Total
18150 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2912 | 1 Fabian | 1 Online Reviewer System | 2026-02-23 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/students/assessments/results/studentresult-view.php. The manipulation of the argument test_id results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | |||||
| CVE-2019-25431 | 2026-02-23 | N/A | 8.2 HIGH | ||
| delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through POST requests to extract sensitive data using boolean-based blind and time-based blind techniques, or write files to the server using INTO OUTFILE statements. | |||||
| CVE-2019-25432 | 2026-02-23 | N/A | 7.5 HIGH | ||
| Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. Attackers can submit a single quote followed by 'or' in the login form to bypass credential validation and gain unauthorized access to the application. | |||||
| CVE-2019-25443 | 2026-02-23 | N/A | 8.2 HIGH | ||
| Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands. | |||||
| CVE-2026-1367 | 2026-02-23 | N/A | 8.3 HIGH | ||
| Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option. | |||||
| CVE-2019-25391 | 2026-02-23 | N/A | 8.2 HIGH | ||
| Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information. | |||||
| CVE-2026-24494 | 2026-02-23 | N/A | 9.8 CRITICAL | ||
| SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request. | |||||
| CVE-2019-25439 | 2026-02-23 | N/A | 8.2 HIGH | ||
| NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service. | |||||
| CVE-2019-25440 | 2026-02-23 | N/A | 8.2 HIGH | ||
| WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database information. | |||||
| CVE-2019-25433 | 2026-02-23 | N/A | 8.2 HIGH | ||
| XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract sensitive database information. | |||||
| CVE-2019-25446 | 2026-02-23 | N/A | 8.2 HIGH | ||
| DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information. | |||||
| CVE-2026-2963 | 2026-02-23 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-41002 | 2026-02-23 | N/A | N/A | ||
| SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'. | |||||
| CVE-2019-25366 | 2026-02-23 | N/A | 8.2 HIGH | ||
| microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name. | |||||
| CVE-2019-25462 | 2026-02-23 | N/A | 8.2 HIGH | ||
| Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. Attackers can send GET requests to with malicious 'klima' values to extract sensitive database information or cause denial of service. | |||||
| CVE-2026-25993 | 1 Evershop | 1 Evershop | 2026-02-23 | N/A | 9.8 CRITICAL |
| EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1. | |||||
| CVE-2026-25947 | 1 Worklenz | 1 Worklenz | 2026-02-23 | N/A | 8.8 HIGH |
| Worklenz is a project management tool. Prior to 2.1.7, there are multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features. The vulnerability has been patched in version v2.1.7. | |||||
| CVE-2025-70152 | 1 Fabian | 1 Scholars Tracking System | 2026-02-23 | N/A | 9.8 CRITICAL |
| code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/save_user.php and /admin/update_user.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters (firstname, lastname, username, password, user_id) into SQL queries without validation or parameterization. | |||||
| CVE-2024-55270 | 1 Phpgurukul | 1 Student Management System | 2026-02-23 | N/A | 8.8 HIGH |
| phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. | |||||
| CVE-2025-70149 | 1 Codeastro | 1 Membership Management System | 2026-02-23 | N/A | 9.8 CRITICAL |
| CodeAstro Membership Management System 1.0 is vulnerable to SQL Injection in print_membership_card.php via the ID parameter. | |||||