Export limit exceeded: 18782 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18782 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1317 | 2 Smackcoders, Wordpress | 2 Wp Import – Ultimate Csv Xml Importer For Wordpress, Wordpress | 2026-04-15 | 6.5 Medium |
| The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0. | ||||
| CVE-2026-39356 | 2 Drizzle, Drizzle-team | 2 Drizzle, Drizzle-orm | 2026-04-15 | 7.5 High |
| Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20. | ||||
| CVE-2026-2232 | 2 Wcproducttable, Wordpress | 2 Product Table And List Builder For Woocommerce Lite, Wordpress | 2026-04-15 | 7.5 High |
| The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2019-25575 | 2 Simplepresscms, Sourceforge | 2 Simplepress Cms, Simplepress Cms | 2026-04-15 | 8.2 High |
| SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Attackers can send GET requests with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2019-25576 | 1 Keplerwallpapers | 1 Kepler Wallpaper Script | 2026-04-15 | 8.2 High |
| Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details. | ||||
| CVE-2026-34934 | 2 Mervinpraison, Praison | 2 Praisonai, Praisonai | 2026-04-15 | 9.8 Critical |
| PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full database access. This issue has been patched in version 4.5.90. | ||||
| CVE-2019-25662 | 1 Montala | 1 Resourcespace | 2026-04-15 | 8.2 High |
| ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watched_searches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials. | ||||
| CVE-2026-35470 | 1 Devcode | 1 Openstamanager | 2026-04-15 | 8.8 High |
| OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2. | ||||
| CVE-2019-25636 | 1 Zeeways | 2 Jobsite Cms, Zeejobsite | 2026-04-15 | 8.2 High |
| Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Attackers can send crafted requests to news_details.php, jobs_details.php, or job_cmp_details.php with malicious 'id' values using GROUP BY and CASE statements to extract sensitive database information. | ||||
| CVE-2026-23780 | 1 Bmc | 1 Control-m | 2026-04-15 | 8.8 High |
| An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution. | ||||
| CVE-2026-36234 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-15 | 9.8 Critical |
| itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter. | ||||
| CVE-2026-36235 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-15 | 9.8 Critical |
| A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation. | ||||
| CVE-2026-36232 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-15 | 9.8 Critical |
| A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation. | ||||
| CVE-2026-36233 | 1 Itsourcecode | 1 Online Student Enrollment System | 2026-04-15 | 9.8 Critical |
| A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation. | ||||
| CVE-2026-36236 | 2 Janobe, Sourcecodester | 2 Engineers Online Portal, Engineers Online Portal | 2026-04-15 | 9.8 Critical |
| SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter. | ||||
| CVE-2026-36872 | 2 Razormist, Sourcecodester | 2 Basic Library System, Basic Library System | 2026-04-15 | 2.7 Low |
| Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php. | ||||
| CVE-2026-36873 | 2 Razormist, Sourcecodester | 2 Basic Library System, Basic Library System | 2026-04-15 | 2.7 Low |
| Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php. | ||||
| CVE-2026-36874 | 2 Razormist, Sourcecodester | 2 Basic Library System, Basic Library System | 2026-04-15 | 2.7 Low |
| Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php. | ||||
| CVE-2026-36946 | 2 Oretnom23, Sourcecodester | 2 Computer And Mobile Repair Shop Management System, Computer And Mobile Repair Shop Management System | 2026-04-15 | 2.7 Low |
| Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php. | ||||
| CVE-2026-36947 | 2 Oretnom23, Sourcecodester | 2 Computer And Mobile Repair Shop Management System, Computer And Mobile Repair Shop Management System | 2026-04-15 | 2.7 Low |
| Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php. | ||||