CVE-2026-39318

CVE-2026-39318 affects ChurchCRM prior to 7.1.0, where the GroupPropsFormRowOps.php file renders user-provided Field input directly into SQL queries. The underlying issue is improper sanitization, and specifically that mysqli_real_escape_string() does not escape backtick characters, enabling an a...

CVE-2026-39318 ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqlirealescapestring function does not escape...

ALSA-2026:6391 Moderate: mysql:8.4 security update

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon mysqld and many client programs and libraries. Security Fixes: mysql: Optimizer unspecified vulnerability CPU Jan 2026 CVE-2026-21941 mysql: Optimizer unspecified vulnerability CPU Jan 2026...

MiracleLinux 9 : mysql-8.0.45-1.el9_7.ML.1 (AXSA:2026-353:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-353:01 advisory. mysql: Optimizer unspecified vulnerability CPU Jan 2026 CVE-2026-21941 mysql: Optimizer unspecified vulnerability CPU Jan 2026 CVE-2026-21948 mysql:...

CVE-2026-32611 Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix commit 39161f0 addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and psycopg.sql composable objects. However, the DuckDB export module...

CVE-2026-4234

A security flaw has been discovered in SSCMS 7.4.0. This vulnerability affects unknown code of the file SitesAddController.Submit.cs of the component DDL Handler. The manipulation of the argument tableHandWrite results in sql injection. The attack can be executed remotely. The exploit has been...

CVE-2026-4234 SSCMS DDL SitesAddController.Submit.cs sql injection

A security flaw has been discovered in SSCMS 7.4.0. This vulnerability affects unknown code of the file SitesAddController.Submit.cs of the component DDL Handler. The manipulation of the argument tableHandWrite results in sql injection. The attack can be executed remotely. The exploit has been...

PT-2026-25681

A security flaw has been discovered in SSCMS 7.4.0. This vulnerability affects unknown code of the file SitesAddController.Submit.cs of the component DDL Handler. The manipulation of the argument tableHandWrite results in sql injection. The attack can be executed remotely. The exploit has been...

BIT-MYSQL-CLIENT-2026-3494 MariaDB Server Audit Plugin Comment Handling Bypass

In MariaDB server version through 11.8.5, when server audit plugin is enabled with serverauditevents variable configured with QUERYDCL, QUERYDDL, or QUERYDML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen — or hash style comments, the statement is...

mysql: DDL unspecified vulnerability (CPU Jan 2026)

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DDL. Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access v...

PT-2026-24610

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server audit events variable configured with QUERY DCL, QUERY DDL, or QUERY DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen — or hash style comments, the stateme...

PT-2026-24609

In MariaDB server version through 11.8.5, when server audit plugin is enabled with server audit events variable configured with QUERY DCL, QUERY DDL, or QUERY DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen — or hash style comments, the stateme...

SUSE CVE-2026-3494

In MariaDB server version through 11.8.5, when server audit plugin is enabled with serverauditevents variable configured with QUERYDCL, QUERYDDL, or QUERYDML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen - or hash style comments, the statement is...

ALPINE-CVE-2026-3494

In MariaDB server version through 11.8.5, when server audit plugin is enabled with serverauditevents variable configured with QUERYDCL, QUERYDDL, or QUERYDML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen — or hash style comments, the statement is...

CVE-2026-3494

In MariaDB server version through 11.8.5, when server audit plugin is enabled with serverauditevents variable configured with QUERYDCL, QUERYDDL, or QUERYDML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen — or hash style comments, the statement is...

CVE-2026-3494

In MariaDB server version through 11.8.5, when server audit plugin is enabled with serverauditevents variable configured with QUERYDCL, QUERYDDL, or QUERYDML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen — or hash style comments, the statement is...

PT-2026-22790

Name of the Vulnerable Software and Affected Versions MariaDB versions through 11.8.5 Description When the server audit plugin is enabled with the server audit events variable configured with QUERY DCL, QUERY DDL, or QUERY DML filtering, SQL statements prefixed with double-hyphen — or hash style...

CVE-2026-21937

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DDL. Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access v...

MiracleLinux 9 : mysql-8.0.41-2.el9_5.ML.1 (AXSA:2025-9701:03)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-9701:03 advisory. openssl: SSLselectnextproto buffer overread CVE-2024-5535 krb5: GSS message token handling CVE-2024-37371 curl: libcurl: ASN.1 date parser overread...

MiracleLinux 9 : mysql-8.0.36-1.el9_3.ML.1 (AXSA:2024-7606:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7606:01 advisory. mysql: InnoDB unspecified vulnerability CPU Apr 2023 CVE-2023-21911 mysql: Server: DDL unspecified vulnerability CPU Apr 2023 CVE-2023-21919,...