CVE-2026-9082

CVE-2026-9082 – Drupal Core PostgreSQL SQL Injection is a highly critical, unauthenticated SQLi in Drupal’s core database abstraction API. The flaw exists in the PostgreSQL-specific Entity Query Condition handling: the translateCondition() uses attacker-controlled JSON:API filter array keys to bu...

CVE-2026-9082 Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0...

EUVD-2026-31153

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0...

CVE-2026-9082

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0...

DRUPAL-CORE-2026-004

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL...

CVE-2026-44923

SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges...

SQL Injection

Overview symfony/cache is a cache component provides an extended PSR-6 implementation for adding cache to your applications. Affected versions of this package are vulnerable to SQL Injection via PdoAdapter::doClear method. An attacker can influence SQL query to expand deletion scope or perform...

SQL Injection

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to SQL Injection via PdoAdapter::doClear method. An attacker can influence SQL query to expand deletion scope or perform arbitrary actions by...

CVE-2026-42383

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0...

WordPress PowerPress Podcasting plugin <= 11.15.10 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Phat RiO in WordPress Plugin PowerPress Podcasting versions = 11.15.10...

CVE-2026-9059

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function 'cleancolumn' in the data mapper layer that uses a...

CVE-2026-9065

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters 'modelname', 'modelid', 'integrationid', 'provider' on the REST API endpoint '/surecart/v1/integrations/id'. The root cause is a flawed escaping bypass in the query builder 'wp-query-builder'...

CVE-2026-9065 Surecart - SQL Injection

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters 'modelname', 'modelid', 'integrationid', 'provider' on the REST API endpoint '/surecart/v1/integrations/id'. The root cause is a flawed escaping bypass in the query builder 'wp-query-builder'...

CVE-2026-9065

SureCart

CVE-2026-9059

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function 'cleancolumn' in the data mapper layer that uses a...

CVE-2026-9059 NextGEN Gallery - SQL Injection

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function 'cleancolumn' in the data mapper layer that uses a...

Astra Linux - уязвимость в pgbouncer

When PgBouncer is configured to use “cert” authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1...

Astra Linux - уязвимость в libpgjava

pgjdbc, the PostgreSQL JDBC Driver, allows attackers to inject SQL statements if the PreferQueryMode=SIMPLE setting is used. Note that this is not the default setting. In the default mode, there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus sign...

Astra Linux – Vulnerability in Python-Django

A issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. Methods like QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are vulnerable to SQL injection when column aliases are used, especially when a properly crafted dictionary is passed...

Astra Linux - уязвимость в php7.3, php8.1

In PHP versions 8.0. before 8.0.27, 8.1. before 8.1.15, and 8.2. before 8.2.2, when using the PDO::quote function to quote user-supplied data for SQLite, providing an overly long string may cause the driver to incorrectly quote the data. This can further lead to SQL injection vulnerabilities...