Total
18135 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-3105 | 1 Acquia | 1 Mautic | 2026-02-27 | N/A | 7.6 HIGH |
| SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API. MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later. WorkaroundsNone. ReferencesIf you have any questions or comments about this advisory: Email us at security@mautic.org | |||||
| CVE-2025-10258 | 1 Nokia | 1 Infinera Dna | 2026-02-26 | N/A | 6.3 MEDIUM |
| Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information. | |||||
| CVE-2025-27378 | 1 Altium | 1 On-prem Enterprise Server | 2026-02-26 | N/A | 8.6 HIGH |
| AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | |||||
| CVE-2026-23969 | 1 Apache | 1 Superset | 2026-02-26 | N/A | 6.5 MEDIUM |
| Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue. | |||||
| CVE-2025-36588 | 1 Dell | 2 Unisphere For Powermax, Unisphere For Powermax Virtual Appliance | 2026-02-26 | N/A | 8.8 HIGH |
| Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | |||||
| CVE-2025-15560 | 1 Nestersoft | 1 Worktime | 2026-02-26 | N/A | 8.8 HIGH |
| An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data. | |||||
| CVE-2026-2865 | 1 Adonesevangelista | 1 Agri-trading Online Shopping System | 2026-02-26 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-3133 | 1 Admerc | 1 Document Management System | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in itsourcecode Document Management System 1.0. This issue affects some unknown processing of the file /loging.php of the component Login. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-3134 | 1 Clive 21 | 1 News Portal Project | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin/edit-category.php. The manipulation of the argument Category results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-3135 | 1 Clive 21 | 1 News Portal Project | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.php. This manipulation of the argument Category causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-3046 | 1 Emiloi | 1 E-logbook With Health Monitoring System For Covid-19 | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. This vulnerability affects unknown code of the file /check_profile_old.php. The manipulation of the argument profile_id leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-26198 | 1 Collerek | 1 Ormar | 2026-02-25 | N/A | 9.8 CRITICAL |
| Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch. | |||||
| CVE-2026-27461 | 1 Pimcore | 1 Pimcore | 2026-02-25 | N/A | 4.9 MEDIUM |
| Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch. | |||||
| CVE-2026-3149 | 1 Angeljudesuarez | 1 College Management System | 2026-02-25 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-3150 | 1 Angeljudesuarez | 1 College Management System | 2026-02-25 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2026-3151 | 1 Angeljudesuarez | 1 College Management System | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was detected in itsourcecode College Management System 1.0. This vulnerability affects unknown code of the file /login/login.php. The manipulation of the argument email results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | |||||
| CVE-2026-3152 | 1 Angeljudesuarez | 1 College Management System | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/teacher-salary.php. This manipulation of the argument teacher_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2026-3153 | 1 Admerc | 1 Document Management System | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-3164 | 1 Clive 21 | 1 News Portal Project | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in itsourcecode News Portal Project 1.0. This issue affects some unknown processing of the file /admin/contactus.php. The manipulation of the argument pagetitle results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-3148 | 1 Haben-cs9 | 1 Simple And Nice Shopping Cart Script | 2026-02-25 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in SourceCodester Simple and Nice Shopping Cart Script 1.0. This impacts an unknown function of the file /signup.php. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||