Total
18185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62192 | 1 Groupsession | 1 Groupsession | 2026-02-17 | N/A | 5.4 MEDIUM |
| SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user. | |||||
| CVE-2026-24854 | 1 Churchcrm | 1 Churchcrm | 2026-02-17 | N/A | 8.8 HIGH |
| ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. | |||||
| CVE-2023-1211 | 1 Phpipam | 1 Phpipam | 2026-02-16 | N/A | 7.2 HIGH |
| SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2. | |||||
| CVE-2025-59213 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2026-02-13 | N/A | 8.8 HIGH |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges over an adjacent network. | |||||
| CVE-2024-51962 | 1 Esri | 1 Arcgis Server | 2026-02-13 | N/A | 8.7 HIGH |
| A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability. | |||||
| CVE-2026-1688 | 1 Clive 21 | 1 Directory Management System | 2026-02-13 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2020-37053 | 1 Naviwebs | 1 Navigate Cms | 2026-02-13 | N/A | 7.1 HIGH |
| Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | |||||
| CVE-2019-25335 | 2026-02-13 | N/A | 7.5 HIGH | ||
| PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface. | |||||
| CVE-2019-25325 | 2026-02-13 | N/A | 8.2 HIGH | ||
| Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application. | |||||
| CVE-2019-25320 | 2026-02-13 | N/A | 6.5 MEDIUM | ||
| E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain unauthorized access to the system. | |||||
| CVE-2025-59473 | 1 Expressionengine | 1 Expressionengine | 2026-02-13 | N/A | 7.2 HIGH |
| SQL Injection vulnerability in the Structure for Admin authenticated user | |||||
| CVE-2024-43468 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2026-02-13 | N/A | 9.8 CRITICAL |
| Microsoft Configuration Manager Remote Code Execution Vulnerability | |||||
| CVE-2025-13379 | 1 Ibm | 1 Aspera Console | 2026-02-12 | N/A | 8.6 HIGH |
| IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | |||||
| CVE-2020-37112 | 1 Gunet | 1 Open Eclass Platform | 2026-02-12 | N/A | 7.1 HIGH |
| GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. | |||||
| CVE-2025-64092 | 1 Zenitel | 4 Icx500, Icx500 Firmware, Icx510 and 1 more | 2026-02-12 | N/A | 7.5 HIGH |
| This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. | |||||
| CVE-2025-10878 | 1 Omran | 1 Fikir Odalari Adminpando | 2026-02-12 | N/A | 10.0 CRITICAL |
| A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation). | |||||
| CVE-2026-2073 | 1 Itsourcecode | 1 School Management System | 2026-02-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-2083 | 1 Code-projects | 1 Social Networking Site | 2026-02-12 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-2059 | 1 Bontrofftech | 1 Medical Center Portal Management System | 2026-02-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-1602 | 1 Ivanti | 1 Endpoint Manager | 2026-02-12 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||||