Security Bulletin: CockroachDB PostgreSQL for IBM VPC is vulnerable to SQL injection when executing special statements (CVE-2026-9837)

Summary CockroachDB PostgreSQL for IBM VPC is vulnerable to SQL injection when executing special statements CVE-2026-9837 Vulnerability Details CVEID:CVE-2026-9837 DESCRIPTION: CockroachDB PostgreSQL for IBM VPC is vulnerable to SQL injection when executing special statements. CWE:CWE-89: Imprope...

WordPress MasterStudy LMS Pro plugin <= 4.8.20 - Authenticated (Instructor+) SQL Injection vulnerability

Authenticated Instructor+ SQL Injection vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin MasterStudy LMS Pro versions = 4.8.20...

Security Bulletin: IBM Verify Antenna is affected by multiple vulnerabilities (CVE-2026-33815, CVE-2026-33816, CVE-2026-41889)

Summary IBM Verify Antenna has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2026-41889 DESCRIPTION: pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string...

CVE-2025-15655

The CVE-2025-15655 entry pertains to a SQL Injection in the WordPress School Management plugin (

CVE-2025-15655

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Mojoomla School Management allows SQL Injection. This issue affects School Management: from n/a through 93.2.0...

WordPress Geo Mashup plugin <= 1.13.19 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Baikuya in WordPress Plugin Geo Mashup versions = 1.13.19...

E-Learning System 1.0 - SQL Injection

E-Learning System 1.0 contains an unauthenticated SQL injection caused by unsanitized input, letting remote attackers execute arbitrary code on the server and gain a reverse shell, exploit requires no authentication. id: CVE-2021-3239 info: name: E-Learning System 1.0 - SQL Injection author:...

Ghost CMS Content API - SQL Injection

Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload. id: CVE-2026-26980 info: name: Ghost CMS Content API - SQL Injection author:...

Jeecg-boot 3.5.0 qurestSql - SQL Injection

A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. id: CVE-2023-1454 info: name: Jeecg-boot 3.5...

PrestaShop SmartBlog <4.0.6 - SQL Injection

PrestaShop SmartBlog by SmartDataSoft 4.0.6 is vulnerable to a SQL injection vulnerability in the blog archive functionality. id: CVE-2021-37538 info: name: PrestaShop SmartBlog 4.0.6 - SQL Injection author: whoever severity: critical description: PrestaShop SmartBlog by SmartDataSoft 4.0.6 is...

MOVEit Transfer - SQL Injection

In Progress MOVEit Transfer before 2020.1.11 12.1.11, 2021.0.9 13.0.9, 2021.1.7 13.1.7, 2022.0.7 14.0.7, 2022.1.8 14.1.8, and 2023.0.4 15.0.4, a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized...

WordPress Master Elements <=8.0 - SQL Injection

WordPress Master Elements plugin through 8.0 contains a SQL injection vulnerability. The plugin does not validate and escape the metaids parameter of its removepostmetacondition AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker...

Web Directory Free < 1.7.0 - SQL Injection

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based. id: CVE-2024-3552 info: name: Web Directory Free 1.7.0 - SQL...

Wordpress Country State City Dropdown <=2.7.2 - SQL Injection

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes i...

JeecgBoot v3.7.1 - SQL Injection

The JeecgBoot application is vulnerable to SQL Injection via the getTotalData endpoint. An attacker can exploit this vulnerability to extract sensitive information from the database by injecting SQL commands. id: CVE-2024-48307 info: name: JeecgBoot v3.7.1 - SQL Injection author: lbb,s4e-io...

CVE-2026-10704 SourceCodester Pizzafy E-Commerce System Administrative Control Panel admin_class_novo.php login sql injection

A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/adminclassnovo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack ca...

CVE-2026-10704

CVE-2026-10704 affects SourceCodester Pizzafy E-Commerce System 1.0. The vulnerability is in the Login function of /admin/admin_class_novo.php, where manipulating the Username parameter yields a SQL injection. The issue can be exploited remotely and the exploit is public. CVSS details indicate a ...

PT-2026-45898

Name of the Vulnerable Software and Affected Versions SourceCodester Pizzafy E-Commerce System version 1.0 Description An SQL injection issue exists in the Administrative Control Panel component. The Login function within the /admin/admin class novo.php file is susceptible to remote attacks throu...

CVE-2026-10286

A vulnerability was found in CodeAstro Payroll System 1.0. This affects an unknown part of the file /homeemployee.php. The manipulation of the argument empid results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used...

CVE-2026-8726

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin ...