successful injection can reach data beyond the plugin's own scope, i.e. the entire shared WordPress database. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 9th percentile), but the network-reachable, low-complexity nature of the flaw makes it a meaningful risk for sites that grant accounts to students or instructors.
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and including 1.0.8) lets remote attackers inject SQL commands via an unsanitized parameter to read arbitrary data from the WordPress/WooCommerce database. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with a changed scope, meaning the injection reaches the backend database beyond the plugin component itself. There is no public exploit identified at time of analysis and no EPSS score was provided, so probability of exploitation cannot be quantified from the available data.
Unauthenticated SQL injection in mbCONNECT24 and the related MB connect line / Helmholz remote-maintenance portals (myREX24V2, myREX24V2.virtual, mymbCONNECT24) version 2.20.0 and earlier lets a remote attacker reach the getAccountData function and inject crafted input into its SQL SELECT statement. Because authentication is not required, an attacker can read arbitrary database contents, resulting in total loss of confidentiality, though integrity and availability are unaffected. There is no public exploit identified at time of analysis and EPSS is very low (0.05%, 15th percentile), so widespread opportunistic exploitation has not yet materialized despite the high CVSS 4.0 base score of 8.7.
SQL injection in the mbCONNECT24 and myREX24V2 industrial remote-access portals (all variants at or below version 2.20.0) lets a low-privileged remote attacker read arbitrary database contents through the user_alarmprofile view, which fails to neutralize special characters in a SQL SELECT statement (CWE-89). Reported to CERT@VDE and tracked as VDE-2026-044/EUVD-2026-32148, the flaw causes total loss of confidentiality but does not affect integrity or availability. There is no public exploit identified at time of analysis, and EPSS scores it at the 11th percentile (0.03%).
SQL injection in the tag view of MB connect line's mbCONNECT24 and myREX24 remote-maintenance platforms (all variants through 2.20.0) lets a remote attacker manipulate a SQL SELECT statement to read arbitrary database contents, yielding a total loss of confidentiality (VC:H, with no integrity or availability impact). The CVSS 4.0 vector requires low privileges (PR:L), yet the description labels the flaw 'unauthenticated' - a discrepancy defenders should resolve against the vendor advisory before scoping risk. No public exploit is identified at time of analysis, EPSS is very low (0.03%, 11th percentile), and CISA's SSVC framework marks current exploitation as none.
SQL injection in the system_tag view of the mbCONNECT24 family of industrial remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) versions 0.0.0 through 2.20.0 lets a remote attacker manipulate a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 7.1, VC:H). The CVSS vector indicates a low-privileged account is required (PR:L), though the description text describes the flaw as 'unauthenticated' - this discrepancy should be verified with the vendor. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), consistent with CISA SSVC scoring exploitation as 'none.'
SQL injection in MB connect line's mbCONNECT24/myREX24V2 industrial remote-maintenance portals (all versions up to and including 2.20.0) lets a low-privileged authenticated user read arbitrary database contents through the 'system view', where special characters are not neutralized inside a SQL SELECT command, yielding a total loss of confidentiality (CVSS 4.0 base 7.1). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; EPSS is very low at 0.03% (11th percentile), indicating limited near-term mass-exploitation likelihood. The flaw was reported by CERT@VDE and is tracked under advisory VDE-2026-044 and ENISA EUVD-2026-32145. Note the description calls it 'unauthenticated' while the CVSS vector specifies PR:L (low-privileged), a discrepancy that should be resolved with the vendor.
SQL injection in the devices_configuration view of MB connect line / Red Lion mbCONNECT24 and myREX24V2 remote-maintenance platforms (versions up to and including 2.20.0) lets a low-privileged remote user read arbitrary database contents. The CVSS 4.0 vector scores it 7.1 with high confidentiality impact and no integrity or availability impact, while EPSS rates exploitation probability at only 0.03% (11th percentile). No public exploit is identified at time of analysis and the issue is not in CISA KEV.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 15167