Total
17197 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5007 | 1 Kashipara | 1 Student Information System | 2025-12-05 | N/A | 8.8 HIGH |
| Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'id' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database. | |||||
| CVE-2025-13811 | 1 Jsnjfz | 1 Webstack-guns | 2025-12-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in jsnjfz WebStack-Guns 1.0. This vulnerability affects unknown code of the file src/main/java/com/jsnjfz/manage/core/common/constant/factory/PageFactory.java. Executing manipulation of the argument sort can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-65379 | 1 Phpgurukul | 1 Billing System | 2025-12-04 | N/A | 6.5 MEDIUM |
| PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accepts unvalidated user input, which is then concatenated directly into a backend SQL query. | |||||
| CVE-2025-65380 | 1 Phpgurukul | 1 Billing System | 2025-12-04 | N/A | 6.5 MEDIUM |
| PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query. | |||||
| CVE-2025-66205 | 1 Frappe | 1 Frappe | 2025-12-04 | N/A | 7.1 HIGH |
| Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2. | |||||
| CVE-2025-51683 | 1 Mjobtime | 1 Mjobtime | 2025-12-04 | N/A | 9.8 CRITICAL |
| A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint . | |||||
| CVE-2025-63532 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-04 | N/A | 9.6 CRITICAL |
| A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | |||||
| CVE-2025-65896 | 2025-12-04 | N/A | 9.8 CRITICAL | ||
| SQL injection vulnerability in long2ice assyncmy thru 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys. | |||||
| CVE-2025-13495 | 2025-12-04 | N/A | 4.9 MEDIUM | ||
| The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-62173 | 2025-12-04 | N/A | N/A | ||
| ## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | |||||
| CVE-2025-62728 | 1 Apache | 1 Hive | 2025-12-04 | N/A | 5.4 MEDIUM |
| SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public. | |||||
| CVE-2025-13788 | 1 Chanjet | 1 Chanjet Crm | 2025-12-04 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13545 | 1 Ashraf-kabir | 1 Travel-agency | 2025-12-04 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security vulnerability has been detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this vulnerability is an unknown functionality of the file /admin_area/index.php. The manipulation of the argument edit_pack leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13546 | 1 Ashraf-kabir | 1 Travel-agency | 2025-12-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this issue is some unknown functionality of the file /results.php of the component Search. The manipulation of the argument user_query results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | |||||
| CVE-2025-63535 | 1 Shridharshukl | 1 Blood Bank Management System | 2025-12-03 | N/A | 9.6 CRITICAL |
| A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize usersupplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | |||||
| CVE-2025-62228 | 1 Apache | 1 Flink Cdc | 2025-12-03 | N/A | 8.8 HIGH |
| Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, we recommend users update Flink CDC version to 3.5.0 which address this issue. | |||||
| CVE-2025-6132 | 1 Chanjet | 1 Chanjet Crm | 2025-12-03 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in Chanjet CRM 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysconfig/departmentsetting.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-65358 | 1 Hashenudara | 1 Edoc-doctor-appointment-system | 2025-12-03 | N/A | 9.8 CRITICAL |
| Edoc-doctor-appointment-system v1.0.1 was discovered to contain SQl injection vulnerability via the 'docid' parameter at /admin/appointment.php. | |||||
| CVE-2025-41013 | 1 Tcman | 1 Gim | 2025-12-03 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'. | |||||
| CVE-2025-66313 | 1 Churchcrm | 1 Churchcrm | 2025-12-03 | N/A | 7.2 HIGH |
| ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques. | |||||