Total
18287 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1590 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2021-47811 | 1 Grocerycrud | 1 Grocery Crud | 2026-02-02 | N/A | 9.1 CRITICAL |
| Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | |||||
| CVE-2025-41375 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint. | |||||
| CVE-2024-6933 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component. | |||||
| CVE-2025-13001 | 1 Kieranoshea | 1 Donations | 2026-01-30 | N/A | 4.1 MEDIUM |
| The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks | |||||
| CVE-2025-13000 | 1 Jimbob1953 | 1 Db-access | 2026-01-30 | N/A | 7.7 HIGH |
| The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks | |||||
| CVE-2022-3689 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 7.2 HIGH |
| The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users | |||||
| CVE-2025-67261 | 1 Abacre | 1 Retail Point Of Sale | 2026-01-30 | N/A | 6.5 MEDIUM |
| Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | |||||
| CVE-2026-23723 | 1 Wegia | 1 Wegia | 2026-01-30 | N/A | 7.2 HIGH |
| WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | |||||
| CVE-2023-26813 | 1 Wang.market | 1 Wangmarket | 2026-01-30 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do. | |||||
| CVE-2025-54946 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary SQL commands. | |||||
| CVE-2020-36945 | 2026-01-29 | N/A | 8.2 HIGH | ||
| WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel. | |||||
| CVE-2025-65091 | 1 Xwiki | 1 Full Calendar Macro | 2026-01-29 | N/A | 10.0 CRITICAL |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | |||||
| CVE-2025-1708 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-01-29 | N/A | 8.6 HIGH |
| The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content. | |||||
| CVE-2021-47902 | 2026-01-29 | N/A | 8.2 HIGH | ||
| Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. | |||||
| CVE-2026-0702 | 2026-01-29 | N/A | 7.5 HIGH | ||
| The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2020-36951 | 2026-01-29 | N/A | 8.2 HIGH | ||
| Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. | |||||
| CVE-2020-36999 | 2026-01-29 | N/A | 8.2 HIGH | ||
| Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system. | |||||
| CVE-2020-37005 | 2026-01-29 | N/A | 7.1 HIGH | ||
| TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences. | |||||
| CVE-2020-37006 | 2026-01-29 | N/A | 8.2 HIGH | ||
| berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. | |||||