Total
18675 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32786 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1. | |||||
| CVE-2024-4658 | 2026-04-15 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TE Informatics Nova CMS allows SQL Injection.This issue affects Nova CMS: before 5.0. | |||||
| CVE-2024-12097 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allows SQL Injection.This issue affects E-Travel: before 15.12.2024. | |||||
| CVE-2023-53935 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive database information by sending malformed requests to the ticket endpoint. | |||||
| CVE-2025-10115 | 2026-04-15 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was determined in SiempreCMS up to 1.3.6. This affects an unknown part of the file user_search_ajax.php. This manipulation of the argument name/userName causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-37104 | 2026-04-15 | N/A | 7.1 HIGH | ||
| A security vulnerability has been identified in HPE Telco Service Orchestrator software. The vulnerability could allow authenticated clients to to perform a SQL Injection attack when sending a service request, and potentially exfiltrate the database's vendor name to unauthorized authenticated clients. | |||||
| CVE-2025-10587 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-10610 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure allows Blind SQL Injection.This issue affects Winsure: through Version dated 21.08.2025. | |||||
| CVE-2025-50567 | 2026-04-15 | N/A | 10.0 CRITICAL | ||
| Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution. | |||||
| CVE-2025-11177 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The External Login plugin for WordPress is vulnerable to SQL Injection via the 'log' parameter in all versions up to, and including, 1.11.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database when a PostgreSQL or MSSQL database is configured as the external authentication database. | |||||
| CVE-2023-49440 | 2026-04-15 | N/A | 8.8 HIGH | ||
| AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter." | |||||
| CVE-2024-12025 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The Collapsing Categories plugin for WordPress is vulnerable to SQL Injection via the 'taxonomy' parameter of the /wp-json/collapsing-categories/v1/get REST API in all versions up to, and including, 3.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-33009 | 2026-04-15 | N/A | 4.2 MEDIUM | ||
| SAP Global Label Management is vulnerable to SQL injection. On exploitation the attacker can use specially crafted inputs to modify database commands resulting in the retrieval of additional information persisted by the system. This could lead to low impact on Confidentiality and Integrity of the application. | |||||
| CVE-2025-2106 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress. | |||||
| CVE-2025-48701 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| openDCIM through 23.04 allows SQL injection in people_depts.php because prepared statements are not used. | |||||
| CVE-2025-1311 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-69366 | 2026-04-15 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Emerce Core emerce-core allows Blind SQL Injection.This issue affects Emerce Core: from n/a through <= 1.8. | |||||
| CVE-2026-2232 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-32466 | 2026-04-15 | N/A | N/A | ||
| A SQL injection vulnerability in RSMediaGallery! component 1.7.4 - 2.1.7 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript code into text fields or other input points, which is subsequently executed in the browser of any user who clicks on the crafted text in the dashboard. | |||||
| CVE-2026-1317 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0. | |||||