Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2620 | 2026-02-18 | 7.5 HIGH | 7.3 HIGH | ||
|
A weakness has been identified in Huace Monitoring and Early Warning System 2.2. Affected by this issue is some unknown functionality of the file /Web/SysManage/ProjectRole.aspx. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2026-1317 | 2026-02-18 | N/A | 6.5 MEDIUM | ||
|
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious ...
Show More |
|||||
| CVE-2026-2576 | 2026-02-18 | N/A | 7.5 HIGH | ||
|
The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'payment' parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from t ...
Show More |
|||||
| CVE-2025-59920 | 2026-02-18 | N/A | N/A | ||
|
When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query d ...
Show More |
|||||
| CVE-2025-70311 | 1 Huayi-tec | 1 Jeewms | 2026-02-18 | N/A | 6.5 MEDIUM |
|
JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack.
|
|||||
| CVE-2024-6308 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was found in itsourcecode Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file index.php. The manipulation of the argument username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269620.
|
|||||
| CVE-2025-69213 | 1 Devcode | 1 Openstamanager | 2026-02-18 | N/A | 8.8 HIGH |
|
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.
|
|||||
| CVE-2025-69215 | 1 Devcode | 1 Openstamanager | 2026-02-18 | N/A | 8.8 HIGH |
|
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists.
|
|||||
| CVE-2020-36645 | 1 Squareup | 1 Squalor | 2026-02-18 | 5.2 MEDIUM | 5.5 MEDIUM |
|
A vulnerability, which was classified as critical, was found in square squalor. This affects an unknown part. The manipulation leads to sql injection. Upgrading to version v0.0.0 is able to address this issue. The patch is named f6f0a47cc344711042eb0970cb423e6950ba3f93. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217623.
|
|||||
| CVE-2026-1701 | 1 Itsourcecode | 1 School Management System | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
|
A security vulnerability has been detected in itsourcecode School Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Due to contradicting product definitions in the original disclosure, this CVE was initially incorrectly assigned to the Student Management System.
|
|||||
| CVE-2026-21643 | 1 Fortinet | 1 Forticlientems | 2026-02-17 | N/A | 9.8 CRITICAL |
|
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
|
|||||
| CVE-2026-2058 | 1 Vishalmathur | 1 Cloudclassroom-php-project | 2026-02-17 | 7.5 HIGH | 7.3 HIGH |
|
A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affect ...
Show More |
|||||
| CVE-2025-62192 | 1 Groupsession | 1 Groupsession | 2026-02-17 | N/A | 5.4 MEDIUM |
|
SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user.
|
|||||
| CVE-2026-24854 | 1 Churchcrm | 1 Churchcrm | 2026-02-17 | N/A | 8.8 HIGH |
|
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.
|
|||||
| CVE-2023-1211 | 1 Phpipam | 1 Phpipam | 2026-02-16 | N/A | 7.2 HIGH |
|
SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.
|
|||||
| CVE-2025-59213 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2026-02-13 | N/A | 8.8 HIGH |
|
Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges over an adjacent network.
|
|||||
| CVE-2024-51962 | 1 Esri | 1 Arcgis Server | 2026-02-13 | N/A | 8.7 HIGH |
|
A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.
|
|||||
| CVE-2026-1688 | 1 Clive 21 | 1 Directory Management System | 2026-02-13 | 7.5 HIGH | 7.3 HIGH |
|
A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
|
|||||
| CVE-2020-37053 | 1 Naviwebs | 1 Navigate Cms | 2026-02-13 | N/A | 7.1 HIGH |
|
Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts.
|
|||||
| CVE-2019-25335 | 2026-02-13 | N/A | 7.5 HIGH | ||
|
PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface.
|
|||||
| CVE-2019-25320 | 2026-02-13 | N/A | 6.5 MEDIUM | ||
|
E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain unauthorized access to the system.
|
|||||
| CVE-2019-25325 | 2026-02-13 | N/A | 8.2 HIGH | ||
|
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.
|
|||||
| CVE-2025-59473 | 1 Expressionengine | 1 Expressionengine | 2026-02-13 | N/A | 7.2 HIGH |
|
SQL Injection vulnerability in the Structure for Admin authenticated user
|
|||||
| CVE-2024-43468 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2026-02-13 | N/A | 9.8 CRITICAL |
|
Microsoft Configuration Manager Remote Code Execution Vulnerability
|
|||||
| CVE-2025-13379 | 1 Ibm | 1 Aspera Console | 2026-02-12 | N/A | 8.6 HIGH |
|
IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
|
|||||
| CVE-2020-37112 | 1 Gunet | 1 Open Eclass Platform | 2026-02-12 | N/A | 7.1 HIGH |
|
GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques.
|
|||||
| CVE-2025-64092 | 1 Zenitel | 4 Icx500, Icx500 Firmware, Icx510 and 1 more | 2026-02-12 | N/A | 7.5 HIGH |
|
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
|
|||||
| CVE-2025-10878 | 1 Omran | 1 Fikir Odalari Adminpando | 2026-02-12 | N/A | 10.0 CRITICAL |
|
A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
|
|||||
| CVE-2026-2073 | 1 Itsourcecode | 1 School Management System | 2026-02-12 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2026-2083 | 1 Code-projects | 1 Social Networking Site | 2026-02-12 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
|
|||||
| CVE-2026-2059 | 1 Bontrofftech | 1 Medical Center Portal Management System | 2026-02-12 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2026-1602 | 1 Ivanti | 1 Endpoint Manager | 2026-02-12 | N/A | 6.5 MEDIUM |
|
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
|
|||||
| CVE-2025-10969 | 2026-02-12 | N/A | 9.8 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection.This issue affects E-Commerce Package: through 27112025.
|
|||||
| CVE-2025-39474 | 1 Thememove | 1 Amely | 2026-02-11 | N/A | 9.3 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Amely allows SQL Injection. This issue affects Amely: from n/a through 3.1.4.
|
|||||
| CVE-2021-47918 | 1 Simplephpscripts | 1 Simple Cms Php | 2026-02-11 | N/A | 8.1 HIGH |
|
Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application.
|
|||||
| CVE-2021-47915 | 1 Phpsugar | 1 Php Melody | 2026-02-11 | N/A | 8.1 HIGH |
|
PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated 'vid' parameter to execute arbitrary database queries and potentially compromise the web application and database management system.
|
|||||
| CVE-2025-63624 | 1 Sdkede | 2 Iot Smart Water Meter, Iot Smart Water Meter Firmware | 2026-02-11 | N/A | 9.8 CRITICAL |
|
SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file.
|
|||||
| CVE-2025-52025 | 1 Aptsys | 1 Gemscms Backend | 2026-02-11 | N/A | 9.4 CRITICAL |
|
An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification.
|
|||||
| CVE-2026-2060 | 1 Fabian | 1 Simple Blood Donor Management System | 2026-02-11 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
|
|||||
| CVE-2025-69662 | 1 Geopandas | 1 Geopandas | 2026-02-11 | N/A | 8.6 HIGH |
|
SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.
|
|||||