Total
19302 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-25346 | 2026-05-26 | N/A | 7.1 HIGH | ||
| WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database. | |||||
| CVE-2018-25348 | 2026-05-26 | N/A | 8.2 HIGH | ||
| Joomla! Component Ek Rishta 2.10 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the user_detail view with malicious cid values containing SQL commands to extract sensitive database information. | |||||
| CVE-2018-25347 | 2026-05-26 | N/A | 7.1 HIGH | ||
| WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges. | |||||
| CVE-2026-9364 | 2026-05-26 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in projectworlds Online Art Gallery Shop 1.0. Impacted is an unknown function of the file /admin/adminHome.php. Executing a manipulation of the argument social_linked can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | |||||
| CVE-2026-44706 | 2026-05-26 | N/A | 8.5 HIGH | ||
| Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2. | |||||
| CVE-2026-9383 | 2026-05-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/admin/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-42774 | 2026-05-26 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1. | |||||
| CVE-2026-48837 | 2026-05-26 | N/A | 8.5 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8. | |||||
| CVE-2026-42773 | 2026-05-26 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eMagicOne eMagicOne Store Manager allows Blind SQL Injection. This issue affects eMagicOne Store Manager: from n/a through 1.3.2. | |||||
| CVE-2026-9444 | 2026-05-26 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2026-9447 | 2026-05-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-9411 | 2026-05-26 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||
| CVE-2026-48136 | 2026-05-26 | N/A | 4.1 MEDIUM | ||
| When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain (CMA) can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access permissions, bypassing Role-Based Access Control (RBAC). | |||||
| CVE-2026-48134 | 2026-05-26 | N/A | 5.6 MEDIUM | ||
| When the DLP is active, the UserCheck Web Portal contains an input-handling issue in the UserChoice flow. Under specific conditions, an attacker who can access the UserCheck Ask page could attempt to manipulate the Security Gateway's stored DLP/UserCheck incident information. This could lead to disruptions such as loss of stored incident entries, incorrect handling of pending approvals, or resource impact if the issue is abused repeatedly. Exposure is reduced if the UserCheck Portal is not accessible from untrusted networks. | |||||
| CVE-2026-9355 | 2026-05-26 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. | |||||
| CVE-2026-9356 | 2026-05-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-9342 | 2026-05-26 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/view_history.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-26980 | 1 Ghost | 1 Ghost | 2026-05-26 | N/A | 9.4 CRITICAL |
| Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1. | |||||
| CVE-2025-34162 | 2026-05-26 | N/A | N/A | ||
| An unauthenticated SQL injection vulnerability exists in the GetLyfsByParams endpoint of Bian Que Feijiu Intelligent Emergency and Quality Control System, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The backend fails to properly sanitize user-supplied input in the strOpid parameter, allowing attackers to inject arbitrary SQL statements. This can lead to data exfiltration, authentication bypass, and potentially remote code execution, depending on backend configuration. The vulnerability is presumed to affect builds released prior to June 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC. | |||||
| CVE-2020-37004 | 2026-05-26 | N/A | 8.2 HIGH | ||
| The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques. | |||||