Total: 19309 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-37337 | | | 2026-04-17 | N/A | 7.3 HIGH | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php. |
| CVE-2026-37345 | | | 2026-04-17 | N/A | 9.8 CRITICAL | SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php. |
| CVE-2026-37346 | | | 2026-04-17 | N/A | 4.7 MEDIUM | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=. |
| CVE-2026-37336 | | | 2026-04-17 | N/A | 7.3 HIGH | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php. |
| CVE-2026-37338 | | | 2026-04-17 | N/A | 9.4 CRITICAL | SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php. |
| CVE-2026-37347 | | | 2026-04-17 | N/A | 9.1 CRITICAL | SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_employee.php. |
| CVE-2019-25710 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2026-04-17 | N/A | 8.2 HIGH | Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. |
| CVE-2019-25713 | 1 Myt Project | 1 Myt | 2026-04-17 | N/A | 7.1 HIGH | MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data. |
| CVE-2026-22743 | 1 Vmware | 1 Spring Ai | 2026-04-16 | N/A | 7.5 HIGH | Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4. |
| CVE-2026-33614 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2026-04-16 | N/A | 7.5 HIGH | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. |
| CVE-2026-33615 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2026-04-16 | N/A | 9.1 CRITICAL | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability. |
| CVE-2026-33616 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2026-04-16 | N/A | 7.5 HIGH | An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. |
| CVE-2026-35184 | 1 Ecclesiacrm | 1 Ecclesiacrm | 2026-04-16 | N/A | 9.8 CRITICAL | EcclesiaCRM is CRM software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0. |
| CVE-2026-39318 | 1 Churchcrm | 1 Churchcrm | 2026-04-15 | N/A | 8.8 HIGH | ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled, and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables in the database. This vulnerability is fixed in 7.1.0. |
| CVE-2026-39341 | 1 Churchcrm | 1 Churchcrm | 2026-04-15 | N/A | 8.1 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to improper input validation. The endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input; specifically, the sanitised input is not the value used to build the SQL query. This vulnerability is fixed in 7.1.0. |
| CVE-2026-39356 | 1 Drizzle | 1 Drizzle | 2026-04-15 | N/A | 7.5 HIGH | Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier() or .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20. |
| CVE-2019-25575 | 1 Simplepresscms | 1 Simplepress Cms | 2026-04-15 | N/A | 8.2 HIGH | SimplePress CMS 1.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'p' and 's' parameters. Attackers can send GET requests with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. |
| CVE-2019-25576 | 1 Keplerwallpapers | 1 Kepler Wallpaper Script | 2026-04-15 | N/A | 8.2 HIGH | Kepler Wallpaper Script 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the category parameter. Attackers can send GET requests to the category endpoint with URL-encoded SQL UNION statements to extract database information including usernames, database names, and MySQL version details. |
| CVE-2019-25636 | 1 Zeeways | 1 Jobsite Cms | 2026-04-15 | N/A | 8.2 HIGH | Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Attackers can send crafted requests to news_details.php, jobs_details.php, or job_cmp_details.php with malicious 'id' values using GROUP BY and CASE statements to extract sensitive database information. |
| CVE-2019-25635 | 1 Zeeways | 1 Matrimony Cms | 2026-04-15 | N/A | 8.2 HIGH | Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques. |
