Total
18330 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1176 | 1 Itsourcecode | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2020-36947 | 1 Librenms | 1 Librenms | 2026-02-02 | N/A | 7.1 HIGH |
| LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. | |||||
| CVE-2026-1545 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1551 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1589 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-1590 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2021-47811 | 1 Grocerycrud | 1 Grocery Crud | 2026-02-02 | N/A | 9.1 CRITICAL |
| Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | |||||
| CVE-2025-41375 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint. | |||||
| CVE-2024-6933 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component. | |||||
| CVE-2025-13001 | 1 Kieranoshea | 1 Donations | 2026-01-30 | N/A | 4.1 MEDIUM |
| The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks | |||||
| CVE-2025-13000 | 1 Jimbob1953 | 1 Db-access | 2026-01-30 | N/A | 7.7 HIGH |
| The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks | |||||
| CVE-2022-3689 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 7.2 HIGH |
| The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users | |||||
| CVE-2025-67261 | 1 Abacre | 1 Retail Point Of Sale | 2026-01-30 | N/A | 6.5 MEDIUM |
| Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | |||||
| CVE-2026-23723 | 1 Wegia | 1 Wegia | 2026-01-30 | N/A | 7.2 HIGH |
| WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | |||||
| CVE-2023-26813 | 1 Wang.market | 1 Wangmarket | 2026-01-30 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do. | |||||
| CVE-2025-54946 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary SQL commands. | |||||
| CVE-2020-36945 | 2026-01-29 | N/A | 8.2 HIGH | ||
| WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel. | |||||
| CVE-2025-65091 | 1 Xwiki | 1 Full Calendar Macro | 2026-01-29 | N/A | 10.0 CRITICAL |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | |||||
| CVE-2025-1708 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-01-29 | N/A | 8.6 HIGH |
| The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content. | |||||
| CVE-2021-47902 | 2026-01-29 | N/A | 8.2 HIGH | ||
| Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. | |||||