Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58448 | 1 Rathena | 1 Rathena | 2025-09-17 | N/A | 9.1 CRITICAL |
|
rAthena is an open-source cross-platform massively multiplayer online role playing game (MMORPG) server. Versions prior to commit 0d89ae0 have a SQL Injection in the PartyBooking component via `WorldName` parameter. Commit 0d89ae0 fixes the issue.
|
|||||
| CVE-2025-10473 | 1 Ruoyi | 1 Ruoyi | 2025-09-17 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This impacts the function filterKeyword of the file /com/ruoyi/common/utils/sql/SqlUtil.java of the component Blacklist Handler. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
|
|||||
| CVE-2025-10405 | 1 Itsourcecode | 1 Baptism Information Management System | 2025-09-17 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was determined in itsourcecode Baptism Information Management System 1.0. Affected is an unknown function of the file /listbaptism.php. This manipulation of the argument bapt_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
|
|||||
| CVE-2025-10479 | 1 Janobe | 1 Online Student File Management System | 2025-09-17 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in SourceCodester Online Student File Management System 1.0. The impacted element is an unknown function of the file /index.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.
|
|||||
| CVE-2025-58453 | 1 Wegia | 1 Wegia | 2025-09-17 | N/A | 8.2 HIGH |
|
WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in WeGIA versions 3.4.10 and prior in the endpoint /WeGIA/html/memorando/exibe_anexo.php, in the id_anexo parameter. This vulnerability allow an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. Version 3.4.11 contains a patch.
|
|||||
| CVE-2025-58454 | 1 Wegia | 1 Wegia | 2025-09-17 | N/A | 8.2 HIGH |
|
WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in WeGIA versions 3.4.10 and prior inthe endpoint /WeGIA/html/memorando/listar_despachos.php, in the id_memorando parameter. This vulnerability allow an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. Version 3.4.11 contains a patch.
|
|||||
| CVE-2025-7894 | 1 Onyx | 1 Onyx | 2025-09-17 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, has been found in Onyx up to 0.29.1. This issue affects the function generate_simple_sql of the file backend/onyx/agents/agent_search/kb_search/nodes/a3_generate_simple_sql.py of the component Chat Interface. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8203 | 1 Jingmen Zeyou | 1 Large File Upload Control | 2025-09-17 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in Jingmen Zeyou Large File Upload Control up to 6.3. Affected is an unknown function of the file /index.jsp. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-13149 | 2025-09-17 | N/A | 9.8 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arma Store Armalife allows SQL Injection.This issue affects Armalife: through 20250916.
NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
|
|||||
| CVE-2025-10439 | 2025-09-17 | N/A | 9.8 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yordam Informatics Yordam Library Automation System allows SQL Injection.This issue affects Yordam Library Automation System: from 21.5 & 21.6 before 21.7.
|
|||||
| CVE-2024-13174 | 2025-09-17 | N/A | 8.6 HIGH | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E1 Informatics Web Application allows SQL Injection.This issue affects Web Application: through 20250916.
NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
|
|||||
| CVE-2024-35305 | 1 Artica | 1 Pandora Fms | 2025-09-16 | N/A | 9.8 CRITICAL |
|
Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777.
|
|||||
| CVE-2023-44091 | 1 Artica | 1 Pandora Fms | 2025-09-16 | N/A | 7.5 HIGH |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows SQL Injection. This ulnerability allowed SQL injections to be made even if authentication failed.This issue affects Pandora FMS: from 700 through <776.
|
|||||
| CVE-2023-44090 | 1 Artica | 1 Pandora Fms | 2025-09-16 | N/A | 6.8 MEDIUM |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through <776.
|
|||||
| CVE-2025-8773 | 1 Dahuatech | 1 Monitoring Platform | 2025-09-16 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability, which was classified as critical, was found in Dinstar Monitoring Platform 甘肃省危险品库监控平台 1.0. Affected is an unknown function of the file /itc/$%7BappPath%7D/login_getPasswordErrorNum.action. The manipulation of the argument userBean.loginName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-12913 | 2025-09-16 | N/A | 8.8 HIGH | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Megatek Communication System Azora Wireless Network Management allows SQL Injection.This issue affects Azora Wireless Network Management: through 20250916.
NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
|
|||||
| CVE-2025-4688 | 2025-09-16 | N/A | 9.8 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BGS Interactive SINAV.LINK Exam Result Module allows SQL Injection.This issue affects SINAV.LINK Exam Result Module: before 1.2.
|
|||||
| CVE-2023-3651 | 1 Digital-ant | 1 Digital Ant | 2025-09-16 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Digital Ant E-Commerce Software allows SQL Injection.This issue affects E-Commerce Software: before 11.
|
|||||
| CVE-2025-25221 | 1 Luxsoft | 1 Luxcal Web Calendar | 2025-09-15 | N/A | 9.8 CRITICAL |
|
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
|
|||||
| CVE-2025-25222 | 1 Luxsoft | 1 Luxcal Web Calendar | 2025-09-15 | N/A | 9.8 CRITICAL |
|
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
|
|||||
| CVE-2025-7102 | 1 Boyuncms Project | 1 Boyuncms | 2025-09-15 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in BoyunCMS up to 1.4.20. It has been declared as critical. This vulnerability affects unknown code of the file application/update/controller/Server.php. The manipulation of the argument phone leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-24323 | 1 Linlinjava | 1 Litemall | 2025-09-15 | N/A | 7.2 HIGH |
|
SQL injection vulnerability in linlinjava litemall v.1.8.0 allows a remote attacker to obtain sensitive information via the nickname, consignee, orderSN, orderStatusArray parameters of the AdminOrdercontroller.java component.
|
|||||
| CVE-2025-9807 | 2025-09-15 | N/A | 7.5 HIGH | ||
|
The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
|
|||||
| CVE-2025-10266 | 2025-09-15 | N/A | 9.8 CRITICAL | ||
|
NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
|
|||||
| CVE-2025-10399 | 2025-09-15 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A weakness has been identified in Korzh EasyQuery up to 7.4.0. This issue affects some unknown processing of the file /api/easyquery/models/nwind/fetch of the component Query Builder UI. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
|
|||||
| CVE-2025-10210 | 1 Chancms | 1 Chancms | 2025-09-15 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-10098 | 1 Phpgurukul | 1 User Management System | 2025-09-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security flaw has been discovered in PHPGurukul User Management System 1.0. Affected is an unknown function of the file /admin/edit-user-profile.php. The manipulation of the argument uid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited.
|
|||||
| CVE-2025-10100 | 1 Oretnom23 | 1 Simple Forum\/discussion System | 2025-09-12 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability was detected in SourceCodester Simple Forum Discussion System 1.0. This impacts an unknown function of the file /admin_class.php?action=login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
|
|||||
| CVE-2025-52085 | 1 Yoosee | 1 Yoosee | 2025-09-12 | N/A | 8.8 HIGH |
|
An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table.
|
|||||
| CVE-2025-9391 | 1 Zhiyou-group | 1 Zhiyou Erp | 2025-09-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. This manipulation of the argument sql causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-8347 | 1 Kehua | 1 Charging Pile Cloud Platform | 2025-09-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-54790 | 1 Humhub | 1 Files | 2025-09-12 | N/A | 6.5 MEDIUM |
|
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.
|
|||||
| CVE-2025-40687 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
|
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via
'mobilenumber', 'teamleadname' and 'teammember' parameters in the endpoint '/ofrs/admin/add-team.php'.
|
|||||
| CVE-2025-40689 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
|
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via
'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'.
|
|||||
| CVE-2025-40690 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
|
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'teamid' parameter in the endpoint '/ofrs/admin/edit-team.php'.
|
|||||
| CVE-2025-40691 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
|
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via
'todate' parameter in the endpoint '/ofrs/admin/bwdates-report-result.php'.
|
|||||
| CVE-2025-40692 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
|
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via
'requestid' parameter in the endpoint '/ofrs/details.php'.
|
|||||
| CVE-2023-6436 | 1 Ekolbilisim | 1 Web Sablonu Yazilimi | 2025-09-12 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215.
|
|||||
| CVE-2025-55472 | 1 Tirreno | 1 Tirreno | 2025-09-11 | N/A | 6.5 MEDIUM |
|
SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. The vulnerability arises due to unsafe handling of user-supplied input in the columns[0][data] parameter, which is directly used in SQL queries without proper validation or parameterization.
|
|||||
| CVE-2025-9758 | 1 Deepakmisal24 | 1 Chemical Inventory Management System | 2025-09-11 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was identified in deepakmisal24 Chemical Inventory Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /inventory_form.php. Such manipulation of the argument chem_name leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
|
|||||