Total
19475 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26606 | 1 Wegia | 1 Wegia | 2026-06-17 | N/A | 9.8 CRITICAL |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, `informacao_adicional.php` endpoint. This vulnerability could allow an attacker to execute arbitrary SQL queries, allowing unauthorized access to sensitive information. This issue has been addressed in version 3.2.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-26605 | 1 Wegia | 1 Wegia | 2026-06-17 | N/A | 8.8 HIGH |
| WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, `deletar_cargo.php` endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. This issue has been addressed in version 3.2.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-26590 | | | 2026-06-17 | N/A | 7.6 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nir Complete Google Seo Scan complete-google-seo-scan allows SQL Injection. This issue affects Complete Google Seo Scan: from n/a through <= 3.5.1. | |||||
| CVE-2025-26535 | | | 2026-06-17 | N/A | 9.3 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Blind SQL Injection. This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through <= 1.7.6. | |||||
| CVE-2025-26533 | 1 Moodle | 1 Moodle | 2026-06-17 | N/A | 8.1 HIGH |
| An SQL injection risk was identified in the module list filter within course search. | |||||
| CVE-2025-26520 | 1 Cacti | 1 Cacti | 2026-06-17 | N/A | 7.6 HIGH |
| Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146. | |||||
| CVE-2025-26392 | 1 Solarwinds | 1 Observability Self-hosted | 2026-06-17 | N/A | 5.4 MEDIUM |
| SolarWinds Observability Self-Hosted is susceptible to SQL injection vulnerability that may display sensitive data using a low-level account. This vulnerability requires authentication from a low-privilege account. | |||||
| CVE-2025-26390 | 1 Siemens | 4 Ozw672, Ozw672 Firmware, Ozw772 and 1 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). The web service of affected devices is vulnerable to SQL injection when checking authentication data. This could allow an unauthenticated remote attacker to bypass the check and authenticate as Administrator user. | |||||
| CVE-2025-26348 | 1 Q-free | 1 Maxtime | 2026-06-17 | N/A | 5.5 MEDIUM |
| A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests. | |||||
| CVE-2025-26346 | 1 Q-free | 1 Maxtime | 2026-06-17 | N/A | 5.5 MEDIUM |
| A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to execute arbitrary SQL commands via crafted HTTP requests. | |||||
| CVE-2025-26241 | 1 Osticket | 1 Osticket | 2026-06-17 | N/A | 6.5 MEDIUM |
| A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination. | |||||
| CVE-2025-26200 | 1 Slims | 1 Senayan Library Management System | 2026-06-17 | N/A | 7.2 HIGH |
| SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component. | |||||
| CVE-2025-26198 | 1 Vishalmathur | 1 Cloudclassroom-php Project | 2026-06-17 | N/A | 9.8 CRITICAL |
| CloudClassroom-PHP-Project v1.0 contains a critical SQL Injection vulnerability in the loginlinkadmin.php component. The application fails to sanitize user-supplied input in the admin login form before directly including it in SQL queries. This allows unauthenticated attackers to inject arbitrary SQL payloads and bypass authentication, gaining unauthorized administrative access. The vulnerability is triggered when an attacker supplies specially crafted input in the username field, such as ' OR '1'='1, leading to complete compromise of the login mechanism and potential exposure of sensitive backend data. | |||||
| CVE-2025-26186 | 1 Os4ed | 1 Opensis | 2026-06-17 | N/A | 8.1 HIGH |
| SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php. | |||||
| CVE-2025-26163 | 1 Cmsol | 1 Auto Atendimento | 2026-06-17 | N/A | 9.8 CRITICAL |
| CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter. | |||||
| CVE-2025-26157 | 1 Darkseid | 1 Beauty Parlour Management System | 2026-06-17 | N/A | 5.9 MEDIUM |
| A SQL Injection vulnerability was found in /bpms/index.php in Source Code and Project Beauty Parlour Management System V1.1, which allows remote attackers to execute arbitrary code via the name POST request parameter. | |||||
| CVE-2025-26156 | 1 Phpgurukul | 1 Online Shopping Portal Project | 2026-06-17 | N/A | 8.8 HIGH |
| A SQL Injection vulnerability was found in /shopping/track-orders.php in PHPGurukul Online Shopping Portal v2.1, which allows remote attackers to execute arbitrary code via orderid POST request parameter. | |||||
| CVE-2025-26136 | 1 Wangl1989 | 1 Mysiteforme | 2026-06-17 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in mysiteforme versions prior to 2025.01.1. | |||||
| CVE-2025-26086 | 1 Rsiqueue | 1 Management System | 2026-06-17 | N/A | 7.5 HIGH |
| An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication. | |||||
| CVE-2025-26047 | 1 Olajowon | 1 Loggrove | 2026-06-17 | N/A | 5.1 MEDIUM |
| Loggrove v1.0 is vulnerable to SQL Injection in the read.py file. | |||||
