Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0678 | 2026-01-14 | N/A | 4.9 MEDIUM | ||
|
The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive in ...
Show More |
|||||
| CVE-2023-54340 | 2026-01-14 | N/A | 8.2 HIGH | ||
|
WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands.
|
|||||
| CVE-2023-54333 | 2026-01-14 | N/A | 8.2 HIGH | ||
|
Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents.
|
|||||
| CVE-2025-14770 | 2026-01-14 | N/A | 7.5 HIGH | ||
|
The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
|
|||||
| CVE-2022-50805 | 2026-01-14 | N/A | 8.2 HIGH | ||
|
Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information.
|
|||||
| CVE-2024-54026 | 1 Fortinet | 2 Fortisandbox, Fortisandbox Cloud | 2026-01-14 | N/A | 4.3 MEDIUM |
|
An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
|
|||||
| CVE-2025-58692 | 1 Fortinet | 1 Fortivoice | 2026-01-14 | N/A | 8.8 HIGH |
|
An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.
|
|||||
| CVE-2025-15442 | 1 Crmeb | 1 Crmeb | 2026-01-13 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-41006 | 2026-01-13 | N/A | N/A | ||
|
Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’.
|
|||||
| CVE-2025-67147 | 2026-01-13 | N/A | 9.8 CRITICAL | ||
|
Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate pr ...
Show More |
|||||
| CVE-2025-41004 | 2026-01-13 | N/A | N/A | ||
|
Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.
|
|||||
| CVE-2026-0843 | 2026-01-13 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in an ...
Show More |
|||||
| CVE-2025-41005 | 2026-01-13 | N/A | N/A | ||
|
Imaster's MEMS Events CRM contains an SQL injection vulnerability in‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.
|
|||||
| CVE-2026-0501 | 2026-01-13 | N/A | 9.9 CRITICAL | ||
|
Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.
|
|||||
| CVE-2023-33945 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | N/A | 6.4 MEDIUM |
|
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded.
|
|||||
| CVE-2019-25221 | 1 I13websolution | 1 Responsive Filterable Portfolio | 2026-01-12 | N/A | 6.5 MEDIUM |
|
The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
|
|||||
| CVE-2025-63724 | 1 Radioinorr | 1 Svx Portal | 2026-01-12 | N/A | 6.0 MEDIUM |
|
SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php.
|
|||||
| CVE-2026-0699 | 1 Carmelo | 1 Intern Membership Management System | 2026-01-12 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
|
|||||
| CVE-2026-0700 | 1 Carmelo | 1 Intern Membership Management System | 2026-01-12 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2026-22242 | 1 Coreshop | 1 Coreshop | 2026-01-12 | N/A | 4.9 MEDIUM |
|
CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
|
|||||
| CVE-2026-0606 | 1 Fabian | 1 Online Music Site | 2026-01-12 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
|
|||||
| CVE-2025-65125 | 1 Gosaliajainam | 1 Online-movie-booking | 2026-01-12 | N/A | 9.8 CRITICAL |
|
SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information.
|
|||||
| CVE-2024-56158 | 1 Xwiki | 1 Xwiki | 2026-01-12 | N/A | 9.8 CRITICAL |
|
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
|
|||||
| CVE-2023-34976 | 1 Qnap | 1 Video Station | 2026-01-12 | N/A | 10.0 CRITICAL |
|
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following version:
Video Station 5.7.0 ( 2023/07/27 ) and later
|
|||||
| CVE-2023-34975 | 1 Qnap | 1 Video Station | 2026-01-12 | N/A | 6.6 MEDIUM |
|
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
QuTScloud is not affected.
We have already fixed the vulnerability in the following versions:
QuTS hero h4.5.4.2626 build 20231225 and later
QTS 4.5.4.2627 build 20231225 and later
|
|||||
| CVE-2026-0568 | 1 Fabian | 1 Online Music Site | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
|
A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
|
|||||
| CVE-2026-0569 | 1 Fabian | 1 Online Music Site | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-15168 | 1 Angeljudesuarez | 1 Student Management System | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was identified in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /statistical.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
|
|||||
| CVE-2024-9828 | 1 Taskbuilder | 1 Taskbuilder | 2026-01-09 | N/A | 4.1 MEDIUM |
|
The Taskbuilder WordPress plugin before 3.0.5 does not sanitize user input into the 'load_orders' parameter and uses it in a SQL statement, allowing high privilege users such as admin to perform SQL Injection attacks
|
|||||
| CVE-2025-55343 | 1 Quipux | 1 Quipux | 2026-01-09 | N/A | 9.9 CRITICAL |
|
Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp, Administracion/listas/formArea_ajax.php codDepe, Administracion/listas/formDepeHijo_ajax.php codDepe, Administracion/listas/formDepePadre_ajax.php codInst, asociar_documentos/asociar_borrar_referencia.php radi_nume, asociar_documentos/asociar_documento_buscar_query.php radi_nume, asociar_documentos/asoci ...
Show More |
|||||
| CVE-2025-63585 | 1 Opensource-socialnetwork | 1 Open Source Social Network | 2026-01-09 | N/A | 6.5 MEDIUM |
|
OSSN (Open Source Social Network) 8.6 is vulnerable to SQL Injection in /action/rtcomments/status via the timestamp parameter.
|
|||||
| CVE-2026-0698 | 1 Carmelo | 1 Intern Membership Management System | 2026-01-09 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability has been found in code-projects Intern Membership Management System 1.0. This affects an unknown function of the file /intern/admin/edit_students.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2026-0697 | 1 Carmelo | 1 Intern Membership Management System | 2026-01-09 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
|
|||||
| CVE-2025-13168 | 1 Ury | 1 Ury | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. This manipulation of the argument search_term causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. Upgrading to version 0.2.1 is able to mitigate this issue. Patch name: 063384e0dddfd191847cd2d6524c342cc380b058. It is suggested to upgrade the affected componen ...
Show More |
|||||
| CVE-2026-0590 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was determined in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file /app/checkout/delete.php of the component POST Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2026-0592 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
|
|||||
| CVE-2026-0591 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
|
|||||
| CVE-2026-0584 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A weakness has been identified in code-projects Online Product Reservation System 1.0. This issue affects some unknown processing of the file app/products/left_cart.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
|
|||||
| CVE-2026-0585 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
|
A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
|
|||||
| CVE-2026-0583 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
|
|||||