Total: 19572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52049 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 6.5 MEDIUM |
| In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the timelog parameter. | |||||
| CVE-2025-52048 | 1 Frappe | 1 Frappe | 2026-06-17 | N/A | 6.5 MEDIUM |
| In Frappe 15.x.x before 15.72.0 and 14.x.x before 14.96.10, the function add_tag() at `frappe/desk/doctype/tag/tag.py` is vulnerable to SQL Injection, which allows an attacker to extract information from databases by injecting a SQL query into the `dt` parameter. | |||||
| CVE-2025-52047 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 6.5 MEDIUM |
| In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter. | |||||
| CVE-2025-52044 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 7.5 HIGH |
| In Frappe ERPNext v15.57.5, the function get_stock_balance() at erpnext/stock/utils.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter. | |||||
| CVE-2025-52043 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 6.5 MEDIUM |
| In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter. | |||||
| CVE-2025-52042 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query via the txt parameter. | |||||
| CVE-2025-52041 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter. | |||||
| CVE-2025-52040 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter. | |||||
| CVE-2025-52039 | 1 Frappe | 1 Erpnext | 2026-06-17 | N/A | 8.2 HIGH |
| In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter. | |||||
| CVE-2025-52025 | 1 Aptsys | 1 Gemscms Backend | 2026-06-17 | N/A | 9.4 CRITICAL |
| An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend through 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification. | |||||
| CVE-2025-52021 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in the edit_product.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The product_id GET parameter is unsafely passed to a SQL query without proper validation or parameterization. | |||||
| CVE-2025-51972 | 1 Puneethreddyhc | 1 Online Shopping System Advanced | 2026-06-17 | N/A | 6.5 MEDIUM |
| A SQL Injection vulnerability exists in the login.php of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter. | |||||
| CVE-2025-51971 | 1 Puneethreddyhc | 1 Online Shopping System Advanced | 2026-06-17 | N/A | 5.4 MEDIUM |
| A reflected Cross-Site Scripting (XSS) vulnerability exists in register.php of PuneethReddyHC Online Shopping System Advanced 1.0. Unsanitized user input in the f_name parameter is reflected in the server response without proper HTML encoding or output escaping. This allows remote attackers to inject arbitrary JavaScript code. | |||||
| CVE-2025-51970 | 1 Puneethreddyhc | 1 Online Shopping System Advanced | 2026-06-17 | N/A | 7.7 HIGH |
| A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter. | |||||
| CVE-2025-51969 | 1 Puneethreddyhc | 1 Online Shopping System Advanced | 2026-06-17 | N/A | 6.5 MEDIUM |
| A SQL Injection vulnerability exists in the product.php page of PuneethReddyHC Online Shopping System Advanced 1.0. This flaw is present in the product_id GET parameter, which is not properly validated before being included in a SQL statement. | |||||
| CVE-2025-51968 | 1 Puneethreddyhc | 1 Online Shopping System Advanced | 2026-06-17 | N/A | 6.5 MEDIUM |
| A SQL Injection vulnerability exists in the action.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The application fails to properly sanitize user-supplied input in the proId POST parameter, allowing attackers to inject arbitrary SQL expressions. | |||||
| CVE-2025-51825 | 1 Guojusoft | 1 Jeecgboot | 2026-06-17 | N/A | 6.5 MEDIUM |
| JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL blacklist restrictions. | |||||
| CVE-2025-51683 | 1 Mjobtime | 1 Mjobtime | 2026-06-17 | N/A | 9.8 CRITICAL |
| A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint. | |||||
| CVE-2025-51672 | 1 Phpgurukul | 1 Dairy Farm Shop Management System | 2026-06-17 | N/A | 8.0 HIGH |
| A time-based blind SQL injection vulnerability was identified in the PHPGurukul Dairy Farm Shop Management System 1.3. The vulnerability exists in the manage-companies.php file and allows remote attackers to execute arbitrary SQL code via the companyname parameter in a POST request. | |||||
| CVE-2025-51671 | 1 Phpgurukul | 1 Dairy Farm Shop Management System | 2026-06-17 | N/A | 5.4 MEDIUM |
| A SQL injection vulnerability was discovered in the PHPGurukul Dairy Farm Shop Management System 1.3. The vulnerability allows remote attackers to execute arbitrary SQL code via the category and categorycode parameters in a POST request to the manage-categories.php file. | |||||
