EUVD-2026-8888

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering listprivatemessagestag allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and...

CVE-2026-27149 Discourse has SQL injection in PM tag filtering

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering listprivatemessagestag allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and...

GHSA-F3F2-MCXC-PWJX n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes

Impact An authenticated user with permission to create or modify workflows and access to a database credential could unknowingly create a workflow that was vulnerable to SQL injection, even while expecting inputs to be handled safely through escaped parameters. By supplying specially crafted tabl...

CVE-2026-1198

SIMPLE.ERP is affected by a SQL Injection in the search feature in the "Obroty na kontach" window. The issue arises from insufficient input validation, allowing an authenticated attacker to craft a query that could be executed by the database. The CVE entry notes a high impact (CVSS v4.0 base sco...

Hoppscotch 安全漏洞

Hoppscotch is an open-source API development ecosystem developed by Hoppscotch. Versions of Hoppscotch prior to 2026.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks in the userCollection GraphQL queries, which could lead to insecure dire...

GO-2026-4531 New API has an SQL LIKE Wildcard Injection DoS via Token Search in github.com/QuantumNous/new-api

New API has an SQL LIKE Wildcard Injection DoS via Token Search in github.com/QuantumNous/new-api...

n8n has Potential Remote Code Execution via Merge Node

Impact An authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. Patches The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to...

CVE-2026-3200

A vulnerability was identified in z-9527 admin 1.0/2.0. The affected element is the function checkName/register/login/getUser/getUsers of the file /server/controller/user.js. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might...

CVE-2026-25746

CVE-2026-25746 (OpenEMR) affects OpenEMR versions prior to 8.0.0, where a SQL injection vulnerability exists in the prescription listing functionality due to insufficient input validation in the code path that builds the prescriptions query (Prescription.class.php and C_Prescription.list_action)....

CVE-2026-24908

OpenEMR vulnerability CVE-2026-24908: Prior to v8.0.0, an SQL injection flaw in the Patient REST API endpoint allows authenticated API users to inject arbitrary SQL via the _sort parameter. This can lead to database access and exposure of PHI and credentials. A fix is available in v8.0.0. No expl...

CVE-2026-2416 Geo Mashup <= 1.13.17 - Unauthenticated SQL Injection via 'sort' Parameter

The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

EUVD-2026-8512

A vulnerability was found in itsourcecode News Portal Project 1.0. This issue affects some unknown processing of the file /admin/contactus.php. The manipulation of the argument pagetitle results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and...

EUVD-2026-8509

A vulnerability has been found in itsourcecode Document Management System 1.0. Impacted is an unknown function of the file /register.php. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public a...

EUVD-2026-8609

The SPIP refererspam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the refererspamajouter and refererspamsupprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input...

CVE-2026-3149

A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument coursecode can lead to sql injection. The attack can be executed...

CVE-2026-3152 itsourcecode College Management System teacher-salary.php sql injection

A flaw has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/teacher-salary.php. This manipulation of the argument teacherid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published a...

CVE-2026-3150

A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacherid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...

CVE-2026-3148 SourceCodester Simple and Nice Shopping Cart Script signup.php sql injection

A vulnerability was determined in SourceCodester Simple and Nice Shopping Cart Script 1.0. This impacts an unknown function of the file /signup.php. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and m...

CVE-2026-27747

The CVE concerns the SPIP plugin interface_traduction_objets (versions prior to 4.3.3). The vulnerability is an authenticated SQL injection in interface_traduction_objets_pipelines.php: the plugin reads the id_parent parameter from user input and directly concatenates it into a SQL WHERE clause i...

CVE-2026-3134

A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin/edit-category.php. The manipulation of the argument Category results in sql injection. The attack may be performed from remote. The exploit has be...