SUSE CVE-2026-39825

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery...

CVE-2026-8207

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.phpL145 feature. Successful exploitation requires Teacher or high...

CVE-2025-63704

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016790)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016790 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL injection in column aliases via control...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016805)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016805 advisory. Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned Rows can result in unexpected...

PT-2026-39317

Name of the Vulnerable Software and Affected Versions Gibbon versions prior to 30.0.01 Description An authenticated SQL Injection exists in the Tracking/graphing feature. Users with Teacher or higher privileges can abuse this functionality to perform unintended read and write activities on the...

GHSA-H36F-RQPX-J5WX Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search

Unauthorized File and Knowledge Base Content Access via RAG Vector Search Affected Component RAG source resolution in chat completion pipeline: - backend/openwebui/retrieval/utils.py lines 963-965, 1063-1068, 1126-1131 in getsourcesfromitems Affected Versions Current main branch commit 6fdd19bf1...

SQL Injection

Overview @mikro-orm/knex is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript. Affected versions of this package are vulnerable to SQL Injection via improper...

MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...

absinthe_plug Has a Cross-site Scripting vulnerability

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

EUVD-2026-28805

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a...

CVE-2026-42794

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

CVE-2026-44337

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names...

CVE-2026-44337 PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names...

CVE-2026-41496 PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase,...

EUVD-2023-46797

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet...

XML External Entity (XXE) Injection

Overview org.opencms:opencms-core is a Java open source content management system by Alkacon Software. Affected versions of this package are vulnerable to XML External Entity XXE Injection via the cmis-online/query process. An attacker can access sensitive information by submitting specially...

CVE-2026-8129

A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly...

CVE-2026-42208 LiteLLM: SQL injection in Proxy API key verification

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An...

CVE-2026-8132

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txtusername causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be...