Export limit exceeded: 19690 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (19690 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-4466 2026-04-15 9.8 Critical
SQL injection vulnerability in Gescen on the centrosdigitales.net platform. This vulnerability allows an attacker to send a specially crafted SQL query to the pass parameter and retrieve all the data stored in the database.
CVE-2024-28816 1 Aaravrajsingh 1 Chatbot 2026-04-15 7.1 High
Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php.
CVE-2024-28389 2026-04-15 9.8 Critical
SQL injection vulnerability in KnowBand spinwheel v.3.0.3 and before allows a remote attacker to gain escalated privileges and obtain sensitive information via the SpinWheelFrameSpinWheelModuleFrontController::sendEmail() method.
CVE-2025-68881 1 Wordpress 1 Wordpress 2026-04-15 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection.This issue affects AppExperts: from n/a through <= 1.4.5.
CVE-2025-0404 1 Liujianview 1 Gymxmjpa 2026-04-15 6.3 Medium
A vulnerability has been found in liujianview gymxmjpa 1.0 and classified as critical. This vulnerability affects the function CoachController of the file src/main/java/com/liujian/gymxmjpa/controller/CoachController.java. The manipulation of the argument coachName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-5543 1 Tribulant 1 Slideshow Gallery Lite 2026-04-15 8.1 High
The Slideshow Gallery LITE plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-40635 2026-04-15 N/A
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint.
CVE-2024-11437 2026-04-15 4.9 Medium
The Timeline Designer plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2020-37163 1 Quickdate 1 Quickdate 2026-04-15 8.2 High
QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version.
CVE-2024-33269 1 Communitydeveloper 1 Prestaddons Flashsales 2026-04-15 9.8 Critical
SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method.
CVE-2024-12015 1 Wedevs 1 Wp Project Manager 2026-04-15 7.7 High
The 'Project Manager' WordPress Plugin is affected by an authenticated SQL injection vulnerability in the 'orderby' parameter in the '/pm/v2/activites' route.
CVE-2025-42889 1 Sap 1 Starter Solution 2026-04-15 5.4 Medium
SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. As a result, this vulnerability has a low impact on the application's confidentiality and integrity but no impact on its availability.
CVE-2023-3419 1 Tagdiv 1 Opt In Builder 2026-04-15 7.2 High
The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'couponId' parameter of the 'recreate_stripe_subscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-44349 1 Anteeowms 1 Anteeowms 2026-04-15 9.8 Critical
A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
CVE-2025-10973 2026-04-15 7.3 High
A flaw has been found in JackieDYH Resume-management-system up to fb6b857d852dd796e748ce30c606fe5e61c18273. Affected by this issue is some unknown functionality of the file /admin/show.php. This manipulation of the argument userid causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-22856 1 Axefinance 1 Axe Credit Portal 2026-04-15 5.4 Medium
A SQL injection vulnerability via the Save Favorite Search function in Axefinance Axe Credit Portal >= v.3.0 allows authenticated attackers to execute unintended queries and disclose sensitive information from DB tables via crafted requests.
CVE-2021-47909 1 Techraft 1 Mult-e-cart Ultimate 2026-04-15 8.1 High
Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system.
CVE-2013-10033 2 Kimai, Kimai Project 2 Kimai, Kimai 2026-04-15 N/A
An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.
CVE-2024-37564 2026-04-15 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PayPlus LTD PayPlus Payment Gateway.This issue affects PayPlus Payment Gateway: from n/a through 7.0.7.
CVE-2020-37108 1 Allhandsmarketing 1 Phpix 2012 Professional 2026-04-15 7.1 High
PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information.