15 matches found
CVE-2026-46624
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, then any authenticated user can execute arbitrary OS commands on the...
Astra Linux – Vulnerability in Zabbix
A low-privilege regular Zabbix user with API access can exploit the SQL injection vulnerability in the include/classes/api/CApiService.php file to execute arbitrary SQL commands using the groupBy parameter...
ERPNEXT group_by parameter SQL Injection Vulnerability
ERPNext is an open source enterprise resource planning solution from ERPNext India. ERPNext suffers from a SQL injection vulnerability that stems from the lack of validation of externally supplied SQL fragments in the order_by and group_by parameters. An attacker can exploit this vulnerability...
CVE-2025-56381
ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters...
PT-2025-40354
Name of the Vulnerable Software and Affected Versions: ERPNEXT version 15.67.0. Description: The software contains multiple SQL injection flaws in the /api/method/frappe.desk.reportview.get API endpoint. The order_by and group_by parameters are susceptible to exploitation. Recommendations: Apply...
Linux Distros Unpatched Vulnerability : CVE-2024-36465
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A low-privilege regular Zabbix user with API access can use a SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands...
The vulnerability of the API component of the Zabbix monitoring system allows an attacker to execute arbitrary commands.
The vulnerability of the API component of the Zabbix monitoring system is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands via the processing of the groupBy parameter...
DEBIAN-CVE-2024-36465
A low-privilege regular Zabbix user with API access can use a SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter...
OESA-2021-1274 python-sqlalchemy security update
SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. It contains a powerful mapping layer that users can work with as automatically or as manually as they choose, determining relationships based on foreign keys or bridging the gap between database...
python-sqlalchemy: SQL Injection when the group_by parameter can be controlled
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled...
GHSA-38FC-9XQV-7F7Q SQLAlchemy is vulnerable to SQL Injection via group_by parameter
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled...
DEBIAN-CVE-2019-7548
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled...
UBUNTU-CVE-2019-7548
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled...
PYSEC-2019-124
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled...