CVE-2026-13487

CVE-2026-13487 affects SourceCodester Class and Exam Timetabling System 1.0. The vulnerability is an SQL injection in an unknown function of /archive.php caused by manipulation of the sy argument. It can be exploited remotely, and public exploit code is available. The CVSS-derived metrics indicat...

EUVD-2026-39986

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php. This impacts an unknown function of the file /preview6.php. Executing a manipulation of the argument courseyearsection can lead to sql injection. The attack can be launched remotely. The exploit has been...

WordPress JobWP Plugin <= 2.3.9 - SQL Injection

The JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwpuploadresume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

Leantime < 2.4 - Authenticated SQL Injection

Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impact...

My Calendar WordPress Plugin - Information Disclosure

My Calendar WordPress plugin = 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parsestr in mcajaxmcjsaction endpoint, letting unauthenticated attackers access or crash sites via switchtoblog, exploit requires WordPress Multisite or Single Site setup. id:...

Academy Learning Management System <5.9.1 - Cross-Site Scripting

Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

Online Event Booking and Reservation System 2.3.0 - SQL Injection

Online Event Booking and Reservation System 2.3.0 contains a SQL injection vulnerability in event-management/views. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

CVE-2026-13333

CVE-2026-13333 affects the Groundhogg WordPress plugin up to version 4.5.5. The issue is a generic SQL injection in the query[select] path caused by insufficient escaping and inadequate preparation of the SQL query, allowing an authenticated attacker with Sales Representative-level access or high...

CVE-2026-13331 Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2026-0685

Server side template inject SSTI in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution RCE via crafted template expressions...

CVE-2026-57663

CVE-2026-57663 describes a SQL Injection vulnerability in the WordPress plugin Zip Recipes (Recipe Maker For Your Food Blog) versions

CVE-2026-57653

CVE-2026-57653 describes a SQL Injection vulnerability in the WordPress plugin WP Job Portal (versions

CVE-2026-57653 WordPress WP Job Portal plugin <= 2.5.2 - SQL Injection vulnerability

Contributor SQL Injection in WP Job Portal = 2.5.2 versions...

CVE-2026-57642

The CVE-2026-57642 entry documents a Contributor SQL Injection in the WordPress Gallery plugin, affected in versions up to 4.7.8. The vulnerability targets the Gallery plugin’s SQL queries (contributor-related flow) and is tracked with CVSS 3.1: Network attack vector, low attack complexity, privi...

EUVD-2026-39747

Administrator SQL Injection in Popup box = 6.0.1 versions...

WordPress WP Job Portal plugin <= 2.5.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by hhhai in WordPress Plugin WP Job Portal versions = 2.5.2...

EUVD-2026-39439

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

EUVD-2026-39373

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce = 1.1.11 versions...

EUVD-2026-39370

Unauthenticated SQL Injection in MDTF = 1.3.7 versions...

WordPress Groundhogg — CRM, Newsletters, and Marketing Automation plugin <= 4.5.4 - Authenticated (Custom+) SQL Injection vulnerability

Authenticated Custom+ SQL Injection vulnerability discovered by PRISM in WordPress Plugin Groundhogg versions = 4.5.4...