Total: 18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-26696 | 1 Carmelo | 1 Simple Student Alumni System | 2026-03-03 | N/A | 9.8 CRITICAL | code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordteacher_edit.php. |
| CVE-2026-3057 | 1 A54552239 | 1 Pearprojectapi | 2026-03-03 | 6.5 MEDIUM | 6.3 MEDIUM | A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-2682 | 1 Unigroup | 1 Electronic Archives System | 2026-03-03 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such manipulation of the argument comid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-26713 | 1 Carmelo | 1 Simple Food Order System | 2026-03-03 | N/A | 9.8 CRITICAL | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php. |
| CVE-2026-26712 | 1 Carmelo | 1 Simple Food Order System | 2026-03-03 | N/A | 9.8 CRITICAL | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php. |
| CVE-2026-26711 | 1 Carmelo | 1 Simple Food Order System | 2026-03-03 | N/A | 9.8 CRITICAL | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php. |
| CVE-2026-26710 | 1 Carmelo | 1 Simple Food Order System | 2026-03-03 | N/A | 9.8 CRITICAL | code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/edit-orders.php. |
| CVE-2026-26708 | 1 Oretnom23 | 1 Pharmacy Point Of Sale System | 2026-03-03 | N/A | 9.8 CRITICAL | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php. |
| CVE-2026-26704 | 1 Oretnom23 | 1 Pharmacy Point Of Sale System | 2026-03-03 | N/A | 9.8 CRITICAL | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_category.php. |
| CVE-2026-26705 | 1 Oretnom23 | 1 Pharmacy Point Of Sale System | 2026-03-03 | N/A | 9.8 CRITICAL | sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_product.php. |
| CVE-2026-28226 | 1 Phishing.club | 1 Phishing Club | 2026-03-03 | N/A | 6.5 MEDIUM | Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions ... |
| CVE-2025-11165 | 1 Dotcms | 1 Dotcms | 2026-03-03 | N/A | 9.9 CRITICAL | A sandbox escape vulnerability exists in dotCMS's Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine's runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections. Once these restrictions are cleared, the attacker can access arbi ... |
| CVE-2019-25490 | | | 2026-03-02 | N/A | 8.2 HIGH | Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-based SQL injection payloads to extract sensitive database information. |
| CVE-2026-28516 | | | 2026-03-02 | N/A | N/A | openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database. |
| CVE-2025-15498 | | | 2026-03-02 | N/A | N/A | Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from the vendor the exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later. |
| CVE-2025-13673 | | | 2026-03-02 | N/A | 7.5 HIGH | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This ... |
| CVE-2019-25494 | | | 2026-03-02 | N/A | 8.2 HIGH | Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel. |
| CVE-2026-2751 | | | 2026-03-02 | N/A | 8.3 HIGH | Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24. |
| CVE-2019-25493 | | | 2026-03-02 | N/A | 8.2 HIGH | Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information. |
| CVE-2019-25491 | | | 2026-03-02 | N/A | 8.2 HIGH | Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information. |
| CVE-2019-25492 | | | 2026-03-02 | N/A | 8.2 HIGH | Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information. |
| CVE-2019-25489 | | | 2026-03-02 | N/A | 8.2 HIGH | Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service. |
| CVE-2026-2584 | | | 2026-03-02 | N/A | N/A | A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the ... |
| CVE-2025-12462 | | | 2026-03-02 | N/A | N/A | A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into the URL path, resulting in Blind SQL Injection. This issue was fixed in versions above 8.0. |
| CVE-2025-30062 | | | 2026-03-02 | N/A | N/A | In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection. |
| CVE-2026-3180 | | | 2026-03-02 | N/A | 7.5 HIGH | The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the 'cgLostPasswordEmail' and the 'cgl_mail' parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to ex ... |
| CVE-2025-10350 | | | 2026-03-02 | N/A | N/A | SQL Injection vulnerability in the "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows an attacker connected to the PACS to gain access to the database, including data processed by CGM CLININET software. This issue affects CGM NETRAAD with the imageserver module in versions before 7.9.0. |
| CVE-2026-27149 | 1 Discourse | 1 Discourse | 2026-03-02 | N/A | 6.5 MEDIUM | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available. |
| CVE-2026-22206 | 1 Spip | 1 Spip | 2026-03-02 | N/A | 8.8 HIGH | SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server. |
| CVE-2026-26186 | 1 Fleetdm | 1 Fleet | 2026-03-02 | N/A | 8.8 HIGH | Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause, specially crafted input could escape identifier quoting and be interpreted as executable SQL. An authenticated attacker with access to the affected endpoint could inject SQL expressions into the underlying MySQL query. ... |
| CVE-2026-3287 | 1 Youlai | 1 Youlai-mall | 2026-03-02 | 6.5 MEDIUM | 6.3 MEDIUM | A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the component App-side Product Pagination Endpoint. Performing a manipulation of the argument sortField/sort results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early ... |
| CVE-2026-27747 | 1 Spip | 1 Interface Traduction Objets | 2026-03-02 | N/A | 8.8 HIGH | The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_p ... |
| CVE-2022-50895 | 1 Aerocms Project | 1 Aerocms | 2026-03-02 | N/A | 9.8 CRITICAL | Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system. |
| CVE-2019-25461 | 1 Web-ofisi | 1 Ticaret | 2026-03-02 | N/A | 7.5 HIGH | Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers can send POST requests to the ajax/productsFilterSearch endpoint with malicious 'q' values using time-based blind SQL injection techniques to extract sensitive database information. |
| CVE-2019-25460 | 1 Web-ofisi | 1 Platinum E-ticaret | 2026-03-02 | N/A | 7.5 HIGH | Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' GET parameter. Attackers can send requests to the arama endpoint with malicious 'q' values using time-based SQL injection techniques to extract sensitive database information. |
| CVE-2019-25459 | 1 Web-ofisi | 1 Emlak | 2026-03-02 | N/A | 9.8 CRITICAL | Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into parameters like emlak_durumu, emlak_tipi, il, ilce, kelime, and semt to extract sensitive database information or perform time-based blind SQL injection attacks. |
| CVE-2019-25458 | 1 Web-ofisi | 1 Firma Rehberi | 2026-03-02 | N/A | 9.8 CRITICAL | Web Ofisi Firma Rehberi v1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can send requests to with malicious payloads in the 'il', 'kat', or 'kelime' parameters to extract sensitive database information or perform time-based blind SQL injection attacks. |
| CVE-2019-25457 | 1 Web-ofisi | 1 Firma | 2026-03-02 | N/A | 7.5 HIGH | Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. Attackers can send GET requests to category pages with malicious 'oz[]' values using time-based blind SQL injection payloads to extract sensitive database information. |
| CVE-2019-25456 | 1 Web-ofisi | 1 Emlak | 2026-03-02 | N/A | 9.1 CRITICAL | Web Ofisi Emlak v2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'ara' GET parameter. Attackers can send requests to with time-based SQL injection payloads to extract sensitive database information or cause denial of service. |
| CVE-2019-25455 | 1 Web-ofisi | 1 E-ticaret | 2026-03-02 | N/A | 7.5 HIGH | Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests to with malicious 'a' parameter values to extract sensitive database information. |