CVE-2026-33755 Authenticated SQL Injection in Contact/query addressBookIds filter

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...

msfpro

msfpro 🔥 Lightweight Web Exploitation Framework for Bug Bou...

PT-2026-28402

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file specifically the save user action. The application fails to properly sanitize user input supplied to the "username" parameter. This allows an authenticated attacker to inject malicious...

PT-2026-28403

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file specifically the save customer action. The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious SQL comman...

PT-2026-28582

Name of the Vulnerable Software and Affected Versions Azure Data Explorer MCP Server versions prior to commit 0abe0ee55279e111281076393e5e966335fffd30 Azure Data Explorer MCP Server versions up to and including 0.1.1 Description Azure Data Explorer MCP Server, a Model Context Protocol MCP server,...

Django: Django: SQL injection via crafted column aliases in QuerySet.order_by()

A flaw was found in Django. A remote attacker could exploit a SQL injection vulnerability in the .QuerySet.orderby method. This occurs when column aliases containing periods are used, and the same alias is also present in FilteredRelation via a specially crafted dictionary. Successful exploitatio...

AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...

CVE-2026-32458

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection.This issue affects WOLF: from n/a through = 1.0.8.7...

CVE-2026-2503

The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'metaquerycompare' parameter in the 'tcgselect2searchpost' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query...

CVE-2026-32306

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .appe...

CVE-2026-33058

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51...

EUVD-2018-21671

KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'myitemsearch' parameter in edit.php. Attackers can submit POST requests with malicious SQL payloads to extract sensitive database information using boolean-based blind or error-based...

CVE-2018-25209 OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter

OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract...

Sitemakin KomSeo Cart SQL注入漏洞

Sitemakin KomSeo Cart is an e-commerce website construction and management system provided by Sitemakin Corporation. Version 1.3 of Sitemakin KomSeo Cart has a SQL injection vulnerability, which stems from insufficient input validation for the myitemsearch parameter. This vulnerability may lead t...

Wecodex Shipping System CMS SQL注入漏洞

Wecodex Shipping System CMS is a logistics content management system developed by Wecodex Corporation. Version 1.0 of the Wecodex Shipping System CMS has a SQL injection vulnerability. This vulnerability stems from insufficient validation of the username parameter input, which may lead to SQL...

CVE-2026-4826 SourceCodester Sales and Inventory System HTTP GET Parameter update_stock.php sql injection

A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /updatestock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is...

CVE-2026-29187

OpenEMR has an authenticated blind boolean-based SQL injection vulnerability in the Patient Search feature (/interface/new/new_search_popup.php) present before version 8.0.0.3. The flaw allows an attacker to influence SQL logic by manipulating HTTP parameter keys, enabling arbitrary SQL commands....

EUVD-2026-15847

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through = 7.7.9...

CVE-2026-33713

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulate...

CVE-2026-32516

CVE-2026-32516 affects the WordPress Miraculous Core Plugin (versions prior to 2.1.2). The issue is an SQL Injection vulnerability caused by improper neutralization of special elements in SQL commands, enabling Blind SQL Injection. The CVSSv3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L with a...