Export limit exceeded: 18932 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18932 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65103 | 1 Devcode | 1 Openstamanager | 2026-04-15 | 8.8 High |
| OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5. | ||||
| CVE-2024-6748 | 2026-04-15 | 8.3 High | ||
| Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. | ||||
| CVE-2025-4686 | 1 Kodmatic | 1 Online Exam And Assessment | 2026-04-15 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection.This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-45757 | 2026-04-15 | 7.2 High | ||
| An issue was discovered in Centreon centreon-bam 24.04, 23.10, 23.04, and 22.10. SQL injection can occur in the user-settings form. Exploitation is only accessible to authenticated users with high-privileged access. | ||||
| CVE-2024-44541 | 1 Evilnapsis | 1 Inventio-lite | 2026-04-15 | 9.8 Critical |
| evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin." | ||||
| CVE-2024-6456 | 1 Aveva | 1 Historian | 2026-04-15 | N/A |
| AVEVA Historian Server has a vulnerability, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL. | ||||
| CVE-2025-4510 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in Changjietong UFIDA CRM 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /optnty/optntyday.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-35630 | 2026-04-15 | 7.6 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LJ Apps WP TripAdvisor Review Slider allows Blind SQL Injection.This issue affects WP TripAdvisor Review Slider: from n/a through 12.6. | ||||
| CVE-2025-8311 | 1 Dotcms | 1 Dotcms | 2026-04-15 | N/A |
| dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was directly concatenated into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from database, perform privilege escalation, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads. The vulnerability is fixed in the following versions of dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS | ||||
| CVE-2025-12504 | 1 Talentsoft | 1 Unis | 2026-04-15 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection.This issue affects UNIS: before 42321. | ||||
| CVE-2013-10043 | 1 Astium | 1 Voip Pbx | 2026-04-15 | N/A |
| A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise. | ||||
| CVE-2025-10184 | 2 Google, Oneplus | 2 Android, Oxygenos | 2026-04-15 | N/A |
| The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers. | ||||
| CVE-2025-67147 | 2026-04-15 | 9.8 Critical | ||
| Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. | ||||
| CVE-2025-0455 | 1 Netvision | 1 Airpass | 2026-04-15 | 9.8 Critical |
| The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | ||||
| CVE-2025-1929 | 2026-04-15 | 7.2 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı allows SQL Injection, CAPEC - 7 - Blind SQL Injection.This issue affects Reel Sektör Hazine ve Risk Yönetimi Yazılımı: through 1.0.0.4. | ||||
| CVE-2024-55971 | 2026-04-15 | 10 Critical | ||
| SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to run arbitrary code on the backend database server. | ||||
| CVE-2025-10870 | 1 Dial | 1 Centrosnet | 2026-04-15 | N/A |
| SQL injection vulnerability in DIAL's CentrosNet v2.64. Allows an attacker to retrieve, create, update, and delete databases by sending POST and GET requests with the 'ultralogin' parameter in '/centrosnet/ultralogin.php'. | ||||
| CVE-2025-2928 | 1 Genetec | 1 Security Center | 2026-04-15 | 7.2 High |
| SQL Injection affecting the Archiver role. | ||||
| CVE-2025-10610 | 1 Sfs | 1 Winsure | 2026-04-15 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure allows Blind SQL Injection.This issue affects Winsure: through Version dated 21.08.2025. | ||||
| CVE-2025-61675 | 1 Freepbx | 1 Endpoint Manager | 2026-04-15 | N/A |
| FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. | ||||