Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-29881 | 1 Phpok | 1 Phpok | 2025-06-13 | N/A | 6.5 MEDIUM |
|
phpok 6.4.003 is vulnerable to SQL injection in the function index_f() in phpok64/framework/api/call_control.php.
|
|||||
| CVE-2024-40560 | 1 Project Team | 1 Tmall Demo | 2025-06-13 | N/A | 7.3 HIGH |
|
Tmall_demo before v2024.07.03 was discovered to contain a SQL injection vulnerability.
|
|||||
| CVE-2025-25426 | 1 Guchengwuyue | 1 Yshopmall | 2025-06-12 | N/A | 7.2 HIGH |
|
yshopmall <=v1.9.0 is vulnerable to SQL Injection in the image listing interface.
|
|||||
| CVE-2025-26047 | 1 Olajowon | 1 Loggrove | 2025-06-12 | N/A | 5.1 MEDIUM |
|
Loggrove v1.0 is vulnerable to SQL Injection in the read.py file.
|
|||||
| CVE-2025-45240 | 1 Qianfox | 1 Foxcms | 2025-06-12 | N/A | 6.5 MEDIUM |
|
foxcms v1.2.5 was discovered to contain a SQL injection vulnerability via the executeCommand method in DataBackup.php.
|
|||||
| CVE-2025-44073 | 1 Seacms | 1 Seacms | 2025-06-12 | N/A | 9.8 CRITICAL |
|
SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php.
|
|||||
| CVE-2024-11269 | 1 Mitchelllevy | 1 Ahathat | 2025-06-12 | N/A | 7.2 HIGH |
|
The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.
|
|||||
| CVE-2024-11267 | 1 Joomlaserviceprovider | 1 Jsp Store Locator | 2025-06-12 | N/A | 8.8 HIGH |
|
The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing user with Contributor to perform SQL injection attacks.
|
|||||
| CVE-2025-47785 | 1 Emlog | 1 Emlog | 2025-06-12 | N/A | 8.3 HIGH |
|
Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this will cause SQL injection to occur when the registered site is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. As of time of publication, it ...
Show More |
|||||
| CVE-2025-2203 | 1 Funnelkit | 1 Funnel Builder | 2025-06-12 | N/A | 6.1 MEDIUM |
|
The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
|
|||||
| CVE-2024-9879 | 1 Melapress | 1 Melapress File Monitor | 2025-06-12 | N/A | 5.4 MEDIUM |
|
The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
|
|||||
| CVE-2024-9838 | 1 Flamescorpion | 1 Auto Affiliate Links | 2025-06-12 | N/A | 5.4 MEDIUM |
|
The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
|
|||||
| CVE-2024-9831 | 1 Taskbuilder | 1 Taskbuilder | 2025-06-12 | N/A | 7.2 HIGH |
|
The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
|
|||||
| CVE-2025-4863 | 1 Advayasoftech | 1 Gems Erp Portal | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, was found in Advaya Softech GEMS ERP Portal 2.1. This affects an unknown part of the file /studentLogin/studentLogin.action. The manipulation of the argument userId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-4940 | 1 1000projects | 1 Daily College Class Work Report Book | 2025-06-12 | 7.5 HIGH | 7.3 HIGH |
|
A vulnerability, which was classified as critical, has been found in 1000 Projects Daily College Class Work Report Book 1.0. This issue affects some unknown processing of the file /admin_info.php. The manipulation of the argument batch leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-26086 | 1 Rsiqueue | 1 Management System | 2025-06-12 | N/A | 7.5 HIGH |
|
An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication.
|
|||||
| CVE-2025-5857 | 1 Fabianros | 1 Patient Record Management System | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in code-projects Patient Record Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /urinalysis_record.php. The manipulation of the argument itr_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-32888 | 2025-06-12 | N/A | 10.0 CRITICAL | ||
|
The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code which has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default, ex ...
