Total: 19556 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-56380 | 1 Frappe | 2 Erpnext, Frappe | 2026-06-17 | N/A | 6.5 MEDIUM |
| Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint, triggered by supplying a crafted script in the fieldname parameter. | |||||
| CVE-2025-56316 | 1 Mingsoft | 1 Mcms | 2026-06-17 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering. | |||||
| CVE-2025-56216 | 1 Phpgurukul | 1 Hospital Management System | 2026-06-17 | N/A | 8.5 HIGH |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the pagetitle parameter. | |||||
| CVE-2025-56215 | 1 Phpgurukul | 1 Hospital Management System | 2026-06-17 | N/A | 6.5 MEDIUM |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter. | |||||
| CVE-2025-56214 | 1 Phpgurukul | 1 Hospital Management System | 2026-06-17 | N/A | 9.8 CRITICAL |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter. | |||||
| CVE-2025-56212 | 1 Phpgurukul | 1 Hospital Management System | 2026-06-17 | N/A | 9.8 CRITICAL |
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter. | |||||
| CVE-2025-56162 | 1 Yiovo | 1 Firefly Mall | 2026-06-17 | N/A | 6.5 MEDIUM |
| YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers configured with sufficient DB privileges. | |||||
| CVE-2025-56075 | 1 Phpgurukul | 1 Park Ticketing Management System | 2026-06-17 | N/A | 5.4 MEDIUM |
| A SQL Injection vulnerability was discovered in the normal-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary SQL code via the fromdate parameter in a POST request. | |||||
| CVE-2025-56074 | 1 Phpgurukul | 1 Park Ticketing Management System | 2026-06-17 | N/A | 9.8 CRITICAL |
| A SQL Injection vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary SQL code via the fromdate parameter in a POST request. | |||||
| CVE-2025-55885 | 1 Ard | 1 Gec En Ligne | 2026-06-17 | N/A | 6.3 MEDIUM |
| SQL Injection vulnerability in Alpes Recherche et Developpement ARD GEC en Ligne before v.2025-04-23 allows a remote attacker to escalate privileges via the GET parameters in index.php. | |||||
| CVE-2025-55849 | 1 Weiphp | 1 Weiphp | 2026-06-17 | N/A | 8.4 HIGH |
| WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee | |||||
| CVE-2025-55732 | 1 Frappe | 1 Frappe | 2026-06-17 | N/A | 7.5 HIGH |
| Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15. | |||||
| CVE-2025-55731 | 1 Frappe | 1 Frappe | 2026-06-17 | N/A | 8.8 HIGH |
| Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15. | |||||
| CVE-2025-55708 | | | 2026-06-17 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through <= 10.2.4. | |||||
| CVE-2025-55703 | 1 Sunbirddcim | 1 Power Iq | 2026-06-17 | N/A | 2.5 LOW |
| An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This can allow attackers to manipulate SQL queries. This has been addressed in Power IQ version 9.2.1, where the API call code was updated to ensure safe handling of input values. | |||||
| CVE-2025-55674 | 1 Apache | 1 Superset | 2026-06-17 | N/A | 6.5 MEDIUM |
| A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | |||||
| CVE-2025-55575 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in SMM Panel 3.1 allowing remote attackers to gain sensitive information via a crafted HTTP request with action=service_detail. | |||||
| CVE-2025-55476 | 1 Shaneisrael | 1 Fireshare | 2026-06-17 | N/A | 6.5 MEDIUM |
| FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint GET /api/videos/public?sort=. This parameter is unsafely evaluated in a SQL ORDER BY clause without proper sanitization, allowing an attacker to inject arbitrary SQL subqueries. | |||||
| CVE-2025-55472 | 1 Tirreno | 1 Tirreno | 2026-06-17 | N/A | 6.5 MEDIUM |
| SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. The vulnerability arises due to unsafe handling of user-supplied input in the columns[0][data] parameter, which is directly used in SQL queries without proper validation or parameterization. | |||||
| CVE-2025-55444 | 1 Vishalmathur | 1 Online Artwork And Fine Arts Project | 2026-06-17 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in the id2 parameter of the cancel_booking.php page in Online Artwork and Fine Arts MCA Project 1.0. A remote attacker can inject arbitrary SQL queries, leading to database enumeration and potential remote code execution. | |||||
