9896 matches found
CVE-2026-57772
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Inventory WP Inventory Manager wp-inventory-manager allows Blind SQL Injection.This issue affects WP Inventory Manager: from n/a through = 2.4.0...
CVE-2026-57739
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Blind SQL Injection.This issue affects AcyMailing SMTP Newsletter: from n/a through = 10.11.0...
EUVD-2026-43293
The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes...
CVE-2026-57773
The CVE-2026-57773 entry covers a SQL Injection vulnerability in the WordPress plugin “WooCommerce Advanced Shipment Tracking” (woo-advanced-shipment-tracking) up to version 4.0. The issue is described as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) that l...
CVE-2026-57714 WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in LatePoint LatePoint latepoint allows Blind SQL Injection.This issue affects LatePoint: from n/a through = 5.6.3...
CVE-2026-57385
Vulnerable software: WordPress Vitepos plugin (vitepos-lite) up to version 3.4.2. Root cause: improper neutralization of special elements in SQL commands enabling blind SQL injection. Impact: high (CVSS v3.1 base 8.5) with network-based attack, low complexity, low privileges, no user interaction;...
CVE-2026-12582
The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes...
Mitel MiCollab <= 9.8.0.33 - SQL Injection
A vulnerability in NuPoint Messenger NPM of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary...
WCAPF WooCommerce Ajax Product Filter - SQL Injection
WCAPF WooCommerce Ajax Product Filter = 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter ...
ChanCMS <= 3.3.0 - SQL Injection
yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the "key" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request. id: CVE-2025-10210 info: name: ChanCMS = 3.3.0 - SQL...
EUVD-2026-43265
A weakness has been identified in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/dashboard.php. This manipulation of the argument Name causes sql injection. The attack can be initiated remotely. The...
CVE-2026-15517
CVE-2026-15517 affects Jinher OA 1.0. The vulnerability resides in an unknown function within the file /C6/JHSoft.Web.PlanSummarize/PlanGiveOut.aspx, where manipulation of the httpOID argument enables a SQL injection. Remote exploitation is possible, and an exploit has been published. The vendor ...
CVE-2026-15490
CVE-2026-15490 concerns RafyMrX TOKO-ONLINE-ROTI: SQL injection in the unknown functionality of the file pros es/add.php, via manipulation of the arguments kode_produk/kd_cs. The issue is exploitable remotely with no authentication (attack vector: NETWORK; complexity: LOW). Evidence indicates imp...
CVE-2026-15489
The CVE-2026-15489 entry describes a SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) via an input in the file proses/login.php where the Username argument is manipulated. The vulnerability is exploitable remotely, with a publicly available exploit...
CVE-2026-15477
A vulnerability was detected in Bahmni bahmnicore up to 0.93. This affects the function additionalParams of the file /openmrs/ws/rest/v1/bahmnicore/sql of the component Search Endpoint. Performing a manipulation of the argument test results in sql injection. The attack can be initiated remotely...
CVE-2026-15478
IceHRM
EUVD-2026-43200
A flaw has been found in IceHRM up to 35.0.1. This impacts an unknown function of the file core/src/Reports/User/Reports/EmployeeAttendanceReport.php of the component UserReport Endpoint. Executing a manipulation of the argument employeeList can lead to sql injection. The attack can be launched...
CVE-2026-15478 IceHRM UserReport Endpoint EmployeeAttendanceReport.php sql injection
A flaw has been found in IceHRM up to 35.0.1. This impacts an unknown function of the file core/src/Reports/User/Reports/EmployeeAttendanceReport.php of the component UserReport Endpoint. Executing a manipulation of the argument employeeList can lead to sql injection. The attack can be launched...
EUVD-2026-43157
The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck method...
CVE-2026-15335
The Booking Package WordPress plugin is vulnerable up to version 1.7.20 due to insufficient escaping on the email parameter in the REST endpoint /wp-json/booking-package/v1/request, allowing unauthenticated SQL injection. Root cause: user-supplied email input reaches the SQL sink without proper e...