Lucene search
+L

5 matches found

cve
cve
added 2026/05/25 7:6 p.m.270 views

CVE-2026-48842

The CVE affects Roundcube Webmail 1.6.x ≤1.6.15 and 1.7.x ≤1.7.0, via the virtuser_query plugin, where a pre-authentication SQL injection is triggered by a backslash-escaped preg_replace() bypass. Root cause: input crafted to bypass escapes leads to SQL injection before authentication. Impact is ...

8.1CVSS5.8AI score0.00764EPSS
Exploits0References6
vulnrichment
vulnrichment
added 2026/03/26 5:1 p.m.2 views

CVE-2026-33442 Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash...

8.1CVSS5.9AI score0.00442EPSS
Exploits1References1
cve
cve
added 2026/03/26 5:1 p.m.18 views

CVE-2026-33442

CVE-2026-33442 affects Kysely (TypeScript SQL query builder). In versions 0.28.12 and 0.28.13, the sanitizer for string literals only escapes single quotes, not backslashes, which under MySQL with BACKSLASH_ESCAPES can allow bypassing escaping in JSON path keys. This enables SQL injection via the...

8.1CVSS5.9AI score0.00442EPSS
Exploits1References1Affected Software1
cvelist
cvelist
added 2026/03/23 1:53 p.m.26 views

CVE-2026-33352 AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)

WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters strreplace"'", '', ..., but...

9.8CVSS0.00431EPSS
Exploits1References2
osv
osv
added 2026/03/23 1:53 p.m.6 views

CVE-2026-33352 AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)

WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters strreplace"'", '', ..., but...

9.8CVSS5.9AI score0.00431EPSS
Exploits1References4
Rows per page
Query Builder