Search Results (19235 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4984 | 2 Easycorp, Zentao | 6 Zentao Biz, Zentao Max, Zentao Open Source Edition and 3 more | 2026-05-14 | N/A |
| ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC. | ||||
| CVE-2026-29198 | 1 Rocket.chat | 1 Rocket.chat | 2026-05-13 | 9.8 Critical |
| In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured. | ||||
| CVE-2026-0242 | 1 Palo Alto Networks | 1 Trust Protection Foundation | 2026-05-13 | N/A |
| A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database. Successful exploitation could allow an attacker to read sensitive data, modify database contents, and escalate privileges to gain full administrative control of the platform. | ||||
| CVE-2026-4608 | 2 Metagauss, Wordpress | 2 Profilegrid – User Profiles, Groups And Communities, Wordpress | 2026-05-13 | 6.5 Medium |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-70420 | 1 Genesys | 1 Latitude | 2026-05-13 | 8.8 High |
| A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements. | ||||
| CVE-2026-40906 | 2 Electric, Electric-sql | 2 Sync-service, Electric | 2026-05-13 | 10 Critical |
| Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0. | ||||
| CVE-2026-6888 | 1 Advantech | 8 Ecowatch Saas-composer, Iot Edge Linux Docker, Iot Edge Windows and 5 more | 2026-05-13 | 7.2 High |
| Successful exploitation of the SQL injection vulnerability could allow a remote authenticated attacker to execute arbitrary commands via a specific interface, potentially enabling the attacker to access, modify, or delete sensitive information within the database. | ||||
| CVE-2023-46453 | 1 Gl-inet | 1 Glinet Devices | 2026-05-13 | 9.8 Critical |
| Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-MT2500 GL-AXT1800 GL-X3000 and GL-SFT1200. | ||||
| CVE-2026-2993 | 2 Wordpress, Wupsales | 2 Wordpress, Ai Chatbot & Workflow Automation By Aiwu | 2026-05-13 | 7.5 High |
| The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This issue is partially mitigated by a patch in version 1.4.11 that adds a nonce check for a nonce that is only available to administrators. | ||||
| CVE-2026-5028 | 2 10up, Wordpress | 2 Eight Day Week Print Workflow, Wordpress | 2026-05-13 | 6.5 Medium |
| The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-6577 | 1 Akilli Commerce Software Technologies Ltd. Co. | 1 E-commerce Website | 2026-05-13 | 9.8 Critical |
| Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows SQL Injection. This issue affects E-Commerce Website: before 4.5.001. | ||||
| CVE-2026-42741 | 2 Aman, Wordpress | 2 Ninja Forms Views – Display & Edit Ninja Forms Submissions On Your Site Frontend, Wordpress | 2026-05-13 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend views-for-ninja-forms allows Blind SQL Injection. This issue affects Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend: from n/a through <= 3.3.2. | ||||
| CVE-2026-42742 | 2 Aman, Wordpress | 2 Views For Wpforms, Wordpress | 2026-05-13 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection. This issue affects Views for WPForms: from n/a through <= 3.4.6. | ||||
| CVE-2026-45211 | 2 Saad Iqbal, Wordpress | 2 Apiexperts Square For Woocommerce, Wordpress | 2026-05-13 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection. This issue affects APIExperts Square for WooCommerce: from n/a through <= 4.7.1. | ||||
| CVE-2026-45213 | 2 Realmag777, Wordpress | 2 Bear, Wordpress | 2026-05-13 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection. This issue affects BEAR: from n/a through <= 1.1.7.1. | ||||
| CVE-2026-45218 | 2 Wordpress, Wp Travel | 2 Wordpress, Wp Travel | 2026-05-13 | 7.7 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0. | ||||
| CVE-2026-43937 | 1 Yafnet | 1 Yafnet | 2026-05-13 | 8.8 High |
| YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5. | ||||
| CVE-2026-1250 | 2 Webmuehle, Wordpress | 2 Court Reservation – Manage Your Court Bookings Online, Wordpress | 2026-05-13 | 7.5 High |
| The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-6929 | 2 Beardev, Wordpress | 2 Joomsport – For Sports: Team & League, Football, Hockey & More, Wordpress | 2026-05-13 | 7.5 High |
| The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' parameter in all versions up to, and including, 5.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-7619 | 2 Smub, Wordpress | 2 Charitable – Donation Plugin For Wordpress – Fundraising With Recurring Donations & More, Wordpress | 2026-05-13 | 6.5 Medium |
| The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||