Export limit exceeded: 18850 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18850 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13809 | 2026-04-15 | 6.5 Medium | ||
| The Hero Slider - WordPress Slider Plugin plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 1.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-4688 | 1 Bgs Interactive | 1 Sinav.link | 2026-04-15 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BGS Interactive SINAV.LINK Exam Result Module allows SQL Injection.This issue affects SINAV.LINK Exam Result Module: before 1.2. | ||||
| CVE-2024-42533 | 2026-04-15 | 9.8 Critical | ||
| SQL injection vulnerability in the authentication module in Convivance StandVoice 4.5 through 6.2 allows remote attackers to execute arbitrary code via the GEST_LOGIN parameter. | ||||
| CVE-2025-7798 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in Beijing Shenzhou Shihan Technology Multimedia Integrated Business Display System up to 8.2. This affects an unknown part of the file /admin/system/structure/getdirectorydata/web/baseinfo/companyManage. The manipulation of the argument Struccture_ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-32323 | 2026-04-15 | 8.1 High | ||
| SQL Injection vulnerability in cnhcit.com Haichang OA v.1.0.0 allows a remote attacker to obtain sensitive information via the if parameter in hcit.project.rte.agents.UploadImages.class. | ||||
| CVE-2019-25431 | 1 Delpino73 | 1 Blue-smiley-organizer | 2026-04-15 | 8.2 High |
| delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through POST requests to extract sensitive data using boolean-based blind and time-based blind techniques, or write files to the server using INTO OUTFILE statements. | ||||
| CVE-2019-25432 | 2 Part-db, Part-db Project | 2 Part-db, Part-db | 2026-04-15 | 7.5 High |
| Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. Attackers can submit a single quote followed by 'or' in the login form to bypass credential validation and gain unauthorized access to the application. | ||||
| CVE-2021-47902 | 1 Testa | 1 Online Test Management System | 2026-04-15 | 8.2 High |
| Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. | ||||
| CVE-2021-47909 | 1 Techraft | 1 Mult-e-cart Ultimate | 2026-04-15 | 8.1 High |
| Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system. | ||||
| CVE-2025-11319 | 1 Nahiduddinahammed | 1 Hospital Management System | 2026-04-15 | 6.3 Medium |
| A weakness has been identified in nahiduddinahammed Hospital-Management-System-Website up to e6562429e14b2f88bd2139cae16e87b965024097. This issue affects some unknown processing of the file /delete.php. This manipulation of the argument ai causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-37777 | 2026-04-15 | 9.8 Critical | ||
| A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands. | ||||
| CVE-2024-10546 | 1 Shanghai Gedan Network Technology | 1 Teaching | 2026-04-15 | 6.3 Medium |
| A vulnerability classified as critical was found in open-scratch Teaching 在线教学平台 up to 2.7. This vulnerability affects unknown code of the file /api/sys/ng-alain/getDictItemsByTable/ of the component URL Handler. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-13673 | 2 Themeum, Wordpress | 2 Tutor Lms – Elearning And Online Course Solution, Wordpress | 2026-04-15 | 7.5 High |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6. | ||||
| CVE-2024-2804 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The Network Summary plugin for WordPress is vulnerable to SQL Injection via the 'category' parameter in all versions up to, and including, 2.0.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-5433 | 1 Fengoffice | 1 Feng Office | 2026-04-15 | 6.3 Medium |
| A vulnerability was found in Fengoffice Feng Office 3.5.1.5 and classified as critical. Affected by this issue is some unknown functionality of the file /index.php?c=account&a=set_timezone. The manipulation of the argument tz_offset leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9150 | 1 Surbowl | 1 Dormitory-management-php | 2026-04-15 | 7.3 High |
| A vulnerability was identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317. Affected is an unknown function of the file /admin/violation_add.php?id=2. Such manipulation of the argument ID leads to sql injection. The attack may be performed from a remote location. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-11025 | 2026-04-15 | 5.4 Medium | ||
| An authenticated attacker with low privileges may use a SQL Injection vulnerability in the affected products administration panel to gain read and write access to a specific log file of the device. | ||||
| CVE-2025-26855 | 2026-04-15 | 9.8 Critical | ||
| A SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands. | ||||
| CVE-2025-9148 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-28145 | 2026-04-15 | 5.9 Medium | ||
| An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are vulnerable. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword. | ||||