PT-2026-28714

Name of the Vulnerable Software and Affected Versions Sinaptik AI PandasAI versions up to 0.1.4 Description A SQL injection issue exists in the pandasai-lancedb Extension within Sinaptik AI PandasAI. The issue is located in the file extensions/ee/vectorstores/lancedb/pandasai lancedb/lancedb.py a...

PT-2026-28732

Name of the Vulnerable Software and Affected Versions Simple Food Order System version 1.0 Description A flaw exists in Simple Food Order System 1.0 related to the handling of parameters. Specifically, manipulating the Name argument can lead to SQL injection. This issue affects an unknown functio...

CVE-2026-33991

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file html/socio/sistema/deletartag.php uses extract$REQUEST on line 14 and directly concatenates the $idtag variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches t...

CVE-2026-33504

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens ar...

CVE-2026-33503

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...

penetration-testing-reports

penetration-testing-reports A collection of penetration testin...

CVE-2026-33991 WeGIA has SQL Injection in deletar_tag.php

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file html/socio/sistema/deletartag.php uses extract$REQUEST on line 14 and directly concatenates the $idtag variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches t...

CVE-2026-33991

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file html/socio/sistema/deletartag.php uses extract$REQUEST on line 14 and directly concatenates the $idtag variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches t...

CVE-2026-33991 WeGIA has SQL Injection in deletar_tag.php

WeGIA is a web manager for charitable institutions. Prior to version 3.6.7, the file html/socio/sistema/deletartag.php uses extract$REQUEST on line 14 and directly concatenates the $idtag variable into SQL queries on lines 16-17 without prepared statements or sanitization. Version 3.6.7 patches t...

EUVD-2026-16762

A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file deletephotos.php of the component Endpoint. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been release...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the MDM bootstrap package configuration. An attacker can modify arbitrary team configurations, exfiltrate sensitive data from the database, and inject arbitrary content into team configurations by sending crafted API...

CVE-2026-34385

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

CVE-2026-34374

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...

EUVD-2026-16738

A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/modroom/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and m...

EUVD-2026-16678

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file specifically the savecategory action. The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious S...

EUVD-2026-16680

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/viewproduct.php file via the "id" parameter...

CVE-2026-34386

Fleet is open source device management software. Before 4.81.0, a SQL injection vulnerability in Fleet’s MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet da...

CVE-2026-34386 Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVE-2026-34386 Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...