
2820 matches found

ATTACKERKB
added 2026/03/05 6:24 p.m. | 6 views

CVE-2026-28210

FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7...

CVSS 8.6 | AI score 5.9 | EPSS 0.00299
Exploits: 0 | References: 2 | Affected Software: 1
EUVD
added 2026/03/05 6:30 a.m. | 4 views

EUVD-2025-208305

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in don-themes Riode Core riode-core allows Blind SQL Injection. This issue affects Riode Core: from n/a through = 1.6.26...

CVSS 9.3 | AI score 6 | EPSS 0.00383
Exploits: 0 | References: 2
Vulnrichment
added 2026/03/05 4:21 a.m. | 5 views

CVE-2026-3523 Apocalypse Meow <= 22.1.0 - Authenticated (Administrator+) SQL Injection via 'type' Parameter

The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php: the condition uses && (AND) instead of || (OR), causing the...

CVSS 4.9 | AI score 6 | EPSS 0.00454
Exploits: 0 | References: 10
Positive Technologies
added 2026/03/05 12:0 a.m. | 5 views

PT-2026-23611

Name of the Vulnerable Software and Affected Versions: Agentgateway versions prior to 0.12.0. Description: Agentgateway, an open source data plane for agentic AI connectivity, has an issue where input path, query, and header values are not sanitized when converting MCP tools/call requests to OpenAPI...

CVSS 4.9 | AI score 5.8 | EPSS 0.00144
Exploits: 0 | References: 6
EUVD
added 2026/03/04 6:31 p.m. | 5 views

EUVD-2019-19724

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landinglocation parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authenticatio...

CVSS 8.8 | AI score 6.1 | EPSS 0.00367
Exploits: 1 | References: 3
NVD
added 2026/03/04 6:16 p.m. | 9 views

CVE-2019-25506

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to...

CVSS 9.8 | EPSS 0.00453
Exploits: 1 | References: 2
CVE
added 2026/03/04 5:15 p.m. | 6 views

CVE-2019-25503

CVE-2019-25503 affects PHPads 2.0. The vulnerability is an SQL injection in the bannerID parameter of click.php3, allowing unauthenticated attackers to craft values (e.g., SQL comments, extractvalue) to execute arbitrary queries and reveal data such as the current database name. The impact is hig...

CVSS 7.1 | AI score 6.2 | EPSS 0.00328
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2026/03/04 5:15 p.m. | 28 views

CVE-2019-25500 Simple Job Script SQL Injection via register-recruiters endpoint

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the employerid parameter. Attackers can send POST requests to the register-recruiters endpoint with time-based SQL injection payloads to...

CVSS 8.8 | EPSS 0.00294
Exploits: 1 | References: 2
Cisco
added 2026/03/04 4:0 p.m. | 9 views

Cisco Secure Firewall Management Center Software SQL Injection Vulnerabilities

Multiple vulnerabilities in the web-based management interface and REST API of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Detai...

CVSS 8.1 | AI score 6 | EPSS 0.0034
Exploits: 0 | References: 1
Positive Technologies
added 2026/03/04 12:0 a.m. | 5 views

PT-2026-22857

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

CVSS 6.5 | AI score 6 | EPSS 0.00368
Exploits: 0 | References: 7
Positive Technologies
added 2026/03/04 12:0 a.m. | 4 views

PT-2026-22961

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc...

CVSS 8.8 | AI score 6 | EPSS 0.00453
Exploits: 1 | References: 2
RedhatCVE
added 2026/03/03 1:48 a.m. | 5 views

CVE-2026-26694

code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/modalview.php...

CVSS 9.8 | AI score 6 | EPSS 0.00496
Exploits: 1 | References: 1
Positive Technologies
added 2026/03/03 12:0 a.m. | 2 views

PT-2026-22786

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage stock.php...

AI score 6 | EPSS 0.00284
Exploits: 1 | References: 1
Positive Technologies
added 2026/03/03 12:0 a.m. | 2 views

PT-2026-22804

Name of the Vulnerable Software and Affected Versions: GLPI versions 0.60 through 10.0.23. Description: GLPI is an Asset and IT Management Software package. An authenticated technician user can store a cross-site scripting (XSS) payload in supplier fields. This allows for potential malicious code...

CVSS 7.2 | AI score 6.1 | EPSS 0.0028
Exploits: 0 | References: 10
ATTACKERKB
added 2026/03/02 6:42 p.m. | 3 views

CVE-2025-48650

In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 8.4 | AI score 6.1 | EPSS 0.00114
Exploits: 0 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/03/02 5:23 p.m. | 6 views

CVE-2026-3180 Contest Gallery <= 28.1.4 - Unauthenticated SQL Injection

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ‘cglmail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter...

CVSS 7.5 | AI score 6 | EPSS 0.00699
Exploits: 4 | References: 6
NVD
added 2026/03/02 2:16 p.m. | 5 views

CVE-2026-26698

code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/modaledit.php...

CVSS 4.9 | EPSS 0.00276
Exploits: 1 | References: 1
NVD
added 2026/03/02 9:16 a.m. | 5 views

CVE-2026-2584

A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence o...

CVSS 9.3 | EPSS 0.00414
Exploits: 0 | References: 1
CVE
added 2026/03/02 12:0 a.m. | 6 views

CVE-2026-26702

CVE-2026-26702 affects sourcecodester Personnel Property Equipment System v1.0. The vulnerability is an SQL Injection in /ppes/admin/myitem_reuse.php (as reported across multiple sources). The root cause is insufficient input sanitization in the affected file, enabling an attacker to inject SQL st...

CVSS 9.8 | AI score 6 | EPSS 0.00553
Exploits: 1 | References: 1 | Affected Software: 1
CNNVD
added 2026/03/02 12:0 a.m. | 2 views

Code-Projects Simple Student Alumni System Security Vulnerability

Code-Projects Simple Student Alumni System is an open-source student alumni system developed by Code-Projects. Version 1.0 of the Code-Projects Simple Student Alumni System has a security vulnerability, which stems from an SQL injection vulnerability in the /TracerStudy/recordstudent edit.php fil...

CVSS 9.8 | AI score 5.8 | EPSS 0.00486
Exploits: 1 | References: 2