216351 matches found
SQL Injection
Overview @saltcorn/mobile-app is a Saltcorn mobile app for Android and iOS Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database contents,...
GHSA-JP74-MFRX-3QVH Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Summary A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and...
SQL Injection
Overview @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...
CVE-2026-40901
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializ...
CVE-2026-40900
DataEase prior to 2.10.21 contains an SQL injection in the /de2api/datasetData/previewSql endpoint. User-supplied SQL is wrapped in a subquery without validating that the input is a single SELECT. Coupled with a JDBC blocklist bypass enabling allowMultiQueries=true, an attacker can break out of t...
CVE-2026-40900 DataEase has SQL Injection via Stacked Queries
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement...
CVE-2026-33207
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query string...
CVE-2026-33122
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from th...
EUVD-2026-23291
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query string...
CVE-2026-33122 DataEase has SQL Injection via Datasource Management
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from th...
CVE-2026-33122
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from th...
CVE-2026-33122 DataEase has SQL Injection via Datasource Management
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from th...
CVE-2026-33122
CVE-2026-33122 concerns DataEase, an open‑source data visualization/analytics platform. Versions 2.10.20 and below are affected by a SQL injection in the API datasource update flow: during a datasource update, the deTableName field is passed to DatasourceSyncManage.createEngineTable and concatena...
CVE-2026-6148
A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Performing a manipulation of the argument BRANCHID results in sql injection. The attack is possibl...
CVE-2026-33121
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple strin...
Exploit for CVE-2026-37749
CVE-2026-37749 CVE-2026-37749 — CodeAstro Simple Attendance...
CVE-2026-33083
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLOb...
EUVD-2026-23286
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple strin...
CVE-2026-33121 DataEase has SQL Injection via Datasource Save Flow
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple strin...
CVE-2026-33121 DataEase has SQL Injection via Datasource Save Flow
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple strin...