Code-Projects Simple Food Order System SQL注入漏洞

Code-Projects Simple Food Order System is a simple food ordering system developed by Code-Projects as open source. Version 1.0 of the Code-Projects Simple Food Order System has a SQL injection vulnerability; this vulnerability arises from the file/food/view-ticket.php being vulnerable to SQL...

ASB-A-415783046

In multiple locations, there is a possible way to read files belonging to other apps due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-13673 Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'couponcode' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

EUVD-2026-9097

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

PT-2026-22465

Name of the Vulnerable Software and Affected Versions Tutor LMS versions prior to 3.9.7 Description The Tutor LMS plugin for WordPress is susceptible to SQL Injection due to inadequate input validation and query preparation. Specifically, the coupon code parameter is not properly sanitized,...

EUVD-2019-19717

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cmsgetpagetitle.php endpoint with malicious catid values to extract sensitive...

CVE-2019-25491

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cmsgetpagetitle.php endpoint with malicious catid values to extract sensitive...

CVE-2019-25496

CVE-2019-25496 affects osCommerce 2.3.4.1. The vulnerability is a SQL injection in the products_id parameter used by product_info.php, allowing unauthenticated attackers to manipulate database queries and extract sensitive information by appending boolean-based payloads. The described exploit pat...

EUVD-2026-8996

A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the component App-side Product Pagination Endpoint. Performing a manipulation of t...

GO-2026-4557 Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet

Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet...

Doditsolutions Homey BNB SQL注入漏洞

Doditsolutions Homey BNB is a homestay reservation system operated by the Indian company Doditsolutions. Doditsolutions Homey BNB V4 has a SQL injection vulnerability; this vulnerability stems from the val parameter being susceptible to SQL injections, which may allow unverified attackers to...

EUVD-2026-8888

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering listprivatemessagestag allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and...

CVE-2026-27149 Discourse has SQL injection in PM tag filtering

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering listprivatemessagestag allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and...

GHSA-F3F2-MCXC-PWJX n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes

Impact An authenticated user with permission to create or modify workflows and access to a database credential could unknowingly create a workflow that was vulnerable to SQL injection, even while expecting inputs to be handled safely through escaped parameters. By supplying specially crafted tabl...

CVE-2026-1198

SIMPLE.ERP is affected by a SQL Injection in the search feature in the "Obroty na kontach" window. The issue arises from insufficient input validation, allowing an authenticated attacker to craft a query that could be executed by the database. The CVE entry notes a high impact (CVSS v4.0 base sco...

CVE-2026-25746

CVE-2026-25746 (OpenEMR) affects OpenEMR versions prior to 8.0.0, where a SQL injection vulnerability exists in the prescription listing functionality due to insufficient input validation in the code path that builds the prescriptions query (Prescription.class.php and C_Prescription.list_action)....

CVE-2026-3152 itsourcecode College Management System teacher-salary.php sql injection

A flaw has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/teacher-salary.php. This manipulation of the argument teacherid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published a...

CVE-2026-3148 SourceCodester Simple and Nice Shopping Cart Script signup.php sql injection

A vulnerability was determined in SourceCodester Simple and Nice Shopping Cart Script 1.0. This impacts an unknown function of the file /signup.php. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and m...

CVE-2026-27747

The CVE concerns the SPIP plugin interface_traduction_objets (versions prior to 4.3.3). The vulnerability is an authenticated SQL injection in interface_traduction_objets_pipelines.php: the plugin reads the id_parent parameter from user input and directly concatenates it into a SQL WHERE clause i...

CVE-2026-3134

A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin/edit-category.php. The manipulation of the argument Category results in sql injection. The attack may be performed from remote. The exploit has be...