1148 matches found

Positive Technologies
added 2026/04/05 12:00 a.m.

PT-2026-30504

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filter_user_mail parameter. Attackers can send crafted requests with malicious SQL statements to extract sensitive database information or modify data...

CVSS 8.8 | AI score 6 | EPSS 0.00311
Exploits 1 | References 5

Positive Technologies
added 2026/04/05 12:00 a.m.

PT-2026-30496

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menu_lev1 parameter to extract sensitive...

CVSS 8.8 | AI score 6 | EPSS 0.00338
Exploits 1 | References 5

OSV
added 2026/04/03 1:27 p.m.

JLSEC-2026-30

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption...

CVSS 5.9 | AI score 5.9 | EPSS 0.01501
Exploits 0 | References 10

CVE
added 2026/04/01 7:56 p.m.

CVE-2026-34455

Hi.Events is affected by an SQL injection in which multiple repository classes pass the user-supplied sort_by parameter directly to Eloquent's orderBy() without validation (affecting versions 0.8.0-beta.1 up to before 1.7.1-beta). The underlying issue is the lack of input validation for sort_by, ...

CVSS 8.8 | AI score 5.8 | EPSS 0.0035
Exploits 1 | References 4 | Affected software 1

CVE
added 2026/04/01 12:00 a.m.

CVE-2026-30273

CVE-2026-30273 affects pandas-ai v3.0.0 via the pandasai.agent.base._execute_sql_query component, introducing a SQL injection vulnerability. Root cause: improper handling of SQL query execution within the agent. Impact per CVSS: HIGH (7.3), with network attack vector, no user interaction required...

CVSS 7.3 | AI score 6 | EPSS 0.00187
Exploits 0 | References 2 | Affected software 1

CVE
added 2026/03/31 11:25 p.m.

CVE-2026-4668

CVE-2026-4668 concerns the Amelia Booking for WordPress plugin. In all versions up to 2.1.2, the payments listing endpoint is vulnerable to SQL Injection via the sort parameter. The root cause is insufficient escaping and direct interpolation of the user-supplied sort field into an ORDER BY claus...

CVSS 6.5 | AI score 6 | EPSS 0.0036
Exploits 0 | References 5

CNNVD
added 2026/03/31 12:00 a.m.

Umami SQL injection vulnerability

Umami is a lightweight analytics platform provided by Umami Inc., which offers website traffic statistics and user behavior analysis. Umami has a SQL injection vulnerability that stems from improper sanitization of the timezone request parameter. This vulnerability may lead to SQL...

CVSS 9.3 | AI score 5.8 | EPSS 0.00345
Exploits 0 | References 1

OSV
added 2026/03/27 12:00 a.m.

UBUNTU-CVE-2026-27860

If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This can potentially bypass restrictions and allows probing of the LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are...

CVSS 5.3 | AI score 5.9 | EPSS 0.00286
Exploits 1 | References 3

CNNVD
added 2026/03/27 12:00 a.m.

VMware Spring AI security vulnerability

VMware Spring AI is a development framework by the American company VMware, which integrates artificial intelligence and large language model capabilities within the Spring ecosystem. Versions of VMware Spring AI prior to 1.0.5 and 1.1.4 contained security vulnerabilities. These vulnerabilities...

CVSS 9.8 | AI score 5.8 | EPSS 0.00821
Exploits 0 | References 1

Positive Technologies
added 2026/03/27 12:00 a.m.

PT-2026-28585

Vulnerable software and affected versions: WeGIA versions prior to 3.6.7. Description: WeGIA is a web manager for charitable institutions. Versions prior to 3.6.7 contain a flaw in the html/socio/sistema/deletar_tag.php file. This file calls the extract($_REQUEST) function on line 14, a...

CVSS 8.8 | AI score 5.9 | EPSS 0.00392
Exploits 1 | References 5

EUVD
added 2026/03/26 12:30 p.m.

EUVD-2018-21675

qdPM 9.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through filterby parameters. Attackers can submit malicious POST requests to the timeReport endpoint with crafted filterbyCommentCreatedFrom and...

CVSS 8.8 | AI score 6.2 | EPSS 0.00337
Exploits 1 | References 5

CNNVD
added 2026/03/24 12:00 a.m.

e-SIC Livre security vulnerability

e-SIC Livre is an open-source citizen information request system developed by esiclivre. Versions of e-SIC Livre prior to 0.2.2 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of the cpfcnpj parameter in the Solicitante::resetaSenha function, which could...

CVSS 6.5 | AI score 5.9 | EPSS 0.00514
Exploits 1 | References 2

CNNVD
added 2026/03/23 12:00 a.m.

Cuantis SQL injection vulnerability

Cuantis is a platform for data analysis and visualization developed by the Colombian company Cuantis. Cuantis has a SQL injection vulnerability that stems from improper handling of the search parameter in the /search.php endpoint. This vulnerability may lead to SQL injection attacks...

CVSS 9.3 | AI score 5.8 | EPSS 0.00307
Exploits 0 | References 1

OSV
added 2026/03/17 3:36 p.m.

GHSA-FWJ4-6WGP-MPXM Katello: Denial of Service and potential information disclosure via SQL injection

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of...

CVSS 5.4 | AI score 6 | EPSS 0.00262
Exploits 0 | References 8

OSV
added 2026/03/16 9:19 p.m.

GHSA-3X67-4C2C-W45M Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Summary: The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table via prepared statements (safe storage), but are later read back and...

CVSS 8 | AI score 6.1 | EPSS 0.00279
Exploits 1 | References 4

Positive Technologies
added 2026/03/16 12:00 a.m.

PT-2026-25639

Vulnerable software and affected versions: vanna-ai vanna versions up to 2.0.2. Description: A flaw exists in the remove_training_data function within the src/vanna/legacy/google/bigquery_vector.py file. Manipulation of the ID argument can lead to SQL injection. This issue can be exploit...

CVSS 7.5 | AI score 6.9 | EPSS 0.00254
Exploits 0 | References 10

CNNVD
added 2026/03/16 12:00 a.m.

HCL AION security vulnerability

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a SQL injection vulnerability that stems from the application's failure to validate externally supplied input used in SQL statements, which can be exploited by an attacker to steal sensitive database data by injecting a...

CVSS 9.8 | AI score 5.8 | EPSS 0.00281
Exploits 0 | References 1

EUVD
added 2026/03/13 9:31 p.m.

EUVD-2025-208665

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...

CVSS 6.5 | AI score 5.9 | EPSS 0.00314
Exploits 0 | References 2

ATTACKERKB
added 2026/03/13 11:42 a.m.

CVE-2026-32399

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant (media-library-assistant) allows Blind SQL Injection. This issue affects Media Library Assistant: from n/a through <= 3.32...

AI score 5.8 | EPSS 0.00228
Exploits 0 | References 2

NVD
added 2026/03/12 4:16 p.m.

CVE-2019-25509

XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information...

CVSS 8.8 | EPSS 0.00306
Exploits 0 | References 2
