Total
19306 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3792 | 1 Gullseye | 1 Gullseye Terminal Operating System | 2026-05-20 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GullsEye GullsEye terminal operating system allows SQL Injection. This issue affects GullsEye terminal operating system: from unspecified before 5.0.13. | |||||
| CVE-2022-3760 | 1 Miateknoloji | 1 Mia-med | 2026-05-20 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mia Technology Mia-Med. This issue affects Mia-Med: before 1.0.0.58. | |||||
| CVE-2022-2807 | 1 Algan | 1 Prens Student Information System | 2026-05-20 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection. This issue affects Prens Student Information System: before 2.1.11. | |||||
| CVE-2022-2504 | 1 Sdd-baro Project | 1 Sdd-baro | 2026-05-20 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432. | |||||
| CVE-2022-2315 | 1 Databank | 1 Accreditation Tracking\/presentation Module | 2026-05-20 | N/A | 9.4 CRITICAL |
| Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2. | |||||
| CVE-2022-2177 | 1 Kayrasoft | 1 Kayrasoft | 2026-05-20 | N/A | 9.4 CRITICAL |
| Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2. | |||||
| CVE-2022-1277 | 1 Inavitas | 1 Solar Log | 2026-05-20 | N/A | 9.4 CRITICAL |
| Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability. | |||||
| CVE-2022-0495 | 1 Parantezteknoloji | 1 Koha Library Automation | 2026-05-20 | N/A | 9.4 CRITICAL |
| The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01. | |||||
| CVE-2026-8724 | 1 Dataease | 1 Dataease | 2026-05-19 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in Dataease 2.10.20. Impacted is the function SqlparserUtils.transFilter of the file SqlparserUtils.java of the component Data Dashboard. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | |||||
| CVE-2026-6887 | 2026-05-19 | N/A | 9.8 CRITICAL | ||
| Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | |||||
| CVE-2026-3325 | 2026-05-19 | N/A | N/A | ||
| SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries. | |||||
| CVE-2025-41008 | 2026-05-19 | N/A | N/A | ||
| SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. | |||||
| CVE-2025-41029 | 2026-05-19 | N/A | N/A | ||
| SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'. | |||||
| CVE-2026-4317 | 2026-05-19 | N/A | N/A | ||
| SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions. | |||||
| CVE-2025-41007 | 2026-05-19 | N/A | N/A | ||
| SQL Injection in Cuantis. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'search' parameter in the '/search.php' endpoint. | |||||
| CVE-2026-2584 | 2026-05-19 | N/A | N/A | ||
| A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L). | |||||
| CVE-2026-8851 | 2026-05-19 | N/A | 8.1 HIGH | ||
| SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel. | |||||
| CVE-2026-8726 | 2026-05-19 | N/A | N/A | ||
| The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled. | |||||
| CVE-2026-8827 | 2026-05-19 | N/A | N/A | ||
| The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection. | |||||
| CVE-2026-8912 | 2026-05-19 | N/A | 7.5 HIGH | ||
| The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||