CVE-2018-25410 SIM-PKH 2.4.1 SQL Injection via media.php id Parameter

SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQ...

CVE-2018-25392

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability exploitable by authenticated users through the log_activity function. The flaw occurs in /index.php/user/log_activity where parameters nomor, user, and jenis can be tainted with arbitrary SQL. Successful exploitation can enumerate...

CVE-2026-42100

Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service DoS attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability,...

CVE-2026-42100

Technical details (affected products/versions, root cause, impact, mitigation) are not publicly available in the provided documents. Monitor for updates as new information may be published.

CVE-2026-42100 DoS in Sparx Pro Cloud Server

Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service DoS attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability,...

CVE-2026-42100

Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service DoS attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability,...

CVE-2026-42100 DoS in Sparx Pro Cloud Server

Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service DoS attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability,...

EUVD-2026-30931

Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but...

CVE-2026-42097

Sparx products show multiple CVEs with concrete details across Pro Cloud Server and Enterprise Architect. CVE-2026-42097 describes an authentication bypass: a request can omit the model parameter and embed the model name in a POST blob, enabling SQL query execution without authentication. CVE-202...

CVE-2026-8827 SQL Injection in extension "Address List" (tt_address)

The AddressRepository::getSqlQuery method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call...

CVE-2025-36122 IBM® Db2® is vulnerable to a denial of service with a specially crafted query when stmtheap is set to automatic

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows includes DB2 Connect Server could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources...

EUVD-2025-209601

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows includes DB2 Connect Server could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources...

CVE-2025-36122

CVE-2025-36122 affects IBM Db2 11.5.0–11.5.9 and 12.1.0–12.1.3 for Linux, UNIX and Windows (including DB2 Connect Server). An authenticated user can cause a denial of service via a specially crafted SQL query due to improper allocation of system resources when stmtheap is set to AUTOMATIC. CVSS v...

ROS-20260417-73-0047

Vulnerability in glpi related to failure to take measures to protect sql query structure. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

ROS-20260417-73-0034

Vulnerability in zabbix7-lts related to failure to take measures to protect sql query structure. Exploitation of the vulnerability could allow a remote attacker to execute arbitrary code...

SQL Injection

Overview griptape-tools is a Tools for the Griptape framework. Affected versions of this package are vulnerable to SQL Injection through the executequery path in the SQL tool and loader components. An attacker can execute malicious SQL against the connected database by prompt-injecting the LLM to...

CVE-2026-30273

pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base.executesqlquery component...

GHSA-9CQ8-3V94-434G PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`

Summary The getalluserthreads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via updatethread. When the application loads the thread list, the injected payload executes and grants full database...

CVE-2026-34747

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patche...

EUVD-2026-17959

pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base.executesqlquery component...