CVE-2018-25176

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to th...

CVE-2018-25163

BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. Attackers can submit crafted POST requests with SQL UNION statements to...

CVE-2018-25194

Nominas 0.27 contains an unauthenticated SQL injection in the username parameter via POST to login/checklogin.php, enabling arbitrary SQL queries to extract database information (usernames, database names, version details) using UNION-based payloads. No remediation details are provided in the doc...

CVE-2018-25191

Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'modid' parameter. Attackers can send POST requests to the editarproducto.php endpoint with crafted SQL payloads in the modid...

CVE-2018-25176 Alive Parish 2.0.4 SQL Injection and Arbitrary File Upload

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to th...

PT-2026-23688

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to th...

CVE-2019-25500 Simple Job Script SQL Injection via register-recruiters endpoint

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endpoint with time-based SQL injection payloads to...

PT-2026-22857

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

PT-2026-22786

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage stock.php...

CVE-2025-48650

In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-22576

In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection...

CVE-2026-26711

code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php...

CVE-2026-26702

CVE-2026-26702 affects sourcecodester Personnel Property Equipment System v1.0. The vulnerability is an SQL Injection in /ppes/admin/myitem_reuse.php (as reported across multiple sources). The root cause is insufficient input sanitization in the affected file, enabling a attacker to inject SQL st...

CVE-2026-27832

Group-Office (enterprise CRM/groupware) is affected by an authenticated SQL Injection in the advancedQueryData parameter (comparator) on index.php?r=email/template/emailSelection. Pre-fix versions 26.0.8, 25.0.87, and 6.8.153 process advancedQueryData with a weak allowlist, enabling blind boolean...

CVE-2019-25497 osCommerce 2.3.4.1 SQL Injection via currency Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shoppingcart.php with malicious currency values using boolean-based SQL injection...

CVE-2019-25494 Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel

Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the...

CVE-2019-25495 osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviewsid parameter. Attackers can send GET requests to productreviewswrite.php with malicious reviewsid values using boolean-based SQL...

CVE-2026-22206

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote cod...

EUVD-2026-8548

Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting...

CVE-2026-25746 OpenEMR has SQL Injection Vulnerability

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in...