Total: 18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-28785 | | | 2026-03-06 | N/A | N/A | Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0. |
| CVE-2026-27005 | | | 2026-03-06 | N/A | N/A | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3. |
| CVE-2026-28501 | | | 2026-03-06 | N/A | 9.8 CRITICAL | WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has b ... |
| CVE-2025-48650 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.4 HIGH | In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-48544 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.8 HIGH | In multiple locations, there is a possible way to read files belonging to other apps due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-3616 | | | 2026-03-06 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modules/customers/edit.php. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The patch is named f0e991870e9d33701cca3a1d0fd4eec135af01a6. It is suggested to install a patch to address this issue. |
| CVE-2019-25501 | 1 Simplejobscript | 1 Simplejobscript | 2026-03-05 | N/A | 8.2 HIGH | Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. Attackers can send POST requests to delete_application_ajax.php with crafted payloads to extract sensitive data, bypass authentication, or modify database contents. |
| CVE-2021-35484 | 1 Nokia | 1 Impact | 2026-03-05 | N/A | 8.2 HIGH | Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information. |
| CVE-2026-26892 | 1 Oretnom23 | 1 Simple Logistic Hub Parcel's Management System | 2026-03-05 | N/A | 7.2 HIGH | Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_carrier.php. |
| CVE-2025-70821 | 1 Renren | 1 Renren-security | 2026-03-05 | N/A | 9.8 CRITICAL | renren-security before v5.5.0 is vulnerable to SQL Injection in the BaseServiceImpl.java component. |
| CVE-2026-29081 | | | 2026-03-05 | N/A | 6.5 MEDIUM | Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0. |
| CVE-2026-28443 | | | 2026-03-05 | N/A | N/A | OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0. |
| CVE-2026-2122 | 1 Xiaopi | 1 Panel | 2026-03-05 | 6.5 MEDIUM | 6.3 MEDIUM | A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-14710 | 1 Fantasticlbp | 1 Hotels Server | 2026-03-05 | 7.5 HIGH | 7.3 HIGH | A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted ea ... |
| CVE-2025-14711 | 1 Fantasticlbp | 1 Hotels Server | 2026-03-05 | 7.5 HIGH | 7.3 HIGH | A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This vulnerability affects unknown code of the file /controller/api/hotelList.php. This manipulation of the argument pickedHotelName/type causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did n ... |
| CVE-2019-25505 | | | 2026-03-05 | N/A | 7.1 HIGH | Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthly_deposit endpoint with malicious symbol values using boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information. |
| CVE-2019-25499 | | | 2026-03-05 | N/A | 8.2 HIGH | Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. Attackers can send POST requests to get_job_applications_ajax.php with malicious job_id values to bypass authentication, extract sensitive data, or modify database contents. |
| CVE-2019-25500 | | | 2026-03-05 | N/A | 8.2 HIGH | Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endpoint with time-based SQL injection payloads to extract sensitive data or modify database contents. |
| CVE-2019-25507 | | | 2026-03-05 | N/A | 8.2 HIGH | Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Attackers can send GET requests to index.php with malicious 'shop' values using UNION-based SQL injection to extract sensitive database information. |
| CVE-2019-25498 | | | 2026-03-05 | N/A | 8.2 HIGH | Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authentication and extract sensitive database information. |
| CVE-2019-25506 | | | 2026-03-05 | N/A | 8.2 HIGH | FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function. |
| CVE-2026-20003 | | | 2026-03-05 | N/A | 4.9 MEDIUM | A vulnerability in the REST API of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inadequate validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests to an affected device. A successful exploit could allow the attacker to obtain read access to the database and read certain files on the underlying operating system. To exploit this vuln ... |
| CVE-2026-20001 | | | 2026-03-05 | N/A | 6.5 MEDIUM | A vulnerability in the REST API of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inadequate validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests to an affected device. A successful exploit could allow the attacker to obtain read access to the database and read certain files on the underlying operating system. To exploit this vuln ... |
| CVE-2026-20002 | | | 2026-03-05 | N/A | 8.1 HIGH | A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inadequate validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests to an affected device. A successful exploit could allow the attacker to obtain full access to the database and read certain files on the underlying operating system ... |
| CVE-2019-25503 | | | 2026-03-05 | N/A | 7.1 HIGH | PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name. |
| CVE-2019-25504 | | | 2026-03-05 | N/A | 8.2 HIGH | NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can send POST requests to the agents Find-Jobs endpoint with malicious experience values to extract sensitive database information. |
| CVE-2025-69338 | | | 2026-03-05 | N/A | 9.3 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Riode Core riode-core allows Blind SQL Injection. This issue affects Riode Core: from n/a through <= 1.6.26. |
| CVE-2026-3523 | | | 2026-03-05 | N/A | 4.9 MEDIUM | The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `\|\|` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protec ... |
| CVE-2026-27428 | | | 2026-03-05 | N/A | N/A | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eagle-Themes Eagle Booking eagle-booking allows SQL Injection. This issue affects Eagle Booking: from n/a through <= 1.3.4.3. |
| CVE-2026-27373 | | | 2026-03-05 | N/A | N/A | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Essekia Tablesome tablesome allows Blind SQL Injection. This issue affects Tablesome: from n/a through <= 1.2.3. |
| CVE-2026-28284 | | | 2026-03-05 | N/A | N/A | FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5. |
| CVE-2026-28210 | | | 2026-03-05 | N/A | N/A | FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, the FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7. |
| CVE-2026-28115 | | | 2026-03-05 | N/A | 9.3 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Blind SQL Injection. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. |
| CVE-2026-2893 | | | 2026-03-05 | N/A | 6.5 MEDIUM | The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensiti ... |
| CVE-2026-26709 | | | 2026-03-05 | N/A | 9.8 CRITICAL | code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection in /gym/trainer_search.php. |
| CVE-2026-26695 | 1 Carmelo | 1 Simple Student Alumni System | 2026-03-05 | N/A | 9.8 CRITICAL | code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php. |
| CVE-2025-66944 | | | 2026-03-05 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in vran-dev databaseir v.1.0.7 and before allows a remote attacker to execute arbitrary code via the query parameter in the search API endpoint. |
| CVE-2026-28562 | 1 Gvectors | 1 Wpforo Forum | 2026-03-05 | N/A | 8.2 HIGH | wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database. |
| CVE-2025-66678 | | | 2026-03-05 | N/A | 9.8 CRITICAL | An issue in the HwRwDrv.sys component of Nil Hardware Editor Hardware Read & Write Utility v1.25.11.26 and earlier allows attackers to execute arbitrary read and write operations via a crafted request. |
| CVE-2026-3487 | 1 Angeljudesuarez | 1 College Management System | 2026-03-05 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Performing a manipulation of the argument course_code results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. |