PT-2026-24668

🚨 CVE-2026-3944 A vulnerability was determined in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /att add.php. This manipulation of the argument Name causes sql injection. The attack may be initiated remotely. The exploit has been publicly...

WeGIA SQL注入漏洞

WeGIA is a web manager for the welfare organization developed by Nilson Lazarin. Versions of WeGIA prior to 3.6.6 contained an SQL injection vulnerability. This vulnerability stemmed from the id Produto parameter in the html/matPat/restaurarProduto.php file being directly concatenated into the SQ...

CVE-2025-70024

An issue pertaining to CWE-89: Improper Neutralization of Special Elements used in an SQL Command was discovered in benkeen generatedata 4.0.14...

PT-2026-24595

🚨 CVE-2024-14025 An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the...

PT-2026-24780

Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user id parameter. Attackers can submit POST requests with crafted SQL payloads in the user id field to bypass authentication and extract...

PT-2026-24827

CVE-2025-70024 An issue pertaining to CWE-89: Improper Neutralization of Special Elements used in an SQL Command was discovered in benkeen generatedata 4.0.14. https://t.co/Am32DAzE8m...

PT-2026-24825

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with...

CVE-2026-31825 Sylius has a DQL Injection via API Order Filters

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...

CVE-2026-31825 Sylius has a DQL Injection via API Order Filters

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...

CVE-2026-31800 Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

CVE-2026-30951

CVE-2026-30951 affects Sequelize (Node.js ORM). Prior to version 6.37.8, JSON/JSONB where-clause processing can interpolate an unescaped cast type via _traverseJSON(), inserting CAST(... AS ) with attacker-controlled JSON keys, enabling arbitrary SQL and data exfiltration from any table. The vuln...

CVE-2026-29174 Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort0direction and sort0sortField parameters are concatenated directly into an addOrderBy clause without any validation or...

CVE-2026-29172

Craft Commerce (Craft CMS) is affected by a SQL Injection in the purchasables table sorting. Prior to versions 4.10.2 and 5.5.3, the sort parameter is split by | and the first part (column name) is used directly as an array key in orderBy() without whitelist validation, allowing an authenticated ...

EUVD-2026-10686

Improper neutralization of special elements used in an sql command 'sql injection' in SQL Server allows an authorized attacker to elevate privileges over a network...

EUVD-2026-10455

SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. A...

SQL Injection

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to SQL Injection in the processing of the sort0direction and sort0sortField parameters within the inventory levels table data endpoint. An attacker can execute arbitrary SQL commands by supplying craft...

EUVD-2026-10813

Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting...

CVE-2025-56421

SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database...

CVE-2025-49784

An improper neutralization of special elements used in an sql command 'sql injection' vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer-BigDa...

CVE-2026-26115

CVE-2026-26115: Microsoft SQL Server Elevation of Privilege due to improper validation of input. Affects Microsoft SQL Server; vulnerability is exploitable over a network by an authorized attacker with LOW privileges; CVSS v3.1 base score 8.8 (High). Connected sources also reference related bugs ...