Total
18547 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3872 | 1 Centreon | 1 Centreon Web | 2025-10-22 | N/A | 7.2 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload. This issue affects Centreon: from 22.10.0 before 22.10.28, from 23.04.0 before 23.04.25, from 23.10.0 before 23.10.20, from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4. | |||||
| CVE-2025-6791 | 1 Centreon | 1 Centreon Web | 2025-10-22 | N/A | 8.8 HIGH |
| In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.This issue affects web: 24.10.0, 24.04.0, 23.10.0. | |||||
| CVE-2025-4650 | 1 Centreon | 1 Centreon Web | 2025-10-22 | N/A | 7.2 HIGH |
| User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26. | |||||
| CVE-2025-40657 | 1 Acc | 1 Dm Corporative Cms | 2025-10-22 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to retrieve, create, update and delete databases through the codform parameter in /modules/forms/collectform.asp. | |||||
| CVE-2016-2386 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. | |||||
| CVE-2025-56450 | 2025-10-21 | N/A | 6.5 MEDIUM | ||
| Log2Space Subscriber Management Software 1.1 is vulnerable to unauthenticated SQL injection via the `lead_id` parameter in the `/l2s/api/selfcareLeadHistory` endpoint. A remote attacker can exploit this by sending a specially crafted POST request, resulting in the execution of arbitrary SQL queries. The backend fails to sanitize the user input, allowing enumeration of database schemas, table names, and potentially leading to full database compromise. | |||||
| CVE-2025-60514 | 2025-10-21 | N/A | 6.5 MEDIUM | ||
| Tillywork v0.1.3 and below is vulnerable to SQL Injection in app/common/helpers/query.builder.helper.ts. | |||||
| CVE-2025-62655 | 2025-10-21 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki Cargo extension allows SQL Injection.This issue affects MediaWiki Cargo extension: 1.39, 1.43, 1.44. | |||||
| CVE-2025-56700 | 2025-10-21 | N/A | 5.4 MEDIUM | ||
| Boolean SQL injection vulnerability in the web app of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows a low level priviliged user that has access to the platform, to execute arbitrary SQL commands via the datafine parameter. | |||||
| CVE-2025-56699 | 2025-10-21 | N/A | 5.4 MEDIUM | ||
| SQL injection vulnerability in the cmd component of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows an unauthenticated user to execute arbitrary SQL commands via the sender parameter. | |||||
| CVE-2025-60641 | 2025-10-21 | N/A | 6.5 MEDIUM | ||
| The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies. | |||||
| CVE-2025-41028 | 2025-10-21 | N/A | N/A | ||
| A SQL Injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete database via sending a POST request using the parameter ‘sEstadoUsr’ in ‘/epsilonnetws/WSAvisos.asmx’. | |||||
| CVE-2025-61455 | 2025-10-21 | N/A | 9.8 CRITICAL | ||
| SQL Injection vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the signup.inc.php endpoint. The application directly incorporates unsanitized user inputs into SQL queries, allowing unauthenticated attackers to bypass authentication and gain full access. | |||||
| CVE-2025-62658 | 2025-10-21 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44. | |||||
| CVE-2025-10187 | 2025-10-21 | N/A | 4.9 MEDIUM | ||
| The GSpeech TTS – WordPress Text To Speech Plugin plugin for WordPress is vulnerable to SQL Injection via the 'field' parameter in all versions up to, and including, 3.17.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-11691 | 2025-10-21 | N/A | 7.5 HIGH | ||
| The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled. | |||||
| CVE-2025-60307 | 1 Carmelo | 1 Computer Laboratory System | 2025-10-21 | N/A | 9.8 CRITICAL |
| code-projects Computer Laboratory System 1.0 has a SQL injection vulnerability, where entering a universal password in the Password field on the login page can bypass login attempts. | |||||
| CVE-2025-40755 | 1 Siemens | 1 Sinec Nms | 2025-10-21 | N/A | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP1). Affected applications are vulnerable to SQL injection through getTotalAndFilterCounts endpoint. An authenticated low privileged attacker could exploit to insert data and achieve privilege escalation. (ZDI-CAN-26570) | |||||
| CVE-2025-41018 | 1 Sergestec | 1 Exito | 2025-10-21 | N/A | 9.8 CRITICAL |
| SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'. | |||||
| CVE-2025-61540 | 1 Myupb | 1 Ultimate Php Board | 2025-10-21 | N/A | 6.5 MEDIUM |
| SQL injection vulnerability in Ultimate PHP Board 2.2.7 via the username field in lostpassword.php. | |||||