701 matches found

Positive Technologies
added 2026/04/02 12:00 a.m.

PT-2026-29744

Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions prior to 2.10.2. Description: The OpenSTAManager software contains a flaw in the Aggiornamenti (Updates) module. This module includes a database conflict resolution feature that accepts a JSON array of SQL statements via PO...

CVSS 8.8, AI score 6.2, EPSS 0.00668
Exploits: 1, References: 9
Positive Technologies
added 2026/04/01 12:00 a.m.

PT-2026-29595

Name of the Vulnerable Software and Affected Versions: Payload versions prior to 3.79.1. Description: Payload, a headless content management system, had insufficient input validation in certain requests. This allowed attackers to manipulate SQL query execution, potentially leading to data exposure o...

CVSS 8.5, AI score 5.9, EPSS 0.00317
Exploits: 0, References: 7
ATTACKERKB
added 2026/03/23 6:39 p.m.

CVE-2026-33681

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or a...

CVSS 7.2, AI score 6, EPSS 0.00493
Exploits: 1, References: 3, Affected Software: 1
CVE
added 2026/03/21 3:30 p.m.

CVE-2019-25581

CVE-2019-25581 affects i-doit CMDB 1.12 and is an SQL injection vulnerability in the objGroupID parameter. An unauthenticated attacker can send crafted GET requests to inject SQL, potentially exfiltrating sensitive database information such as usernames, database names, and version details. The v...

CVSS 8.8, AI score 6.2, EPSS 0.00351
Exploits: 1, References: 4, Affected Software: 1
Github Security Blog
added 2026/03/16 8:44 p.m.

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Summary SiYuan Note v3.6.0 and likely prior versions contains an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database...

CVSS 9.8, AI score 6.3, EPSS 0.00541
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2026/03/16 8:44 p.m.

GHSA-J7WH-X834-P3R7 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Summary SiYuan Note v3.6.0 and likely prior versions contains an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database...

CVSS 9.8, AI score 6.3, EPSS 0.00541
Exploits: 1, References: 6
NVD
added 2026/03/16 2:19 p.m.

CVE-2026-32704

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

CVSS 6.5, EPSS 0.00246
Exploits: 1, References: 1
CVE
added 2026/03/16 12:27 p.m.

CVE-2025-52637

The CVE-2025-52637 family concerns HCL AION, an AI lifecycle management platform, where certain offering configurations may allow execution of potentially harmful SQL queries. The root cause described across connected sources is insufficient validation or restrictions on query execution, which co...

CVSS 7.3, AI score 6, EPSS 0.00225
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2026/03/13 9:10 p.m.

CVE-2026-32704 SiYuan renderSprig: missing admin check allows any user to read full workspace DB

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

CVSS 6.5, AI score 6.1, EPSS 0.00246
Exploits: 1, References: 1
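Both SiYuan findings listed above (fullTextSearchBlock with method set to 2, and renderSprig without model.CheckAdminRole) describe a raw-SQL feature reachable without an authorization check, not an injection into a fixed query. The example below is added here and is not SiYuan's code or its fix; it assumes a hypothetical blocks table, a user dict that carries a role, and a hypothetical pair of handler functions. It shows the unchecked handler beside one that enforces the admin role and, as an extra layer, pins the SQLite connection to read-only actions with an authorizer while the user's statement runs.

```python
import sqlite3

# Constructed sample rows standing in for a note workspace; this is not SiYuan's schema.
SAMPLE_BLOCKS = [
    (1, "Meeting notes", "alice"),
    (2, "Draft of unreleased plan", "alice"),
    (3, "Grocery list", "bob"),
]


def make_db():
    """Fresh in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocks (id INTEGER PRIMARY KEY, content TEXT, owner TEXT)")
    conn.executemany("INSERT INTO blocks VALUES (?, ?, ?)", SAMPLE_BLOCKS)
    conn.commit()
    return conn


# Authorizer actions a read-only query needs. Every other action (INSERT, UPDATE,
# DELETE, DROP, PRAGMA, ATTACH, ...) is refused by SQLite when the statement is prepared.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def run_raw_sql_unchecked(conn, user, sql):
    """The vulnerable shape: whatever SQL the caller sends is executed as-is, for any user."""
    return conn.execute(sql).fetchall()


def run_raw_sql_checked(conn, user, sql):
    """Hardened shape (hypothetical, not the project's fix): require the admin role,
    then hold the connection read-only while the user's statement runs."""
    if user.get("role") != "admin":
        raise PermissionError("admin role required")
    conn.set_authorizer(read_only_authorizer)
    try:
        return conn.execute(sql).fetchall()
    finally:
        # Restore a permit-everything authorizer so the application's own writes still work.
        conn.set_authorizer(lambda *args: sqlite3.SQLITE_OK)


def demo():
    """Run each scenario on a fresh database and return what the caller would observe."""
    results = {}
    results["unchecked_user"] = len(
        run_raw_sql_unchecked(make_db(), {"role": "user"}, "SELECT * FROM blocks")
    )
    try:
        run_raw_sql_checked(make_db(), {"role": "user"}, "SELECT * FROM blocks")
        results["checked_user"] = "allowed"
    except PermissionError:
        results["checked_user"] = "denied"
    results["checked_admin_select"] = run_raw_sql_checked(
        make_db(), {"role": "admin"}, "SELECT content FROM blocks WHERE owner = 'bob'"
    )
    conn = make_db()
    try:
        run_raw_sql_checked(conn, {"role": "admin"}, "DROP TABLE blocks")
        results["checked_admin_drop"] = "allowed"
    except sqlite3.DatabaseError:  # SQLite reports "not authorized" at prepare time
        results["checked_admin_drop"] = "denied"
    results["rows_after_drop_attempt"] = conn.execute("SELECT count(*) FROM blocks").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The role check is the missing control the advisories name; the authorizer is defence in depth, so that an admin-only raw-SQL endpoint still cannot modify or drop tables if the role check is ever bypassed again. Note that it only limits actions, not what an admin can read.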
CVE
added 2026/03/13 11:42 a.m.

CVE-2026-32399

The CVE concerns the WordPress plugin Media Library Assistant (versions n/a through

CVSS 8.5, AI score 5.8, EPSS 0.00228
Exploits: 0, References: 1
Snyk
added 2026/03/12 6:32 p.m.

Unparsed Raw Web Content Delivery

Overview: hyperterse is a declarative interface to connect your database to your AI agents. Affected versions of this package are vulnerable to Unparsed Raw Web Content Delivery in the search process. An attacker can gain unauthorized access to raw SQL queries by submitting search requests,...

CVSS 6.9, AI score 5.9, EPSS 0.00178
Exploits: 0, References: 2
OSV
added 2026/03/12 6:32 p.m.

GHSA-92GP-JFGX-9QPV Hyperterse: Raw exposure of database statements in MCP search tool

Hyperterse allows users to specify database queries for tools to execute under the hood. As of v2.0.0, there are only two tools exposed - search and execute. The search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL...

CVSS 6.5, AI score 5.9, EPSS 0.00178
Exploits: 0, References: 4
Github Security Blog
added 2026/03/12 6:32 p.m.

Hyperterse: Raw exposure of database statements in MCP search tool

Hyperterse allows users to specify database queries for tools to execute under the hood. As of v2.0.0, there are only two tools exposed - search and execute. The search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL...

CVSS 6.5, AI score 5.8, EPSS 0.00178
Exploits: 0, References: 4, Affected Software: 1
EUVD
added 2026/03/12 6:30 p.m.

EUVD-2019-19770

iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. Attackers can send POST requests to the search endpoint with crafted SQL payloads to extract sensitiv...

CVSS 8.8, AI score 5.9, EPSS 0.00318
Exploits: 0, References: 3
Vulnrichment
added 2026/03/12 5:03 p.m.

CVE-2026-31841 Raw exposure of database statements in Hyperterse MCP search tool

Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL queries, exposing statements which were...

CVSS 6.5, AI score 5.7, EPSS 0.00178
Exploits: 0, References: 2
NVD
added 2026/03/12 4:16 p.m.

CVE-2019-25533

Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. Attackers can send POST requests to the loginaction.php endpoint with crafted SQL payloads in the...

CVSS 8.8, EPSS 0.00304
Exploits: 0, References: 2
Cvelist
added 2026/03/12 3:36 p.m.

CVE-2019-25509 XooDigital Latest SQL Injection via results.php

XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information...

CVSS 8.8, EPSS 0.00306
Exploits: 0, References: 2
Cvelist
added 2026/03/12 12:00 a.m.

CVE-2026-26794

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the addgroup function. This vulnerability allows attackers to execute arbitrary SQL database operations via a crafted HTTP request...

EPSS 0.00453
Exploits: 1, References: 1
CNNVD
added 2026/03/12 12:00 a.m.

Nesote Inout RealEstate SQL Injection Vulnerability

Nesote Inout RealEstate, a real estate transaction website system developed by Nesote Corporation, contains a SQL injection vulnerability in the city parameter. Unauthorized attackers may exploit this...

CVSS 8.8, AI score 5.8, EPSS 0.00377
Exploits: 0, References: 2
CNNVD
added 2026/03/12 12:00 a.m.

Xooscripts XooDigital SQL Injection Vulnerability

Xooscripts XooDigital, software developed by the Xooscripts company, contains a SQL injection vulnerability in the p parameter, which may allow unauthenticated attackers to manipulate database queries and extract...

CVSS 8.8, AI score 5.8, EPSS 0.00306
Exploits: 0, References: 2
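The objGroupID, jqSearchDestination, Email, 'p', addgroup and city findings in this list all describe the same defect: a request parameter spliced into SQL text. The example below is added here and is not code from any of those products; the users table, the email lookup and the two payloads are constructed for illustration. It runs the concatenated query beside its parameterized form against an in-memory SQLite database, so the behavioural difference the advisories describe (every row returned, and the engine version leaked through a UNION) can be executed rather than read about.

```python
import sqlite3

# Constructed sample table; stands in for any application's user table, not a real product's schema.
SAMPLE_USERS = [
    ("alice@example.com", "h1"),
    ("bob@example.com", "h2"),
]


def make_db():
    """Fresh in-memory SQLite database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, email):
    """Concatenates the request parameter into the SQL text: the defect the advisories describe."""
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    """Binds the parameter. The SQL text never changes, so quotes in the input are only data."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


# Textbook payloads of the kind the listed entries describe, aimed at the toy schema only.
TAUTOLOGY = "x' OR '1'='1"                             # turns the WHERE clause into "always true"
UNION_VERSION = "x' UNION SELECT 1, sqlite_version() -- "  # appends a row carrying the DB version


def demo():
    """Run both lookups with a normal value and with each payload; return the rows each produced."""
    conn = make_db()
    return {
        "vuln_normal": find_user_vulnerable(conn, "bob@example.com"),
        "vuln_tautology": find_user_vulnerable(conn, TAUTOLOGY),   # every user row
        "vuln_union": find_user_vulnerable(conn, UNION_VERSION),   # engine version in the email column
        "safe_normal": find_user_safe(conn, "bob@example.com"),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),         # no such address, so no rows
        "safe_union": find_user_safe(conn, UNION_VERSION),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The safe variant is the whole fix for this class of bug: the parameter travels to the engine separately from the statement, so the lookup for a literal address `x' OR '1'='1` simply finds nothing. Input filtering or escaping on top of concatenation is not equivalent and tends to fail on the next encoding or dialect quirk.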