Total: 19601 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-50984 | 1 Diskoverdata | 1 Diskover | 2026-06-17 | N/A | 5.3 MEDIUM | diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction. |
| CVE-2025-50983 | 1 Readarr | 1 Readarr | 2026-06-17 | N/A | 8.3 HIGH | SQL Injection vulnerability exists in the sortKey parameter of the GET /api/v1/wanted/cutoff API endpoint in readarr 0.4.15.2787. The endpoint fails to properly sanitize user-supplied input, allowing attackers to inject and execute arbitrary SQL commands against the backend SQLite database. Sqlmap confirmed exploitation via stacked queries, demonstrating that the parameter can be abused to run arbitrary SQL statements. A heavy query was executed using SQLite's RANDOMBLOB() and HEX() functions to simulate a time-based payload, indicating deep control over database interactions. |
| CVE-2025-50979 | 1 Nodebb | 1 Nodebb | 2026-06-17 | N/A | 8.6 HIGH | NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads. |
| CVE-2025-50972 | 1 Abantecart | 1 Abantecart | 2026-06-17 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in AbanteCart 1.4.2 allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data. |
| CVE-2025-50928 | 1 Ehcp | 1 Easy Hosting Control Panel | 2026-06-17 | N/A | 4.8 MEDIUM | Easy Hosting Control Panel EHCP v20.04.1.b was discovered to contain a SQL injection vulnerability via the id parameter in the Change Settings function. |
| CVE-2025-50926 | 1 Ehcp | 1 Easy Hosting Control Panel | 2026-06-17 | N/A | 6.5 MEDIUM | Easy Hosting Control Panel EHCP v20.04.1.b was discovered to contain a SQL injection vulnerability via the id parameter in the List All Email Addresses function. |
| CVE-2025-50868 | | | 2026-06-17 | N/A | 6.5 MEDIUM | A SQL Injection vulnerability exists in the takeassessment2.php file of CloudClassroom-PHP-Project 1.0. The Q4 POST parameter is not properly sanitized before being used in SQL queries. |
| CVE-2025-50867 | 1 Vishalmathur | 1 Cloudclassroom | 2026-06-17 | N/A | 6.5 MEDIUM | A SQL Injection vulnerability exists in the takeassessment2.php endpoint of the CloudClassroom-PHP-Project 1.0, where the Q5 POST parameter is directly embedded in SQL statements without sanitization. |
| CVE-2025-50860 | 1 Ehcp | 1 Easy Hosting Control Panel | 2026-06-17 | N/A | 5.4 MEDIUM | SQL Injection in the listdomains function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to access or manipulate database contents via the arananalan POST parameter. |
| CVE-2025-50565 | 1 Doubo Erp Project | 1 Doubo Erp | 2026-06-17 | N/A | 6.5 MEDIUM | Doubo ERP 1.0 has an SQL injection vulnerability due to a lack of filtering of user input, which can be remotely triggered by an attacker. |
| CVE-2025-50468 | 1 Open-metadata | 1 Openmetadata | 2026-06-17 | N/A | 6.5 MEDIUM | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the DocStoreDAO interface. The entityType parameter can be used to build a SQL query. |
| CVE-2025-50467 | 1 Open-metadata | 1 Openmetadata | 2026-06-17 | N/A | 6.5 MEDIUM | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The supportedDataTypeParam parameter can be used to build a SQL query. |
| CVE-2025-50466 | 1 Open-metadata | 1 Openmetadata | 2026-06-17 | N/A | 7.1 HIGH | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The entityType parameter can be used to build a SQL query. |
| CVE-2025-50465 | 1 Open-metadata | 1 Openmetadata | 2026-06-17 | N/A | 7.1 HIGH | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The testPlatform parameter can be used to build a SQL query. |
| CVE-2025-50240 | | | 2026-06-17 | N/A | 9.8 CRITICAL | nbcio-boot v1.0.3 was discovered to contain a SQL injection vulnerability via the userIds parameter at /sys/user/deleteRecycleBin. |
| CVE-2025-50229 | 1 Jizhicms | 1 Jizhicms | 2026-06-17 | N/A | 9.8 CRITICAL | Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module. |
| CVE-2025-50192 | 1 Chamilo | 1 Chamilo Lms | 2026-06-17 | N/A | 9.8 CRITICAL | Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30. |
| CVE-2025-50191 | 1 Chamilo | 1 Chamilo Lms | 2026-06-17 | N/A | 7.2 HIGH | Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the POST userFile parameter of the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30. |
| CVE-2025-50190 | 1 Chamilo | 1 Chamilo Lms | 2026-06-17 | N/A | 9.8 CRITICAL | Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter of the /index.php script. This issue has been patched in version 1.11.30. |
| CVE-2025-50189 | 1 Chamilo | 1 Chamilo Lms | 2026-06-17 | N/A | 8.8 HIGH | Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of user-supplied data in the POST resource[document][SQL_INJECTION_HERE] and POST login parameters of /main/coursecopy/copy_course_session_selected.php, which allows an attacker to modify the database query logic by injecting arbitrary SQL statements. This issue has been patched in version 1.11.30. |
