Total
17301 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-36545 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2025-12-16 | 9.8 Critical |
| Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /patient/settings.php. | ||||
| CVE-2022-36544 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2025-12-16 | 9.8 Critical |
| Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /patient/booking.php. | ||||
| CVE-2022-36543 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2025-12-16 | 9.8 Critical |
| Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /patient/doctors.php. | ||||
| CVE-2025-68054 | 1 Wordpress | 1 Wordpress | 2025-12-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown With Image or Video Background countdown_with_background allows Blind SQL Injection.This issue affects CountDown With Image or Video Background: from n/a through <= 1.5. | ||||
| CVE-2025-14537 | 2 Code-projects, Fabian | 2 Class And Exam Timetable Management, Class And Exam Timetable Management System | 2025-12-16 | 7.3 High |
| A weakness has been identified in code-projects Class and Exam Timetable Management 1.0. Affected by this issue is some unknown functionality of the file /preview7.php. This manipulation of the argument course_year_section/semester causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-14536 | 2 Code-projects, Fabian | 2 Class And Exam Timetable Management, Class And Exam Timetable Management System | 2025-12-16 | 7.3 High |
| A security flaw has been discovered in code-projects Class and Exam Timetable Management 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login. The manipulation of the argument username/password results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-14529 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2025-12-16 | 7.3 High |
| A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The affected element is an unknown function of the file /admin/admin_running.php. This manipulation of the argument pid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-14515 | 1 Campcodes | 1 Supplier Management System | 2025-12-16 | 7.3 High |
| A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_unit.php. Such manipulation of the argument txtunitDetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-14514 | 1 Campcodes | 1 Supplier Management System | 2025-12-16 | 7.3 High |
| A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2023-34991 | 1 Fortinet | 1 Fortiwlm | 2025-12-16 | 9.3 Critical |
| A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.0 through 8.4.2 and 8.3.0 through 8.3.2 and 8.2.2 allows attacker to execute unauthorized code or commands via a crafted http request. | ||||
| CVE-2024-31445 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-12-16 | 8.8 High |
| Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. | ||||
| CVE-2025-55703 | 1 Sunbirddcim | 1 Power Iq | 2025-12-16 | 2.5 Low |
| An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This can allow attackers to manipulate SQL queries. This has been addressed in Power IQ version 9.2.1, where the API call code was updated to ensure safe handling of input values. | ||||
| CVE-2023-38913 | 1 Anirbandutta9 | 1 News-buzz | 2025-12-16 | 5.3 Medium |
| SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script. | ||||
| CVE-2023-53877 | 1 Phpjabbers | 1 Bus Reservation System | 2025-12-16 | N/A |
| Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal information from the database. | ||||
| CVE-2025-67751 | 1 Churchcrm | 1 Churchcrm | 2025-12-16 | 7.2 High |
| ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue. | ||||
| CVE-2025-68053 | 1 Wordpress | 1 Wordpress | 2025-12-16 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.This issue affects xPromoter: from n/a through <= 1.3.4. | ||||
| CVE-2025-67962 | 2 Aioseo, Wordpress | 2 Broken Link Checker, Wordpress | 2025-12-16 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AIOSEO Plugin Team Broken Link Checker broken-link-checker-seo allows SQL Injection.This issue affects Broken Link Checker: from n/a through <= 1.2.6. | ||||
| CVE-2025-67999 | 2 Stefanno Lissa, Wordpress | 2 Newsletter, Wordpress | 2025-12-16 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection.This issue affects Newsletter: from n/a through <= 9.0.9. | ||||
| CVE-2025-68055 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2025-12-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.32. | ||||
| CVE-2024-58309 | 1 Xbtitfm | 1 Xbtitfm | 2025-12-16 | N/A |
| xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database. | ||||