Vulnerabilities (CVE)

Filtered by CWE-89
Total 19557 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-53529 1 Wegia 1 Wegia 2026-06-17 N/A 9.8 CRITICAL
WeGIA is a web manager for charitable institutions. An SQL Injection vulnerability was identified in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter is not properly sanitized or validated before being used in a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. The vulnerability is fixed in 3.4.3.
CVE-2025-53527 1 Wegia 1 Wegia 2026-06-17 N/A 9.8 CRITICAL
WeGIA is a web manager for charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in the almox parameter of the /controle/relatorio_geracao.php endpoint. This issue allows an attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. This vulnerability is fixed in 3.4.1.
CVE-2025-53515 1 Advantech 1 Iview 2026-06-17 N/A 8.8 HIGH
A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
CVE-2025-53475 1 Advantech 1 Iview 2026-06-17 N/A 8.8 HIGH
A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
CVE-2025-53468 2026-06-17 N/A 8.5 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus@hotmail.com Wp tabber widget wp-tabber-widget allows SQL Injection. This issue affects Wp tabber widget: from n/a through <= 4.0.
CVE-2025-53306 2026-06-17 N/A 7.6 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in lucidcrew WP Forum Server forum-server allows SQL Injection. This issue affects WP Forum Server: from n/a through <= 1.8.2.
CVE-2025-53258 2026-06-17 N/A 7.6 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wow-Company Hover Effects hover-effects allows SQL Injection. This issue affects Hover Effects: from n/a through <= 2.1.2.
CVE-2025-53256 2026-06-17 N/A 7.6 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection. This issue affects YaySMTP: from n/a through <= 2.6.6.
CVE-2025-53122 2026-06-17 N/A N/A
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection. Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
CVE-2025-53091 1 Wegia 1 Wegia 2026-06-17 N/A 9.8 CRITICAL
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in version 3.3.3, in the almox parameter of the `/controle/getProdutosPorAlmox.php` endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. Version 3.4.0 fixes the issue.
CVE-2025-52924 2026-06-17 N/A 4.0 MEDIUM
In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.
CVE-2025-52914 1 Mitel 1 Micollab 2026-06-17 N/A 8.8 HIGH
A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 (10.0.1.101) could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQL database commands.
CVE-2025-52895 1 Frappe 1 Frappe 2026-06-17 N/A 7.5 HIGH
Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading.
CVE-2025-52834 2026-06-17 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in favethemes Homey homey allows SQL Injection. This issue affects Homey: from n/a through <= 2.4.7.
CVE-2025-52833 2026-06-17 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection. This issue affects LMS: from n/a through <= 9.2.
CVE-2025-52832 2026-06-17 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows SQL Injection. This issue affects NGG Smart Image Search: from n/a through <= 3.4.1.
CVE-2025-52831 2026-06-17 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager video-list-manager allows SQL Injection. This issue affects Video List Manager: from n/a through <= 1.7.
CVE-2025-52830 2026-06-17 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bSecure – Your Universal Checkout bSecure – Your Universal Checkout bsecure allows Blind SQL Injection. This issue affects bSecure – Your Universal Checkout: from n/a through <= 1.7.9.
CVE-2025-52829 2026-06-17 N/A 9.3 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DirectIQ DirectIQ Email Marketing directiq-wp allows SQL Injection. This issue affects DirectIQ Email Marketing: from n/a through <= 2.0.
CVE-2025-52823 2026-06-17 N/A 8.5 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio cubeportfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through <= 1.16.8.