Total
19521 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63532 | 1 Shridharshukl | 1 Blood Bank Management System | 2026-06-17 | N/A | 9.6 CRITICAL |
| A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | |||||
| CVE-2025-63531 | 1 Shridharshukl | 1 Blood Bank Management System | 2026-06-17 | N/A | 10.0 CRITICAL |
| A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the remail and rpassword fields, an attacker can bypass authentication and gain unauthorized access to the system. | |||||
| CVE-2025-63512 | 1 Kishan0725 | 1 Hospital Management System | 2026-06-17 | N/A | 6.5 MEDIUM |
| kishan0725 Hospital Management System/ v4 is vulnerable to SQL Injection in admin-panel1.php, specifically in the deleting doctor logic. The application fails to properly sanitize or parameterize user-supplied input from the demail parameter before incorporating it directly into a dynamic SQL query. | |||||
| CVE-2025-63497 | 1 Rickxy | 1 Hospital Management System | 2026-06-17 | N/A | 7.1 HIGH |
| The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability. The pat_number GET parameter is directly concatenated into SQL queries without proper sanitization, allowing authenticated attackers (doctor role) to execute arbitrary SQL queries. | |||||
| CVE-2025-63453 | 1 Car-booking-system-php Project | 1 Car-booking-system-php | 2026-06-17 | N/A | 9.8 CRITICAL |
| Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/contact.php. | |||||
| CVE-2025-63452 | 1 Car-booking-system-php Project | 1 Car-booking-system-php | 2026-06-17 | N/A | 9.4 CRITICAL |
| Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/forgot-pass.php. | |||||
| CVE-2025-63451 | 1 Car-booking-system-php Project | 1 Car-booking-system-php | 2026-06-17 | N/A | 9.8 CRITICAL |
| Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php. | |||||
| CVE-2025-63029 | 2026-06-17 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through <= 3.7.1. | |||||
| CVE-2025-62849 | 1 Qnap | 2 Qts, Quts Hero | 2026-06-17 | N/A | 9.8 CRITICAL |
| An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later | |||||
| CVE-2025-62846 | 1 Qnap | 1 Qurouter | 2026-06-17 | N/A | 6.7 MEDIUM |
| An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | |||||
| CVE-2025-62728 | 1 Apache | 1 Hive | 2026-06-17 | N/A | 5.4 MEDIUM |
| SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public. | |||||
| CVE-2025-62658 | 2026-06-17 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44. | |||||
| CVE-2025-62655 | 2026-06-17 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki Cargo extension allows SQL Injection.This issue affects MediaWiki Cargo extension: 1.39, 1.43, 1.44. | |||||
| CVE-2025-62617 | 1 Admidio | 1 Admidio | 2026-06-17 | N/A | 7.2 HIGH |
| Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17. | |||||
| CVE-2025-62606 | 2026-06-17 | N/A | 8.8 HIGH | ||
| my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to version 2.5.12, an authenticated SQL injection vulnerability in the bookmark reordering feature allows any logged-in user to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 2.5.12. | |||||
| CVE-2025-62519 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-06-17 | N/A | 7.2 HIGH |
| phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14. | |||||
| CVE-2025-62423 | 1 Oxygenz | 1 Clipbucket | 2026-06-17 | N/A | 6.7 MEDIUM |
| ClipBucket V5 provides open source video hosting with PHP. In version5.5.2 - #140 and earlier, a Blind SQL injection vulnerability exists in the Admin Area’s “/admin_area/login_as_user.php” file. Exploiting this vulnerability requires access privileges to the Admin Area. | |||||
| CVE-2025-62422 | 1 Dataease | 1 Dataease | 2026-06-17 | N/A | 8.8 HIGH |
| DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in version 2.10.14. No known workarounds exist. | |||||
| CVE-2025-62392 | 1 Ivanti | 1 Endpoint Manager | 2026-06-17 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62391 | 1 Ivanti | 1 Endpoint Manager | 2026-06-17 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||||