
8196 matches found

RedhatCVE
added 2026/04/03 10:57 a.m., 3 views

CVE-2026-33616

An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVSS 7.5 | AI score 6 | EPSS 0.00339
Exploits 0 | References 1
CNNVD
added 2026/04/03 12:00 a.m., 5 views

PraisonAI SQL Injection Vulnerability

PraisonAI is a low-code multi-agent collaboration framework. PraisonAI suffers from a SQL injection vulnerability that stems from the getalluserthreads function constructing raw SQL queries using unescaped thread IDs, which can be exploited by an attacker to cause SQL injection and gai...

CVSS 9.8 | AI score 5.9 | EPSS 0.00533
Exploits 1 | References 1
Positive Technologies
added 2026/04/03 12:00 a.m., 3 views

PT-2026-30243

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...

CVSS 7.2 | AI score 6.1 | EPSS 0.00372
Exploits 1 | References 4
OSV
added 2026/04/02 6:42 p.m., 2 views

GO-2026-4914 Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet

Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet...

CVSS 8.6 | AI score 5.9 | EPSS 0.00197
Exploits 0 | References 2
EUVD
added 2026/04/02 5:59 p.m., 2 views

EUVD-2026-18470

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3...

CVSS 9.9 | AI score 5.8 | EPSS 0.0027
Exploits 0 | References 2
Cvelist
added 2026/04/02 1:48 p.m., 15 views

CVE-2026-35168 OpenSTAManager: SQL Injection via Aggiornamenti Module

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti Updates module in OpenSTAManager contains a database conflict resolution feature op=risolvi-conflitti-database that accepts a JSON array of SQL statements via PO...

CVSS 8.8 | EPSS 0.00668
Exploits 1 | References 3
Cvelist
added 2026/04/02 8:59 a.m., 29 views

CVE-2026-33616 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint

An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVSS 7.5 | EPSS 0.00339
Exploits 0 | References 2
Vulnrichment
added 2026/04/02 8:59 a.m., 2 views

CVE-2026-33614 MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVSS 7.5 | AI score 6.1 | EPSS 0.00339
Exploits 0 | References 2
CNNVD
added 2026/04/02 12:00 a.m., 5 views

Vanna Security Vulnerability

Vanna is a personalized AI SQL proxy from Vanna Corporation. Versions of vanna 2.0.2 and earlier contained security vulnerabilities. These vulnerabilities were caused by overly lax cross-domain policies implemented in the FastAPI/Flask Server component, which could lead to remote attacks...

CVSS 5.3 | AI score 5.9 | EPSS 0.00162
Exploits 0 | References 4
CNNVD
added 2026/04/02 12:00 a.m., 6 views

MB Connect Line mbCONNECT24 SQL Injection Vulnerability

MB Connect Line mbCONNECT24 is a remote service portal developed by the German company MB Connect Line. This product supports functions such as remote access, data recording, and alarm notifications. MB Connect Line mbCONNECT24 has a SQL injection vulnerability, which stems from improper handling...

CVSS 7.5 | AI score 5.9 | EPSS 0.00339
Exploits 0 | References 2
CNNVD
added 2026/04/02 12:00 a.m., 6 views

MB Connect Line mbCONNECT24 SQL Injection Vulnerability

MB Connect Line mbCONNECT24 is a remote service portal developed by the German company MB Connect Line. This product supports features such as remote access, data recording, and alarm notifications. MB Connect Line mbCONNECT24 has a SQL injection vulnerability, which stems from improper handling ...

CVSS 9.1 | AI score 5.9 | EPSS 0.00415
Exploits 0 | References 2
Positive Technologies
added 2026/04/02 12:00 a.m., 4 views

PT-2026-29682

Name of the Vulnerable Software and Affected Versions: AlejandroArciniegas mcp-data-vis (affected versions not specified). Description: A SQL injection issue exists in the Request function within the src/servers/database/server.js file of the MCP Handler component. This manipulation can be initiated...

CVSS 7.5 | AI score 7.2 | EPSS 0.00259
Exploits 0 | References 8
Positive Technologies
added 2026/04/02 12:00 a.m., 4 views

PT-2026-29954

Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet...

CVSS 8.6 | AI score 6 | EPSS 0.00197
Exploits 0 | References 3
Tenable Nessus
added 2026/04/02 12:00 a.m., 2 views

Zabbix 7.0.x < 7.0.22 / 7.2.x < 7.2.15 / 7.4.x < 7.4.6 Multiple Vulnerabilities (ZBX-27639)

The version of Zabbix Server installed on the remote host is prior to 7.0.22, 7.2.15, 7.4.6. It is, therefore, affected by multiple vulnerabilities: - A blind SQL injection vulnerability exists in the Zabbix API via the sortfield parameter in include/classes/api/CApiService.php. A low privilege...

CVSS 8.7 | AI score 6.1 | EPSS 0.00248
Exploits 0 | References 3
RedhatCVE
added 2026/04/01 11:01 p.m., 3 views

CVE-2026-5206

A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Paymentid/Amount/customerid/paymenttype/customername leads to sql injection. Remote exploitation...

CVSS 6.5 | AI score 6.5 | EPSS 0.00192
Exploits 0 | References 1
Snyk
added 2026/04/01 9:19 p.m., 1 view

SQL Injection

Overview: @payloadcms/drizzle is a library of shared functions used by different payload database adapters. Affected versions of this package are vulnerable to SQL Injection via the endpoints accepting dynamic query for Collections. An attacker can access sensitive information or modify data by...

CVSS 8.5 | AI score 6 | EPSS 0.00317
Exploits 0 | References 2
Cvelist
added 2026/04/01 4:05 p.m., 27 views

CVE-2026-34604 @tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed conten...

CVSS 7.1 | EPSS 0.00372
Exploits 0 | References 2
ATTACKERKB
added 2026/04/01 3:54 p.m., 3 views

CVE-2026-33949

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. T...

CVSS 8.1 | AI score 6 | EPSS 0.00386
Exploits 0 | References 2 | Affected Software 1
CVE
added 2026/04/01 9:03 a.m., 24 views

CVE-2026-21630

CVE-2026-21630 affects Joomla! Core — specifically the com_content articles webservice endpoint. The root cause is improperly built order clauses that enable a SQL injection. Exploitation details are not provided in the supplied documents, but CVSS metrics indicate a high-impact vulnerability aff...

CVSS 8.8 | AI score 6 | EPSS 0.00341
Exploits 0 | References 1 | Affected Software 1
OSV
added 2026/04/01 8:41 a.m., 3 views

BIT-GRAFANA-2026-33375 Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container...

CVSS 6.5 | AI score 5.9 | EPSS 0.00433
Exploits 0 | References 2