Export limit exceeded: 363699 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363699 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 19686 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19686 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25173 | 1 Sms | 1 Rmedia Sms | 2026-04-15 | 8.2 High |
| Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the gid parameter. Attackers can send GET requests to editgrp.php with malicious gid values using EXTRACTVALUE and CONCAT functions to retrieve schema names and sensitive database data. | ||||
| CVE-2018-25189 | 1 Sourceforge | 1 Data Center Audit | 2026-04-15 | 8.2 High |
| Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted SQL payloads through POST requests to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2018-25165 | 1 Galaxy | 1 Galaxy Forces Mmorpg | 2026-04-15 | 7.1 High |
| Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. Attackers can send POST requests to ads.php with crafted SQL payloads in the type parameter to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2018-25191 | 1 Obedalvarado | 1 Facturation System | 2026-04-15 | 7.1 High |
| Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. Attackers can send POST requests to the editar_producto.php endpoint with crafted SQL payloads in the mod_id parameter to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2019-25507 | 1 Ashopsoftware | 1 Ashop Shopping Cart Software | 2026-04-15 | 8.2 High |
| Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Attackers can send GET requests to index.php with malicious 'shop' values using UNION-based SQL injection to extract sensitive database information. | ||||
| CVE-2026-34455 | 2 Hi.events, Hieventsdev | 2 Hi.events, Hi.events | 2026-04-15 | 8.8 High |
| Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta. | ||||
| CVE-2025-60542 | 1 Typeorm | 1 Typeorm | 2026-04-15 | 6.5 Medium |
| SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. | ||||
| CVE-2025-62173 | 1 Freepbx | 1 Freepbx | 2026-04-15 | N/A |
| ## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | ||||
| CVE-2025-7886 | 2026-04-15 | 7.3 High | ||
| A vulnerability, which was classified as critical, was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2585 | 2026-04-15 | 8.8 High | ||
| EBM Maintenance Center From EBM Technologies has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents. | ||||
| CVE-2025-69310 | 2 Teconcetheme, Wordpress | 2 Woodly Core, Wordpress | 2026-04-15 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Woodly Core woodly-core allows Blind SQL Injection.This issue affects Woodly Core: from n/a through <= 1.4. | ||||
| CVE-2025-22214 | 2026-04-15 | 4.3 Medium | ||
| Landray EIS 2001 through 2006 allows Message/fi_message_receiver.aspx?replyid= SQL injection. | ||||
| CVE-2021-47763 | 1 Aimeos | 1 Aimeos Laravel Ecommerce Platform | 2026-04-15 | 8.2 High |
| Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | ||||
| CVE-2021-47782 | 1 Odinesolutions | 1 Gatekeeper | 2026-04-15 | 8.2 High |
| Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information. | ||||
| CVE-2025-3571 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in Fannuo Enterprise Content Management System 凡诺企业网站管理系统 1.1/4.0. It has been declared as critical. This vulnerability affects unknown code of the file admin/cms_chip.php. The manipulation of the argument del leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-61455 | 1 Bhabishya-123 | 1 E-commerce | 2026-04-15 | 9.8 Critical |
| SQL Injection vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the signup.inc.php endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and gain full access. | ||||
| CVE-2025-10310 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.9 Medium |
| The Rich Snippet Site Report plugin for WordPress is vulnerable to SQL Injection via the 'last' parameter in all versions up to, and including, 2.0.0105 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be exploited via CSRF. | ||||
| CVE-2025-10045 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.9 Medium |
| The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-14259 | 1 Jihai | 1 Jshop Miniprogram Mall System | 2026-04-15 | 6.3 Medium |
| A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument cat_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14207 | 1 Tushar-2223 | 1 Hotel-management-system | 2026-04-15 | 7.3 High |
| A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | ||||