Vulnerabilities (CVE)

Filtered by CWE-89
Total 19306 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-9342 2026-05-26 6.5 MEDIUM 6.3 MEDIUM
A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/view_history.php. The manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
CVE-2026-26980 1 Ghost 1 Ghost 2026-05-26 N/A 9.4 CRITICAL
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
CVE-2025-34162 2026-05-26 N/A N/A
An unauthenticated SQL injection vulnerability exists in the GetLyfsByParams endpoint of Bian Que Feijiu Intelligent Emergency and Quality Control System, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The backend fails to properly sanitize user-supplied input in the strOpid parameter, allowing attackers to inject arbitrary SQL statements. This can lead to data exfiltration, authentication bypass, and potentially remote code execution, depending on backend configuration. The vulnerability is presumed to affect builds released prior to June 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.
CVE-2020-37004 2026-05-26 N/A 8.2 HIGH
The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques.
CVE-2012-10047 2026-05-26 N/A N/A
Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its login mechanism. The username parameter in the auth-login POST request is not properly sanitized, allowing attackers to inject arbitrary SQL statements. This can be leveraged to write and execute a malicious PHP file on disk, resulting in remote code execution under the SYSTEM user context.
CVE-2026-7815 1 Pgadmin 1 Pgadmin 4 2026-05-26 N/A 8.8 HIGH
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.
CVE-2026-9082 1 Drupal 1 Drupal 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
CVE-2026-25606 2026-05-22 N/A N/A
A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by the user into multiple Search Filters allows for SQL injection attacks. It allows an authenticated attacker to view sensitive data, such as data belonging to other users or any other data that the application itself is able to access. This issue was fixed in version 9.5.
CVE-2026-4834 2026-05-22 N/A 7.5 HIGH
The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2023-1765 1 Akbim 1 Panon 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akbim Computer Panon allows SQL Injection. This issue affects Panon: before 1.0.2.
CVE-2023-1723 1 Vegayazilim 1 Mobile Assistant 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veragroup Mobile Assistant allows SQL Injection. This issue affects Mobile Assistant: before 21.S.2343.
CVE-2023-2852 1 Softmedyazilim 1 Selfpatron 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Softmed SelfPatron allows SQL Injection. This issue affects SelfPatron: before 2.0.
CVE-2023-2851 1 Agtteknik 1 Ceppatron 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AGT Tech Ceppatron allows Command Line Execution through SQL Injection, SQL Injection. This issue affects all versions of the software, which was also EOS when the CVE ID was assigned.
CVE-2023-2750 1 Cityboss 1 E-municipality 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cityboss E-municipality allows SQL Injection. This issue affects E-municipality: before 6.05.
CVE-2023-2064 1 Minovateknoloji 1 Etrace 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Minova Technology eTrace allows SQL Injection. This issue affects eTrace: before 23.05.20.
CVE-2023-2046 1 Yontemizleme 1 Vehicle Tracking System 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yontem Informatics Vehicle Tracking System allows SQL Injection. This issue affects Vehicle Tracking System: before 8.
CVE-2023-2045 1 Ipekyolunet 1 Software Auto Damage Tracking Software 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ipekyolu Software Auto Damage Tracking Software allows SQL Injection. This issue affects Auto Damage Tracking Software: before 4.
CVE-2023-1873 1 Faturamatik 1 Bircard 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Faturamatik Bircard allows SQL Injection. This issue affects Bircard: before 23.04.05.
CVE-2023-1863 1 Eskom 1 El Terminali (su Okuma) Uygulamalarimiz 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eskom Water Metering Software allows Command Line Execution through SQL Injection. This issue affects Water Metering Software: before 23.04.06.
CVE-2023-2957 1 Lisayazilim 1 Florist Site 2026-05-22 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lisa Software Florist Site allows SQL Injection. This issue affects Florist Site: before 3.0.