Total
18765 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25203 | 1 Wecodex | 1 Online Store System Cms | 2026-03-27 | 8.2 High |
| Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information. | ||||
| CVE-2026-4876 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-03-27 | 6.3 Medium |
| A vulnerability was identified in itsourcecode Free Hotel Reservation System 1.0. The impacted element is an unknown function of the file /admin/mod_amenities/index.php?view=editpic. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | ||||
| CVE-2025-55262 | 2 Hcl, Hcltech | 2 Aftermarket Dpc, Aftermarket Cloud | 2026-03-27 | 8.3 High |
| HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database. | ||||
| CVE-2019-25578 | 2 Codnloc, Phptransformer | 2 Phptransformer, Phptransformer | 2026-03-27 | 8.2 High |
| phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries. | ||||
| CVE-2026-4324 | 1 Redhat | 4 Satellite, Satellite Capsule, Satellite Maintenance and 1 more | 2026-03-27 | 5.4 Medium |
| A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database. | ||||
| CVE-2018-25202 | 1 Wecodex | 1 Sat Cfdi | 2026-03-27 | 8.2 High |
| SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application. | ||||
| CVE-2018-25205 | 1 Mediasoftpro | 1 Asp.net Jvideo Kit | 2026-03-27 | 8.2 High |
| ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive database information using boolean-based blind or error-based techniques. | ||||
| CVE-2018-25207 | 1 Hscripts | 1 Online Quiz Maker | 2026-03-27 | 7.1 High |
| Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication. | ||||
| CVE-2018-25209 | 1 Sourceforge | 1 Openbiz Cubi Lite | 2026-03-27 | 8.2 High |
| OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract sensitive database information or bypass authentication. | ||||
| CVE-2026-33539 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-26 | 7.2 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53. | ||||
| CVE-2026-4839 | 1 Sourcecodester | 1 Food Ordering System | 2026-03-26 | 7.3 High |
| A vulnerability has been found in SourceCodester Food Ordering System 1.0. This affects an unknown function of the file /purchase.php of the component Parameter Handler. The manipulation of the argument custom leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-30655 | 1 Esiclivre | 1 Esiclivre | 2026-03-26 | 6.5 Medium |
| SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and earlier allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php | ||||
| CVE-2026-32534 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-03-26 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.3. | ||||
| CVE-2026-32539 | 2 Publishpress, Wordpress | 2 Publishpress Revisions, Wordpress | 2026-03-26 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection.This issue affects PublishPress Revisions: from n/a through <= 3.7.23. | ||||
| CVE-2026-4836 | 1 Code-projects | 1 Accounting System | 2026-03-26 | 6.3 Medium |
| A vulnerability was detected in code-projects Accounting System 1.0. The affected element is an unknown function of the file /my_account/delete.php. Performing a manipulation of the argument cos_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2026-4841 | 1 Code-projects | 1 Online Food Ordering System | 2026-03-26 | 7.3 High |
| A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file form/cart.php of the component Shopping Cart Module. Executing a manipulation of the argument del can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2025-4764 | 1 Aida | 1 Hotel Guest Hotspot | 2026-03-26 | 8 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection.This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-23921 | 1 Zabbix | 1 Zabbix | 2026-03-26 | N/A |
| A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise. | ||||
| CVE-2026-33352 | 1 Wwbn | 1 Avideo | 2026-03-25 | 9.8 Critical |
| WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a backslash escape technique to shift SQL string boundaries. The parameter is not covered by any of the application's global input filters in `objects/security.php`. Version 26.0 contains a patch for the issue. | ||||
| CVE-2026-33485 | 1 Wwbn | 1 Avideo | 2026-03-25 | 7.5 High |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyExists()` — without parameterized binding or escaping. An unauthenticated attacker can exploit time-based blind SQL injection to extract all database contents including user password hashes, email addresses, and other sensitive data. Commit af59eade82de645b20183cc3d74467a7eac76549 contains a patch. | ||||