
2783 matches found

EUVD
added 2026/04/24 6:27 p.m., 4 views

EUVD-2026-25594

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a...

CVSS 9.1 | AI score 5.5 | EPSS 0.00424
Exploits: 1 | References: 2

OSV
added 2026/04/24 3:41 p.m., 5 views

GHSA-MRXX-39G5-PH77 Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

Executive Summary A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a...

CVSS 9.1 | AI score 5.7 | EPSS 0.00424
Exploits: 1 | References: 4

Github Security Blog
added 2026/04/24 3:41 p.m., 9 views

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

Executive Summary A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a...

CVSS 9.1 | AI score 5.6 | EPSS 0.00424
Exploits: 1 | References: 4 | Affected Software: 3

EUVD
added 2026/04/23 6:33 p.m., 2 views

EUVD-2025-209568

Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module...

AI score 5.8 | EPSS 0.00359
Exploits: 1 | References: 5

ATTACKERKB
added 2026/04/23 9:30 a.m., 2 views

CVE-2026-6887

Borg SPM 2007 Sales Ended in 2008 developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents...

CVSS 9.8 | AI score 6 | EPSS 0.00358
Exploits: 0 | References: 3

NVD
added 2026/04/23 5:16 a.m., 5 views

CVE-2026-40529

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface...

CVSS 5.1 | EPSS 0.00161
Exploits: 0 | References: 1

CNNVD
added 2026/04/23 12:0 a.m., 6 views

SocialEngine SQL injection vulnerability

SocialEngine is a content management platform developed by SocialEngine Company in India, designed for supporting community interactions and building social networks. SocialEngine versions 7.8.0 and earlier contained an SQL injection vulnerability. This vulnerability stemmed from the text paramet...

CVSS 9.8 | AI score 6.3 | EPSS 0.00972
Exploits: 2 | References: 2

Snyk
added 2026/04/22 8:46 p.m., 2 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is interpreted as a placeholder within a dollar quoted string literal. Note: This is...

CVSS 9.8 | AI score 6.1 | EPSS 0.00356
Exploits: 0 | References: 2

EUVD
added 2026/04/22 8:39 p.m., 3 views

EUVD-2026-25098

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

CVSS 9.1 | AI score 6.1 | EPSS 0.0052
Exploits: 0 | References: 2

CNNVD
added 2026/04/22 12:0 a.m., 6 views

Jellystat SQL injection vulnerability

Jellystat is a free and open-source statistical application developed by Thegan Govender as an individual project. Versions of Jellystat prior to 1.1.10 contained a SQL injection vulnerability. This vulnerability stemmed from multiple API endpoints that constructed queries by directly inserting...

CVSS 9.1 | AI score 6.2 | EPSS 0.0052
Exploits: 0 | References: 1

Positive Technologies
added 2026/04/22 12:0 a.m., 9 views

PT-2026-34246

CVE-2026-6833 The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. https://t.co/t19jGHdUjW...

CVSS 7.1 | AI score 6.1 | EPSS 0.00278
Exploits: 0 | References: 4

GithubExploit
added 2026/04/21 11:49 p.m., 87 views

SQLi-Injection-Payloads

No d...

AI score 5.7
Exploits: 0

Vulnrichment
added 2026/04/21 8:5 p.m., 3 views

CVE-2026-40906 Electric: SQL Injection via ORDER BY Parameter in Shape API

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the orderby parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted...

CVSS 9.9 | AI score 5.8 | EPSS 0.00405
Exploits: 1 | References: 2

EUVD
added 2026/04/21 6:26 p.m., 3 views

EUVD-2026-24035

OpenBao's SQL Injection in PostgreSQL database secrets engine...

CVSS 4.6 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 5

CVE
added 2026/04/21 12:0 a.m., 6 views

CVE-2025-70420

Based on connected sources, CVE-2025-70420 concerns Genesys Latitude v25.1.0.420 where an authenticated attacker can execute arbitrary SQL queries due to unsanitized user input concatenated into SQL statements. The affected component is Genesys Latitude, version 25.1.0.420; root cause is input un...

AI score 6.1 | EPSS 0.00039
Exploits: 0

NVD
added 2026/04/20 6:16 p.m., 3 views

CVE-2026-39110

SQL Injection vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the contactno parameter of the forgot password page forgot-password.php. This allows an unauthenticated attacker to manipulate backend SQL queries during authentication and retrieve...

CVSS 8.2 | EPSS 0.00295
Exploits: 0 | References: 3

Vulnrichment
added 2026/04/20 10:15 a.m., 3 views

CVE-2026-6629 Metasoft 美特软件 MetaCRM Interface sql.jsp Statement.executeUpdate sql injection

A vulnerability has been found in Metasoft 美特软件 MetaCRM up to 6.4.0. This vulnerability affects the function Statement.executeUpdate of the file sql.jsp of the component Interface. Such manipulation of the argument sql leads to sql injection. The attack can be launched remotely. The exploit has...

CVSS 7.5 | AI score 5.5 | EPSS 0.00259
Exploits: 0 | References: 4

Vulnrichment
added 2026/04/20 7:36 a.m., 2 views

CVE-2026-5964 Digiwin|EasyFlow .NET - SQL Injection

EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents...

CVSS 9.8 | AI score 6 | EPSS 0.00366
Exploits: 0 | References: 2

Positive Technologies
added 2026/04/20 12:0 a.m., 4 views

PT-2026-33818

Name of the Vulnerable Software and Affected Versions Apartment Visitors Management System version 1.1 Description An issue exists in the forgot password page 'forgot-password.php' where the email parameter is susceptible to SQL Injection. This allows an unauthenticated attacker to manipulate...

CVSS 7.5 | AI score 5.8 | EPSS 0.00294
Exploits: 0 | References: 6

CNNVD
added 2026/04/20 12:0 a.m., 6 views

Digiwin EasyFlow .NET security vulnerability

Digiwin EasyFlow .NET is an enterprise-level Workflow Management platform developed by Digiwin in Taiwan, China. There is a security vulnerability in Digiwin EasyFlow .NET, which stems from SQL injection attacks. This vulnerability could allow unverified remote attackers to inject arbitrary SQL...

CVSS 9.8 | AI score 6 | EPSS 0.00366
Exploits: 0 | References: 1