2820 matches found

Positive Technologies
added 2026/03/02 12:0 a.m. | 5 views

PT-2026-22580

Name of the Vulnerable Software and Affected Versions: DobryCMS versions prior to 8.0. Description: A Blind SQL injection issue exists in DobryCMS. An unauthenticated remote attacker can inject SQL syntax into a URL path, leading to a Blind SQL injection. The vulnerability allows for the injection o...

CVSS 9.3 | AI score 6 | EPSS 0.00448
Exploits 0 | References 9

EUVD
added 2026/03/02 12:0 a.m. | 4 views

EUVD-2026-9254

code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/edit-orders.php...

CVSS 9.8 | AI score 6 | EPSS 0.00337
Exploits 1 | References 1

Cvelist
added 2026/03/02 12:0 a.m. | 30 views

CVE-2026-26710

code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/edit-orders.php...

EPSS 0.00337
Exploits 1 | References 1

Positive Technologies
added 2026/03/02 12:0 a.m. | 4 views

PT-2026-22576

In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection...

CVSS 8.8 | AI score 6 | EPSS 0.0019
Exploits 0 | References 3

Cvelist
added 2026/03/02 12:0 a.m. | 27 views

CVE-2026-26711

code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php...

EPSS 0.00325
Exploits 1 | References 1

Positive Technologies
added 2026/03/02 12:0 a.m. | 8 views

PT-2026-22684

Name of the Vulnerable Software and Affected Versions: Simple Gym Management System version 1.0. Description: The Simple Gym Management System version 1.0 is susceptible to SQL Injection. This issue affects the /gym/trainer search.php endpoint. The trainer search.php script is vulnerable due to...

AI score 6 | EPSS 0.00325
Exploits 1 | References 5

Positive Technologies
added 2026/03/02 12:0 a.m. | 4 views

PT-2026-22606

Name of the Vulnerable Software and Affected Versions: sourcecodester Personnel Property Equipment System version 1.0. Description: The software is susceptible to a SQL Injection issue. The vulnerability exists in the /ppes/admin/advance search.php file. The vulnerable parameter is not specified...

CVSS 9.8 | AI score 6 | EPSS 0.00553
Exploits 1 | References 9

EUVD
added 2026/03/02 12:0 a.m. | 4 views

EUVD-2026-9221

sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/viewsupplier.php...

AI score 6 | EPSS 0.0047
Exploits 1 | References 1

CVE
added 2026/02/28 9:47 p.m. | 20 views

CVE-2026-28562

CVE-2026-28562 affects wpForo 2.4.14. The vulnerability is an unauthenticated SQL injection in Topics::get_topics(), where the ORDER BY clause relies on insufficient esc_sql() sanitization for unquoted identifiers. An attacker can craft wpfob payloads (e.g., using CASE WHEN) to perform blind bool...

CVSS 9.8 | AI score 6 | EPSS 0.00428
Exploits 0 | References 3 | Affected Software 1

CVE
added 2026/02/27 10:11 p.m. | 9 views

CVE-2026-28516

OpenDCIM 23.04 (commit 4467e9c4) contains a SQL injection in Config::UpdateParameter. install.php and container-install.php interpolate user input into SQL without prepared statements, allowing an authenticated user to execute arbitrary SQL against the database. The vulnerability is documented as...

CVSS 9.3 | AI score 6.1 | EPSS 0.0097
Exploits 2 | References 7 | Affected Software 1

CVE
added 2026/02/27 7:49 p.m. | 6 views

CVE-2026-27832

Group-Office (enterprise CRM/groupware) is affected by an authenticated SQL Injection in the advancedQueryData parameter (comparator) on index.php?r=email/template/emailSelection. Pre-fix versions 26.0.8, 25.0.87, and 6.8.153 process advancedQueryData with a weak allowlist, enabling blind boolean...

CVSS 8.8 | AI score 6 | EPSS 0.00244
Exploits 0 | References 1 | Affected Software 1

EUVD
added 2026/02/27 7:49 p.m. | 5 views

EUVD-2026-9058

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the advancedQueryData parameter comparator field on an authenticated endpoint. The endpoint...

CVSS 7.1 | AI score 6 | EPSS 0.00244
Exploits 0 | References 1

Vulnrichment
added 2026/02/27 5:23 p.m. | 5 views

CVE-2019-25497 osCommerce 2.3.4.1 SQL Injection via currency Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shoppingcart.php with malicious currency values using boolean-based SQL injection...

CVSS 8.8 | AI score 6 | EPSS 0.00327
Exploits 1 | References 3

Cvelist
added 2026/02/27 5:23 p.m. | 20 views

CVE-2019-25494 Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel

Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the...

CVSS 8.8 | EPSS 0.00408
Exploits 1 | References 3

Vulnrichment
added 2026/02/27 5:23 p.m. | 7 views

CVE-2019-25495 osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviewsid parameter. Attackers can send GET requests to productreviewswrite.php with malicious reviewsid values using boolean-based SQL...

CVSS 8.8 | AI score 6 | EPSS 0.00327
Exploits 1 | References 3

ATTACKERKB
added 2026/02/27 4:2 a.m. | 3 views

CVE-2026-3287

A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the component App-side Product Pagination Endpoint. Performing a manipulation of t...

CVSS 9.8 | AI score 6.4 | EPSS 0.0039
Exploits 1 | References 4 | Affected Software 1

CNNVD
added 2026/02/27 12:0 a.m. | 3 views

Doditsolutions Homey BNB SQL injection vulnerability

Doditsolutions Homey BNB is a homestay reservation system operated by the Indian company Doditsolutions. Doditsolutions Homey BNB V4 has a SQL injection vulnerability; this vulnerability stems from the SQL injection vulnerability in the catid parameter, which may allow unverified attackers to...

CVSS 8.8 | AI score 5.8 | EPSS 0.00321
Exploits 1 | References 4

CNNVD
added 2026/02/27 12:0 a.m. | 5 views

osCommerce SQL injection vulnerability

osCommerce is a set of open-source e-commerce solutions developed by osCommerce Inc., licensed under the GNU GPL. Version 2.3.4.1 of osCommerce contains a SQL injection vulnerability. This vulnerability stems from the reviewsid parameter, which allows for SQL injections, potentially enabling...

CVSS 8.8 | AI score 5.9 | EPSS 0.00327
Exploits 1 | References 4

Vulnrichment
added 2026/02/26 10:43 p.m. | 5 views

CVE-2026-28226 Phishing Club has Authenticated Blind SQL Injection in GetOrphaned Recipient Listing

Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the...

CVSS 6.5 | AI score 5.9 | EPSS 0.00332
Exploits 1 | References 2

RedhatCVE
added 2026/02/26 10:35 p.m. | 4 views

CVE-2026-3200

A vulnerability was identified in z-9527 admin 1.0/2.0. The affected element is the function checkName/register/login/getUser/getUsers of the file /server/controller/user.js. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might...

CVSS 7.5 | AI score 5.3 | EPSS 0.00321
Exploits 0 | References 1