Total
19448 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1132 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 8.8 HIGH |
| A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved. | |||||
| CVE-2025-1117 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability, which was classified as critical, was found in CoinRemitter 0.0.1/0.0.2 on OpenCart. This affects an unknown part. The manipulation of the argument coin leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.3 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-1116 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability, which was classified as critical, has been found in Dreamvention Live AJAX Search Free up to 1.0.6 on OpenCart. Affected by this issue is the function searchresults/search of the file /?route=extension/live_search/module/live_search.searchresults. The manipulation of the argument keyword leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1023 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 9.8 CRITICAL |
| A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. | |||||
| CVE-2025-15655 | 2026-06-17 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla School Management allows SQL Injection. This issue affects School Management: from n/a through 93.2.0. | |||||
| CVE-2025-15625 | 1 Sparxsystems | 1 Pro Cloud Server | 2026-06-17 | N/A | 9.8 CRITICAL |
| Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases. | |||||
| CVE-2025-15585 | 2026-06-17 | N/A | N/A | ||
| Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the underlying database and could result in privilege escalation or data exfiltration. | |||||
| CVE-2025-15560 | 1 Nestersoft | 1 Worktime | 2026-06-17 | N/A | 8.8 HIGH |
| An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data. | |||||
| CVE-2025-15498 | 2026-06-17 | N/A | N/A | ||
| Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from the vendor exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later. | |||||
| CVE-2025-15496 | 1 Guchengwuyue | 1 Yshopmall | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-15494 | 1 Docsys Project | 1 Docsys | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15493 | 1 Docsys Project | 1 Docsys | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15492 | 1 Docsys Project | 1 Docsys | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15477 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-15450 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15443 | 1 Crmeb | 1 Crmeb | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15442 | 1 Crmeb | 1 Crmeb | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15441 | 2026-06-17 | N/A | 6.8 MEDIUM | ||
| The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. | |||||
| CVE-2025-15439 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15436 | 1 Yonyou | 1 Ksoa | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. Such manipulation of the argument Report leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||