Vulnerabilities (CVE)

Filtered by CWE-89
Total 19556 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-57529 1 Youdatasum 1 Cpas Audit Management System 2026-06-17 N/A 9.8 CRITICAL
YouDataSum CPAS Audit Management System <=v4.9 is vulnerable to SQL Injection in /cpasList/findArchiveReportByDah due to insufficient input validation. This allows remote unauthenticated attackers to execute arbitrary SQL commands via crafted input to the parameter. Successful exploitation could lead to unauthorized data access.
CVE-2025-57515 2026-06-17 N/A 9.8 CRITICAL
A SQL injection vulnerability has been identified in Uniclare Student Portal v2. This flaw allows remote attackers to inject arbitrary SQL commands via vulnerable input fields, enabling the execution of time-delay functions to infer database responses.
CVE-2025-57423 2026-06-17 N/A 6.5 MEDIUM
A SQL injection vulnerability was discovered in the /articles endpoint of MyClub 0.5, affecting the query parameters Content, GroupName, PersonName, lastUpdate, pool, and title. Due to insufficient input sanitisation, an unauthenticated remote attacker could inject arbitrary SQL commands via a crafted GET request, potentially leading to information disclosure or manipulation of the database.
CVE-2025-57263 1 Phpversion 1 Vx Guestbook 2026-06-17 N/A 7.2 HIGH
An authenticated SQL injection vulnerability in VX Guestbook 1.07 allows attackers with admin access to inject malicious SQL payloads via the "word" POST parameter in the words.php admin panel.
CVE-2025-57254 2026-06-17 N/A 6.5 MEDIUM
An SQL injection vulnerability in user-login.php and index.php of Karthikg1908 Hospital Management System (HMS) 1.0 allows remote attackers to execute arbitrary SQL queries via the username and password POST parameters. The application fails to properly sanitize input before embedding it into SQL queries, leading to unauthorized access or potential data breaches. This can result in privilege escalation, account takeover, or exposure of sensitive medical data.
CVE-2025-57149 1 Phpgurukul 1 Complaint Management System 2026-06-17 N/A 6.5 MEDIUM
phpgurukul Complaint Management System 2.0 is vulnerable to SQL Injection in /complaint-details.php via the cid parameter.
CVE-2025-57147 1 Phpgurukul 1 Complaint Management System 2026-06-17 N/A 7.5 HIGH
A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php.
CVE-2025-57146 1 Phpgurukul 1 Complaint Management System 2026-06-17 N/A 8.1 HIGH
phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter.
CVE-2025-57140 1 Ruisitech 1 Ruisibi 2026-06-17 N/A 9.8 CRITICAL
rsbi-pom 4.7 is vulnerable to SQL Injection in the /bi/service/model/DatasetService path.
CVE-2025-57104 1 Zeon 1 Teampel 2026-06-17 N/A 5.4 MEDIUM
Teampel 5.1.6 is vulnerable to SQL Injection in /Common/login.aspx.
CVE-2025-56700 2026-06-17 N/A 5.4 MEDIUM
Boolean SQL injection vulnerability in the web app of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows a low-privileged user that has access to the platform to execute arbitrary SQL commands via the datafine parameter.
CVE-2025-56699 2026-06-17 N/A 5.4 MEDIUM
SQL injection vulnerability in the cmd component of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows an unauthenticated user to execute arbitrary SQL commands via the sender parameter.
CVE-2025-56630 1 Foxcms 1 Foxcms 2026-06-17 N/A 7.3 HIGH
FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Column.php file.
CVE-2025-56450 2026-06-17 N/A 6.5 MEDIUM
Log2Space Subscriber Management Software 1.1 is vulnerable to unauthenticated SQL injection via the `lead_id` parameter in the `/l2s/api/selfcareLeadHistory` endpoint. A remote attacker can exploit this by sending a specially crafted POST request, resulting in the execution of arbitrary SQL queries. The backend fails to sanitize the user input, allowing enumeration of database schemas, table names, and potentially leading to full database compromise.
CVE-2025-56435 1 Foxcms 1 Foxcms 2026-06-17 N/A 5.3 MEDIUM
SQL Injection vulnerability in FoxCMS v1.2.6 and before allows a remote attacker to execute arbitrary code via the id parameter of the /DataBackup.php file.
CVE-2025-56421 1 Limesurvey 1 Limesurvey 2026-06-17 N/A 7.5 HIGH
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
CVE-2025-56407 1 Utcms Project 1 Utcms 2026-06-17 N/A 8.8 HIGH
A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-56401 1 Ziragroup 1 Wbrm 2026-06-17 N/A 7.6 HIGH
ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName.
CVE-2025-56385 1 Wellsky 1 Harmony 2026-06-17 N/A 9.8 CRITICAL
A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful exploitation may lead to authentication bypass, data leakage, or full compromise of backend database contents.
CVE-2025-56381 1 Frappe 2 Erpnext, Frappe 2026-06-17 N/A 6.5 MEDIUM
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.