Export limit exceeded: 19502 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19502 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-55159 | 2026-04-15 | 4.2 Medium | ||
| GFast between v2 to v3.2 was discovered to contain a SQL injection vulnerability via the SortName parameter at /system/loginLog/list. | ||||
| CVE-2025-60514 | 1 Tillywork | 1 Tillywork | 2026-04-15 | 6.5 Medium |
| Tillywork v0.1.3 and below is vulnerable to SQL Injection in app/common/helpers/query.builder.helper.ts. | ||||
| CVE-2025-30060 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| In the ReturnUserUnitsXML.pl service, the "getUserInfo" function is vulnerable to SQL injection through the "UserID" parameter. | ||||
| CVE-2024-2831 | 2 Kieranoshea, Wordpress | 2 Calendar, Wordpress | 2026-04-15 | 8.8 High |
| The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-55065 | 2026-04-15 | 7.5 High | ||
| CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||||
| CVE-2025-30061 | 1 Cgm | 1 Clininet | 2026-04-15 | N/A |
| In the "utils/Reporter/OpenReportWindow.pl" service, there is an SQL injection vulnerability through the "UserID" parameter. | ||||
| CVE-2024-48733 | 1 Sas | 1 Studio | 2026-04-15 | 8.8 High |
| SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users. | ||||
| CVE-2024-3495 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-13208 | 1 Hotels Server Project | 1 Hotels Server | 2026-04-15 | 6.3 Medium |
| A security flaw has been discovered in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. The impacted element is an unknown function of the file controller/api/hotelList.php. The manipulation of the argument subjectId/cityName results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-4826 | 2026-04-15 | 9.8 Critical | ||
| SQL injection vulnerability in Simple PHP Shopping Cart affecting version 0.9. This vulnerability could allow an attacker to retrieve all the information stored in the database by sending a specially crafted SQL query, due to the lack of proper sanitisation of the category_id parameter in the category.php file. | ||||
| CVE-2024-9678 | 2026-04-15 | 4.9 Medium | ||
| An SQL Injection vulnerability existed in DLP Extension 11.11.1.3. The vulnerability allowed an attacker to perform arbitrary SQL queries potentially leading to command execution. | ||||
| CVE-2024-47926 | 1 Tecnick | 1 Tcexam | 2026-04-15 | 9.8 Critical |
| Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||||
| CVE-2024-54446 | 2026-04-15 | N/A | ||
| Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. | ||||
| CVE-2025-11319 | 1 Nahiduddinahammed | 1 Hospital Management System | 2026-04-15 | 6.3 Medium |
| A weakness has been identified in nahiduddinahammed Hospital-Management-System-Website up to e6562429e14b2f88bd2139cae16e87b965024097. This issue affects some unknown processing of the file /delete.php. This manipulation of the argument ai causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14207 | 1 Tushar-2223 | 1 Hotel-management-system | 2026-04-15 | 7.3 High |
| A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | ||||
| CVE-2025-12197 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-04-15 | 7.5 High |
| The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-12503 | 1 Digiwin | 1 Easyflow .net | 2026-04-15 | 6.5 Medium |
| EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | ||||
| CVE-2014-125115 | 3 Artica, Pandora Fms, Pandorafms | 3 Pandora Fms, Pandora Fms, Pandora Fms | 2026-04-15 | N/A |
| An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution. | ||||
| CVE-2024-28297 | 1 Azursoft | 1 Myhorus | 2026-04-15 | 7.5 High |
| SQL injection vulnerability in AzureSoft MyHorus 4.3.5 allows authenticated users to execute arbitrary SQL commands via unspecified vectors. | ||||
| CVE-2024-28303 | 1 Sourcecodester | 1 Open Source Medicine Ordering System | 2026-04-15 | 9.8 Critical |
| Open Source Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the date parameter at /admin/reports/index.php. | ||||