Export limit exceeded: 80791 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (80791 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25194 | 1 Arixolab | 1 Nominas | 2026-04-15 | 8.2 High |
| Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can send POST requests to the login/checklogin.php endpoint with crafted UNION-based SQL injection payloads to extract database information including usernames, database names, and version details. | ||||
| CVE-2018-25172 | 1 Obedalvarado | 1 Pedidos | 2026-04-15 | 8.2 High |
| Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to the ajax/load_proveedores.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and table structures. | ||||
| CVE-2018-25193 | 1 Cesanta | 1 Mongoose Web Server | 2026-04-15 | 7.5 High |
| Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data to exhaust server resources and cause service unavailability. | ||||
| CVE-2018-25188 | 3 Github, Webiness Inventory Project, Webiness Project | 3 Webiness Inventory, Webiness Inventory, Webiness Inventory | 2026-04-15 | 8.2 High |
| Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2018-25180 | 1 Salzertechnologies | 1 Maitra | 2026-04-15 | 7.1 High |
| Maitra 1.7.2 contains an sql injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in outmail and inmail modules. Attackers can also download the SQLite database file directly from the application directory to extract sensitive mail tracking data and credentials. | ||||
| CVE-2018-25164 | 1 Phpmassmail | 1 Eversync | 2026-04-15 | 7.5 High |
| EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials. | ||||
| CVE-2018-25163 | 1 Bitzoom | 1 Bitzoom | 2026-04-15 | 8.2 High |
| BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. Attackers can submit crafted POST requests with SQL UNION statements to extract database schema information and table contents from the application database. | ||||
| CVE-2018-25176 | 1 Demo | 1 Alive Parish | 2026-04-15 | 8.2 High |
| Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution. | ||||
| CVE-2018-25166 | 1 Sourceforge | 1 Meneame English Pligg | 2026-04-15 | 8.2 High |
| Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to index.php with crafted SQL payloads in the search parameter to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2018-25165 | 1 Galaxy | 1 Galaxy Forces Mmorpg | 2026-04-15 | 7.1 High |
| Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. Attackers can send POST requests to ads.php with crafted SQL payloads in the type parameter to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2018-25197 | 1 Playjoom | 1 Playjoom | 2026-04-15 | 8.2 High |
| PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with option=com_playjoom&view=genre&catid=[SQL] to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2019-25504 | 1 Ncrypted | 1 Ncrypted Jobgator | 2026-04-15 | 8.2 High |
| NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can send POST requests to the agents Find-Jobs endpoint with malicious experience values to extract sensitive database information. | ||||
| CVE-2018-25181 | 1 Musicco | 1 Musicco | 2026-04-15 | 7.5 High |
| Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files. | ||||
| CVE-2018-25192 | 1 Sourceforge | 1 Gps Tracking System | 2026-04-15 | 8.2 High |
| GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials. | ||||
| CVE-2018-25175 | 1 Alienor | 1 Alienor Web Libre | 2026-04-15 | 8.2 High |
| Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. Attackers can submit crafted POST requests to index.php with SQL injection payloads in the identifiant field to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2018-25182 | 1 Snowhall | 1 Silurus Classifieds Script | 2026-04-15 | 8.2 High |
| Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to extract database table names and sensitive information from the database. | ||||
| CVE-2025-11157 | 2026-04-15 | 7.8 High | ||
| A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage. | ||||
| CVE-2023-7263 | 2026-04-15 | 7.3 High | ||
| Some Huawei home music system products have a path traversal vulnerability. Successful exploitation of this vulnerability may cause unauthorized file deletion or file permission change.(Vulnerability ID:HWPSIRT-2023-53450) This vulnerability has been assigned a (CVE)ID:CVE-2023-7263 | ||||
| CVE-2023-7300 | 2026-04-15 | 8 High | ||
| Huawei Home Music System has a path traversal vulnerability. Successful exploitation of this vulnerability may cause the music host file to be deleted or the file permission to be changed.(Vulnerability ID:HWPSIRT-2023-60613) | ||||
| CVE-2026-34455 | 2 Hi.events, Hieventsdev | 2 Hi.events, Hi.events | 2026-04-15 | 8.8 High |
| Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta. | ||||