ChanCMS SQL Injection Vulnerability
ChanCMS is a content management system. ChanCMS 3.3.0 and earlier versions suffer from a SQL injection vulnerability, which originates from the lack of validation of the Search parameter key in the app/modules/api/service/Api.js function against external input SQL statements. An attacker can...
NewType Infortech NUP Portal SQL Injection Vulnerability
NewType Infortech NUP Portal is a portal management and collaborative office software system from NewType Infortech Taiwan, China. NewType Infortech NUP Portal suffers from a SQL injection vulnerability that originates from an unauthenticated, remote attacker who can inject arbitrary SQL commands...
GHSA-H8WV-VV58-468H Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges in the context of the SQL query tool...
CVE-2025-9451
The CVE relates to the WordPress plugin Smartcat Translator for WPML. It describes a time-based SQL injection via the orderby parameter in all versions up to 3.1.69, caused by insufficient escaping of user input and inadequate preparation of the SQL query. The vulnerability requires authenticatio...
Online Fire Reporting System SQL Injection Vulnerability
Online Fire Reporting System is an online fire reporting system developed by Carlo Montero, an individual developer. A SQL injection vulnerability exists in Online Fire Reporting System version 1.2, which stems from incorrect manipulation of the parameter requestid in the endpoint /ofrs/details.php, which could...
Online Fire Reporting System SQL Injection Vulnerability
Online Fire Reporting System is an online fire reporting system developed by Carlo Montero, an individual developer. A SQL injection vulnerability exists in Online Fire Reporting System version 1.2, which stems from an incorrect manipulation of the parameter todate in the file...
PT-2025-37176
Name of the Vulnerable Software and Affected Versions: Online Fire Reporting System version 1.2 Description: The Online Fire Reporting System contains a SQL injection flaw. This flaw allows an attacker to retrieve, create, update, and delete database information via the requestid parameter in the...
PT-2025-37170
Name of the Vulnerable Software and Affected Versions: Online Fire Reporting System version 1.2 Description: The Online Fire Reporting System contains a SQL injection flaw. This flaw allows an attacker to retrieve, create, update, and delete database information via the mobilenumber, teamleadname...
CVE-2025-10218
A flaw has been found in lostvip-com ruoyi-go 2.1. This affects the function SelectListPage of the file modules/system/dao/SysRoleDao.go of the component Background Management Page. This manipulation of the argument sortName causes sql injection. Remote exploitation of the attack is possible. The...
CVE-2025-10210
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Impacted is the function Search of the file app/modules/api/service/Api.js. Executing manipulation of the argument key can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the...
ExploitNotes
It is an offline collection of notes and examples for exploit...
CVE-2025-56407
A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been...
CVE-2025-9943 Unauthenticated SQL Injection Vulnerability in Shibboleth Service Provider
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider SP is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing f...
CVE-2025-7826 Testimonial <= 2.3 - Authenticated (Contributor+) SQL Injection
The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
WordPress plugin Testimonial SQL Injection Vulnerability
WordPress Testimonial Plugin is a plugin for displaying customer feedback, testimonials or user reviews in your website, mainly for enhancing website trust and social proof. WordPress Testimonial Plugin suffers from a SQL injection vulnerability that stems from insufficient cleaning and escaping ...
ChanCMS SQL Injection Vulnerability
ChanCMS is a content management system. ChanCMS 3.3.0 and earlier versions suffer from a SQL injection vulnerability, which originates from the lack of validation of the Search parameter key in the app/modules/api/service/Api.js function against external input SQL statements. An attacker can...
PT-2025-37002
Name of the Vulnerable Software and Affected Versions: HJSoft HCM Human Resources Management System versions prior to 20250823 Description: A SQL injection issue exists in HJSoft HCM Human Resources Management System. The vulnerability is located in an unknown functionality of the file...
Linux Distros Unpatched Vulnerability : CVE-2024-5314
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially...
PT-2025-37091
Name of the Vulnerable Software and Affected Versions: ChanCMS versions up to 3.3.0 Description: A SQL injection weakness exists in the Search function within the app/modules/api/service/Api.js file. Manipulation of the key argument can lead to SQL injection. The exploit has been publicly release...
Linux Distros Unpatched Vulnerability : CVE-2018-10094
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without...