Total: 19309 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-64459 | 1 Djangoproject | 1 Django | 2026-06-17 | N/A | 9.1 CRITICAL | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue. |
| CVE-2025-64371 | | | 2026-06-17 | N/A | 8.5 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.6. |
| CVE-2025-64366 | | | 2026-06-17 | N/A | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through <= 3.6.27. |
| CVE-2025-64293 | | | 2026-06-17 | N/A | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Golemiq 0 Day Analytics 0-day-analytics allows SQL Injection. This issue affects 0 Day Analytics: from n/a through <= 4.0.0. |
| CVE-2025-64280 | 1 Centralsquare | 1 Community Development | 2026-06-17 | N/A | 9.8 CRITICAL | A SQL Injection Vulnerability in CentralSquare Community Development 19.5.7 allows attackers to inject SQL via the permit_no field. |
| CVE-2025-64156 | 1 Fortinet | 1 Fortivoice | 2026-06-17 | N/A | 7.2 HIGH | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests. |
| CVE-2025-64114 | 1 Oxygenz | 1 Clipbucket | 2026-06-17 | N/A | 6.5 MEDIUM | ClipBucket v5 is an open source video sharing platform. Versions 5.5.2 - #151 and below allow authenticated administrators with plugin management privileges to execute arbitrary SQL commands against the database through its ClipBucket Custom Fields plugin. The vulnerabilities require the Custom Fields plugin to be installed and accessible, and can only be exploited by users with administrative access to the plugin interface. This issue is fixed in version 5.5.2 - #. |
| CVE-2025-64104 | | | 2026-06-17 | N/A | 7.3 HIGH | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11. |
| CVE-2025-64092 | 1 Zenitel | 4 Icx500, Icx500 Firmware, Icx510 and 1 more | 2026-06-17 | N/A | 7.5 HIGH | This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. |
| CVE-2025-64084 | 1 Magicbug | 1 Cloudlog | 2026-06-17 | N/A | 5.4 MEDIUM | An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authenticated attacker to execute arbitrary SQL commands by injecting a malicious payload, which is then concatenated directly into a raw SQL query in the vucc_qso_details function. |
| CVE-2025-64081 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-06-17 | N/A | 9.8 CRITICAL | SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter. |
| CVE-2025-63948 | 1 Craigtaub | 1 Phpmsadmin | 2026-06-17 | N/A | 5.4 MEDIUM | A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information disclosure or database manipulation. |
| CVE-2025-63878 | 1 Hackerwhale | 1 Restaurant Website Restoran | 2026-06-17 | N/A | 6.5 MEDIUM | Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page. |
| CVE-2025-63742 | 1 Rockoa | 1 Rockoa | 2026-06-17 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allows attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the shouji and userid parameters. |
| CVE-2025-63740 | 1 Rockoa | 1 Rockoa | 2026-06-17 | N/A | 4.3 MEDIUM | SQL Injection vulnerability in function getselectdataAjax in file inputAction.php in Xinhu Rainrock RockOA 2.7.0 allows attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the actstr parameter. |
| CVE-2025-63724 | 1 Radioinorr | 1 Svx Portal | 2026-06-17 | N/A | 6.0 MEDIUM | SQL injection (SQLi) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. |
| CVE-2025-63719 | 1 Campcodes | 1 Online Hospital Management System | 2026-06-17 | N/A | 7.3 HIGH | Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection in /admin/index.php via the parameter username. |
| CVE-2025-63718 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-06-17 | N/A | 6.5 MEDIUM | A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary SQL commands. |
| CVE-2025-63694 | 1 Dzzoffice | 1 Dzzoffice | 2026-06-17 | N/A | 9.8 CRITICAL | DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. |
| CVE-2025-63689 | 1 Ycf1998 | 1 Money-pos | 2026-06-17 | N/A | 10.0 CRITICAL | Multiple SQL injection vulnerabilities in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter. |
