PT-2026-49504

Unauthenticated SQL Injection in Advanced 301 and 302 Redirect = 1.6.9 versions...

PT-2026-49355

Contributor SQL Injection in PowerPress Podcasting = 11.15.10 versions...

PT-2026-49487

Subscriber SQL Injection in WP Time Slots Booking Form = 1.2.50 versions...

PT-2026-49518

Unauthenticated SQL Injection in eCommerce Product Catalog = 3.5.5 versions...

PT-2026-49493

Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System = 3.3.6 versions...

CVE-2026-39196

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the seturiquery parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements...

CVE-2026-36670

A Time-Based Blind SQL Injection vulnerability in the aliasmanagement module of OpenSIPS Control Panel opensips-cp prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in aliasmanagement.php...

PT-2026-49306

Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert builds an INSERT against HARVEST SITE SCHEDULE via string...

PT-2026-49490

Unauthenticated SQL Injection in JS Help Desk = 3.0.9 versions...

PT-2026-49331

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement...

PT-2026-49211

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php endpoint to extract...

PT-2026-49206

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint wit...

PT-2026-49207

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to...

📄 FreePBX SQL Injection / Shell Upload / Remote Root

This Python3 script exploits a remote SQL injection vulnerability in FreePBX and adds a remote shell that achieves root privileges. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3...

PT-2026-49466

Unauthenticated SQL Injection in Realtyna Organic IDX plugin = 5.1.0 versions...

PT-2026-49209

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloa...

PT-2026-49387

Unauthenticated SQL Injection in Form Maker by 10Web = 1.15.38 versions...

CVE-2026-38812

CVE-2026-38812 affects RuoYi v4.8.2; the code-generation tool (endpoint /tool/gen/createTable) is vulnerable to SQL Injection. An authenticated administrator could potentially access sensitive database information. An exploit exists in a public GitHub repository illustrating the issue. No patch/v...

PT-2026-49298

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information...

PT-2026-49302

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set uri query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements...