Total
16228 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10098 | 1 Phpgurukul | 1 User Management System | 2025-09-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in PHPGurukul User Management System 1.0. Affected is an unknown function of the file /admin/edit-user-profile.php. The manipulation of the argument uid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-10100 | 1 Oretnom23 | 1 Simple Forum\/discussion System | 2025-09-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was detected in SourceCodester Simple Forum Discussion System 1.0. This impacts an unknown function of the file /admin_class.php?action=login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | |||||
| CVE-2025-52085 | 1 Yoosee | 1 Yoosee | 2025-09-12 | N/A | 8.8 HIGH |
| An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table. | |||||
| CVE-2025-9391 | 1 Zhiyou-group | 1 Zhiyou Erp | 2025-09-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. This manipulation of the argument sql causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8347 | 1 Kehua | 1 Charging Pile Cloud Platform | 2025-09-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-54790 | 1 Humhub | 1 Files | 2025-09-12 | N/A | 6.5 MEDIUM |
| Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10. | |||||
| CVE-2025-40687 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'mobilenumber', 'teamleadname' and 'teammember' parameters in the endpoint '/ofrs/admin/add-team.php'. | |||||
| CVE-2025-40689 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'. | |||||
| CVE-2025-40690 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'teamid' parameter in the endpoint '/ofrs/admin/edit-team.php'. | |||||
| CVE-2025-40691 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'todate' parameter in the endpoint '/ofrs/admin/bwdates-report-result.php'. | |||||
| CVE-2025-40692 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | N/A | 9.8 CRITICAL |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'requestid' parameter in the endpoint '/ofrs/details.php'. | |||||
| CVE-2025-57819 | 1 Sangoma | 1 Freepbx | 2025-09-12 | N/A | 9.8 CRITICAL |
| FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3. | |||||
| CVE-2025-27240 | 2025-09-12 | N/A | N/A | ||
| A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. | |||||
| CVE-2025-10266 | 2025-09-12 | N/A | 9.8 CRITICAL | ||
| NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | |||||
| CVE-2023-6436 | 1 Ekolbilisim | 1 Web Sablonu Yazilimi | 2025-09-12 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215. | |||||
| CVE-2025-9807 | 2025-09-12 | N/A | 7.5 HIGH | ||
| The The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the ‘s’ parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-55472 | 1 Tirreno | 1 Tirreno | 2025-09-11 | N/A | 6.5 MEDIUM |
| SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. The vulnerability arises due to unsafe handling of user-supplied input in the columns[0][data] parameter, which is directly used in SQL queries without proper validation or parameterization. | |||||
| CVE-2025-9758 | 1 Deepakmisal24 | 1 Chemical Inventory Management System | 2025-09-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in deepakmisal24 Chemical Inventory Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /inventory_form.php. Such manipulation of the argument chem_name leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | |||||
| CVE-2024-11251 | 1 Huayi-tec | 1 Jeewms | 2025-09-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in erzhongxmu Jeewms up to 20241108. It has been rated as critical. This issue affects some unknown processing of the file cgReportController.do of the component AuthInterceptor. The manipulation of the argument begin_date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. Other parameters might be affected as well. | |||||
| CVE-2025-0391 | 1 Huayi-tec | 1 Jeewms | 2025-09-11 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. This issue affects the function saveOrUpdate of the file org/jeecgframework/web/cgform/controller/build/CgFormBuildController. java. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 20250101 is able to address this issue. It is recommended to upgrade the affected component. | |||||