Vulnerabilities (CVE)

Filtered by CWE-89
Total 19555 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-41033 1 Apprain 1 Apprain 2026-06-17 N/A 9.8 CRITICAL
An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database, through the 'data%5BPage%5D%5Bname%5D' parameter in /apprain/page/manage-dynamic-pages/create.
CVE-2025-41032 1 Apprain 1 Apprain 2026-06-17 N/A 9.8 CRITICAL
An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database, through the 'data%5BAdmin%5D%5Busername%5D' parameter in /apprain/admin/manage/add/.
CVE-2025-41029 2026-06-17 N/A N/A
SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'.
CVE-2025-41028 2026-06-17 N/A N/A
A SQL Injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete the database by sending a POST request using the parameter ‘sEstadoUsr’ in ‘/epsilonnetws/WSAvisos.asmx’.
CVE-2025-41019 2026-06-17 N/A N/A
SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'.
CVE-2025-41018 1 Sergestec 1 Exito 2026-06-17 N/A 9.8 CRITICAL
SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'.
CVE-2025-41013 1 Tcman 1 Gim 2026-06-17 N/A 9.8 CRITICAL
SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'.
CVE-2025-41009 2026-06-17 N/A N/A
SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’.
CVE-2025-41008 2026-06-17 N/A N/A
SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint.
CVE-2025-41007 2026-06-17 N/A N/A
SQL Injection in Cuantis. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'search' parameter in the '/search.php' endpoint.
CVE-2025-41006 2026-06-17 N/A N/A
Imaster's MEMS Events CRM contains an SQL injection vulnerability in the ‘phone’ parameter in ‘/memsdemo/login.php’.
CVE-2025-41005 2026-06-17 N/A N/A
Imaster's MEMS Events CRM contains an SQL injection vulnerability in the ‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.
CVE-2025-41004 2026-06-17 N/A N/A
Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.
CVE-2025-41002 2026-06-17 N/A N/A
SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.
CVE-2025-40985 2026-06-17 N/A N/A
SQL injection vulnerability in SCATI Vision Web of SCATI Labs from version 4.8 to 7.2. This vulnerability allows an attacker to exfiltrate some data from the database via the ‘login’ parameter in the endpoint ‘/scatevision_web/index.php/loginForm’.
CVE-2025-40888 1 Nozominetworks 2 Cmc, Guardian 2026-06-17 N/A 5.3 MEDIUM
A SQL Injection vulnerability was discovered in the CLI functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data.
CVE-2025-40887 1 Nozominetworks 2 Cmc, Guardian 2026-06-17 N/A 5.3 MEDIUM
A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data.
CVE-2025-40886 1 Nozominetworks 2 Cmc, Guardian 2026-06-17 N/A 7.5 HIGH
A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SQL statements on the DBMS used by the web application, potentially exposing unauthorized data, altering their structure and content, and/or affecting their availability.
CVE-2025-40885 1 Nozominetworks 2 Cmc, Guardian 2026-06-17 N/A 5.3 MEDIUM
A SQL Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the DBMS used by the web application, potentially exposing unauthorized data.
CVE-2025-40755 1 Siemens 1 Sinec Nms 2026-06-17 N/A 8.8 HIGH
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP1). Affected applications are vulnerable to SQL injection through the getTotalAndFilterCounts endpoint. An authenticated low privileged attacker could exploit this to insert data and achieve privilege escalation. (ZDI-CAN-26570)