Export limit exceeded: 19695 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (19695 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-55065 2026-04-15 7.5 High
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-14973 1 Wordpress 1 Wordpress 2026-04-15 6.8 Medium
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.
CVE-2025-8311 1 Dotcms 1 Dotcms 2026-04-15 N/A
dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was directly concatenated into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from database, perform privilege escalation, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads. The vulnerability is fixed in the following versions of dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS
CVE-2024-31025 1 Shopex 1 Ecshop 2026-04-15 7.5 High
SQL Injection vulnerability in ECshop 4.x allows an attacker to obtain sensitive information via the file/article.php component.
CVE-2025-10184 2 Google, Oneplus 2 Android, Oxygenos 2026-04-15 N/A
The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
CVE-2020-37005 1 Timeclock-software 1 Timeclock Software 2026-04-15 7.1 High
TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences.
CVE-2020-36999 1 Elaniin 1 Cms 2026-04-15 8.2 High
Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system.
CVE-2025-32020 2026-04-15 N/A
The crud-query-parser library parses query parameters from HTTP requests and converts them to database queries. Improper neutralization of the order/sort parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. This vulnerability is fixed in 0.1.0.
CVE-2025-69310 2 Teconcetheme, Wordpress 2 Woodly Core, Wordpress 2026-04-15 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Woodly Core woodly-core allows Blind SQL Injection.This issue affects Woodly Core: from n/a through <= 1.4.
CVE-2023-37777 2026-04-15 9.8 Critical
A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands.
CVE-2024-13320 2 Villatheme, Wordpress 2 Curcy - Woocommerce Multi Currency - Currency Switcher, Wordpress 2026-04-15 7.5 High
The CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress is vulnerable to SQL Injection via the 'wc_filter_price_meta[where]' parameter in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-45065 2026-04-15 9.8 Critical
employee record management system in php and mysql v1 was discovered to contain a SQL injection vulnerability via the loginerms.php endpoint.
CVE-2024-50672 1 Adapt Authoring Tool 1 Adapt Authoring Tool 2026-04-15 9.8 Critical
A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is used as a query in Mongoose's find() function. This makes it possible for attackers to perform a full takeover of the administrator account. Attackers can then use the newly gained administrative privileges to upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application.
CVE-2025-26855 2026-04-15 9.8 Critical
A SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands.
CVE-2025-15439 1 Daptin 1 Daptin 2026-04-15 6.3 Medium
A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-33770 2026-04-15 5.1 Medium
Real Estate Management System v1.0 was discovered to contain a SQL injection vulnerability via the message parameter at /contact.php.
CVE-2021-47763 1 Aimeos 1 Aimeos Laravel Ecommerce Platform 2026-04-15 8.2 High
Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint.
CVE-2021-47766 1 Levelprograms 1 Kmaleon 2026-04-15 7.1 High
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.
CVE-2024-48465 1 Mrbs 1 Mrbs 2026-04-15 9.8 Critical
The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter
CVE-2024-13909 2 Accredible, Wordpress 2 Accredible Certificates & Open Badges, Wordpress 2026-04-15 4.9 Medium
The Accredible Certificates & Open Badges plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.