Show More |
|||||
| CVE-2025-31920 | 2025-06-12 | N/A | 8.5 HIGH | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech WP Guppy allows SQL Injection. This issue affects WP Guppy: from n/a through 4.3.3.
|
|||||
| CVE-2025-47651 | 2025-06-12 | N/A | 8.5 HIGH | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection. This issue affects Infility Global: from n/a through 2.12.4.
|
|||||
| CVE-2025-48141 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alex Zaytseff Multi CryptoCurrency Payments allows SQL Injection. This issue affects Multi CryptoCurrency Payments: from n/a through 2.0.3.
|
|||||
| CVE-2025-47608 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection. This issue affects Recover abandoned cart for WooCommerce: from n/a through 2.5.
|
|||||
| CVE-2025-31059 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in woobewoo WBW Product Table PRO allows SQL Injection. This issue affects WBW Product Table PRO: from n/a through 2.1.3.
|
|||||
| CVE-2025-48281 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer allows Blind SQL Injection. This issue affects MyStyle Custom Product Designer: from n/a through 3.21.1.
|
|||||
| CVE-2025-48122 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows SQL Injection. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
|
|||||
| CVE-2025-24767 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturaone TicketBAI Facturas para WooCommerce allows Blind SQL Injection. This issue affects TicketBAI Facturas para WooCommerce: from n/a through 3.19.
|
|||||
| CVE-2025-31424 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through 2.3.
|
|||||
| CVE-2025-32466 | 2025-06-12 | N/A | N/A | ||
|
A SQL injection vulnerability in RSMediaGallery! component 1.7.4 - 2.1.7 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript code into text fields or other input points, which is subsequently executed in the browser of any user who clicks on the crafted text in the dashboard.
|
|||||
| CVE-2024-25308 | 1 Code-projects | 1 Simple School Management System | 2025-06-12 | N/A | 8.8 HIGH |
|
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'name' parameter at School/teacher_login.php.
|
|||||
| CVE-2024-24029 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-06-12 | N/A | 9.8 CRITICAL |
|
JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
|
|||||
| CVE-2024-24013 | 1 Xxyopen | 1 Novel-plus | 2025-06-12 | N/A | 9.8 CRITICAL |
|
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/pay/list
|
|||||
| CVE-2025-46052 | 1 Weberp | 1 Weberp | 2025-06-12 | N/A | 9.8 CRITICAL |
|
An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL command and extract sensitive data by injecting a crafted payload into the DEL form field in a POST request to /StockCounts.php
|
|||||
| CVE-2025-46053 | 1 Weberp | 1 Weberp | 2025-06-12 | N/A | 5.1 MEDIUM |
|
A SQL Injection vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the ReportID and ReplaceReportID parameters within a POST request to /reportwriter/admin/ReportCreator.php
|
|||||
| CVE-2025-4541 | 1 Lmxcms | 1 Lmxcms | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in LmxCMS 1.41. Affected is the function manageZt of the file c\admin\ZtAction.class.php of the component POST Request Handler. The manipulation of the argument sortid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-25064 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 8.8 HIGH |
|
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
|
|||||
| CVE-2024-25722 | 1 Qanything | 1 Qanything | 2025-06-11 | N/A | 9.8 CRITICAL |
|
qanything_kernel/connector/database/mysql/mysql_client.py in qanything.ai QAnything before 1.2.0 allows SQL Injection.
|
|||||
| CVE-2024-10009 | 1 Melapress | 1 Melapress File Monitor | 2025-06-11 | N/A | 4.1 MEDIUM |
|
The Melapress File Monitor WordPress plugin before 2.1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
|
|||||
| CVE-2023-6030 | 1 Deryckoe | 1 Logdash Activity Log | 2025-06-11 | N/A | 5.4 MEDIUM |
|
The LogDash Activity Log WordPress plugin before 1.1.4 hooks the wp_login_failed function (from src/Hooks/Users.php) in order to log failed login attempts to the database but it doesn't escape the username when it perform some SQL request leading to a SQL injection vulnerability which can be exploited using time-based technique by unauthenticated attacker
|
|||||
| CVE-2023-6373 | 1 Artplacer | 1 Artplacer Widget | 2025-06-11 | N/A | 8.8 HIGH |
|
The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor (or above)
|
|||||
| CVE-2023-48793 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2025-06-11 | N/A | 9.8 CRITICAL |
|
Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
|
|||||