Total
18159 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59920 | 2026-02-18 | N/A | N/A | ||
| When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database. | |||||
| CVE-2025-70311 | 1 Huayi-tec | 1 Jeewms | 2026-02-18 | N/A | 6.5 MEDIUM |
| JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. | |||||
| CVE-2024-6308 | 1 Clive 21 | 1 Simple Online Hotel Reservation System | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in itsourcecode Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file index.php. The manipulation of the argument username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269620. | |||||
| CVE-2025-69213 | 1 Devcode | 1 Openstamanager | 2026-02-18 | N/A | 8.8 HIGH |
| OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists. | |||||
| CVE-2025-69215 | 1 Devcode | 1 Openstamanager | 2026-02-18 | N/A | 8.8 HIGH |
| OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists. | |||||
| CVE-2020-36645 | 1 Squareup | 1 Squalor | 2026-02-18 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in square squalor. This affects an unknown part. The manipulation leads to sql injection. Upgrading to version v0.0.0 is able to address this issue. The patch is named f6f0a47cc344711042eb0970cb423e6950ba3f93. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217623. | |||||
| CVE-2026-1701 | 1 Itsourcecode | 1 School Management System | 2026-02-18 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in itsourcecode School Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Due to contradicting product definitions in the original disclosure, this CVE was initially incorrectly assigned to the Student Management System. | |||||
| CVE-2026-21643 | 1 Fortinet | 1 Forticlientems | 2026-02-17 | N/A | 9.8 CRITICAL |
| An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |||||
| CVE-2026-2058 | 1 Vishalmathur | 1 Cloudclassroom-php-project | 2026-02-17 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-62192 | 1 Groupsession | 1 Groupsession | 2026-02-17 | N/A | 5.4 MEDIUM |
| SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user. | |||||
| CVE-2026-24854 | 1 Churchcrm | 1 Churchcrm | 2026-02-17 | N/A | 8.8 HIGH |
| ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. | |||||
| CVE-2023-1211 | 1 Phpipam | 1 Phpipam | 2026-02-16 | N/A | 7.2 HIGH |
| SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2. | |||||
| CVE-2025-59213 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2026-02-13 | N/A | 8.8 HIGH |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges over an adjacent network. | |||||
| CVE-2024-51962 | 1 Esri | 1 Arcgis Server | 2026-02-13 | N/A | 8.7 HIGH |
| A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability. | |||||
| CVE-2026-1688 | 1 Clive 21 | 1 Directory Management System | 2026-02-13 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2020-37053 | 1 Naviwebs | 1 Navigate Cms | 2026-02-13 | N/A | 7.1 HIGH |
| Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | |||||
| CVE-2019-25335 | 2026-02-13 | N/A | 7.5 HIGH | ||
| PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface. | |||||
| CVE-2019-25325 | 2026-02-13 | N/A | 8.2 HIGH | ||
| Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application. | |||||
| CVE-2019-25320 | 2026-02-13 | N/A | 6.5 MEDIUM | ||
| E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain unauthorized access to the system. | |||||
| CVE-2025-59473 | 1 Expressionengine | 1 Expressionengine | 2026-02-13 | N/A | 7.2 HIGH |
| SQL Injection vulnerability in the Structure for Admin authenticated user | |||||