Export limit exceeded: 18730 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18730 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2421 | 1 Socket | 1 Socket.io-parser | 2026-02-06 | 10 Critical |
| Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object. | ||||
| CVE-2026-25234 | 1 Pear | 1 Pearweb | 2026-02-05 | 9.8 Critical |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0. | ||||
| CVE-2026-25236 | 1 Pear | 1 Pearweb | 2026-02-05 | 9.8 Critical |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0. | ||||
| CVE-2026-25238 | 1 Pear | 1 Pearweb | 2026-02-05 | 9.8 Critical |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. | ||||
| CVE-2026-25239 | 1 Pear | 1 Pearweb | 2026-02-05 | 7.5 High |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0. | ||||
| CVE-2026-25240 | 1 Pear | 1 Pearweb | 2026-02-05 | 9.8 Critical |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0. | ||||
| CVE-2026-25241 | 1 Pear | 1 Pearweb | 2026-02-05 | 9.8 Critical |
| PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0. | ||||
| CVE-2025-57792 | 1 Explorance | 1 Blue | 2026-02-05 | 10 Critical |
| Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk. | ||||
| CVE-2025-57793 | 1 Explorance | 1 Blue | 2026-02-05 | 8.6 High |
| Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. The issue is exploitable without authentication, significantly elevating the risk. | ||||
| CVE-2025-63689 | 2 Money-pos, Ycf1998 | 2 Money-pos, Money-pos | 2026-02-05 | 10 Critical |
| Multiple SQL injection vulnerabilitites in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allows a remote attacker to execute arbitrary code via the orderby parameter | ||||
| CVE-2026-1287 | 1 Djangoproject | 1 Django | 2026-02-04 | 5.4 Medium |
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | ||||
| CVE-2026-1312 | 1 Djangoproject | 1 Django | 2026-02-04 | 5.4 Medium |
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | ||||
| CVE-2026-1207 | 1 Djangoproject | 1 Django | 2026-02-04 | 5.4 Medium |
| An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. | ||||
| CVE-2023-42178 | 1 Lenosp Project | 1 Lenosp | 2026-02-03 | 6.5 Medium |
| Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log query module. | ||||
| CVE-2020-36077 | 1 Tailor Management System Project | 1 Tailor Management System | 2026-02-03 | 8.8 High |
| SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the customer parameter of the orderadd.php file | ||||
| CVE-2020-36074 | 1 Tailor Management System Project | 1 Tailor Management System | 2026-02-03 | 8.8 High |
| SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the title parameter. | ||||
| CVE-2026-21856 | 1 Tarkov | 1 Tarkov Data Manager | 2026-02-03 | 7.2 High |
| The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time based blind SQL injection vulnerability in the webhook edit and scanner api endpoints that allow an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch. | ||||
| CVE-2025-69562 | 2 Code-projects, Fabian | 2 Mobile Shop Management System, Mobile Shop Management System | 2026-02-03 | 9.8 Critical |
| code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter. | ||||
| CVE-2025-69563 | 2 Code-projects, Fabian | 2 Mobile Shop Management System, Mobile Shop Management System | 2026-02-03 | 9.8 Critical |
| code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExLogin.php via the Password parameter. | ||||
| CVE-2025-41375 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | 9.8 Critical |
| SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint. | ||||