Lucene search
K

217415 matches found

Nuclei
Nuclei
added yesterday46 views

Subscribe to Category <= 2.7.4 - SQL Injection

The Subscribe to Category contains a sqlinjection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction. id: CVE-2023-32590 info: name: Subscribe to Category = 2.7.4 - SQL Injection author:...

9.3CVSS7.2AI score0.01646EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday119 views

Piwigo 13.7.0 - SQL Injection

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header User-Agent is vulnerable at the endpoint that records user information when logging in to the...

9.8CVSS7.2AI score0.97405EPSS
Exploits21References5
Nuclei
Nuclei
added yesterday36 views

Hongjing e-HR 2020 - SQL Injection

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /wselfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument...

9.8CVSS6.7AI score0.03766EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday32 views

Mingsoft MCMS 5.2.9 - SQL Injection

Mingsoft MCMS v5.2.9 contains a SQL injection caused by unsanitized categoryType parameter at /content/list.do, letting attackers execute arbitrary SQL commands, exploit requires crafted input. id: CVE-2023-50578 info: name: Mingsoft MCMS 5.2.9 - SQL Injection author: ritikchaddha severity:...

9.8CVSS7.2AI score0.02222EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday23 views

WordPress GamiPress <= 2.5.7 - SQL Injection

The GamiPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.5.7 due to insufficient escaping on the user supplied parameter '$qv$fieldid' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...

9.8CVSS7AI score0.0257EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday10 views

LogDash Activity Log <= 1.1.3 - SQL Injection

The LogDash Activity Log plugin for WordPress is vulnerable to SQL Injection via the username parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

5.4CVSS6.1AI score0.00748EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday123 views

ECTouch v2 - SQL Injection

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr'id' parameter at \default\helpers\insert.php. id: CVE-2023-39560 info: name: ECTouch v2 - SQL Injection author: s4e-io severity: critical description: | ECTouch v2 was discovered to contain a SQL injection vulnerabili...

9.8CVSS7.1AI score0.04109EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday121 views

Wordpress Gift Cards <= 4.3.1 - SQL Injection

The Gift Cards Gift Vouchers and Packages WordPress Plugin, version = 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgvdoajaxvoucherpdfsavefunc action. id: CVE-2023-28662 info: name: Wordpress Gift Cards = 4.3.1 - SQL Injection author: xxcd...

9.8CVSS7AI score0.42186EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday27 views

Quiz and Survey Master <= 8.1.4 - SQL Injection

ExpressTech Quiz And Survey Master versions up to 8.1.4 contains an SQL injection caused by improper neutralization of special elements used in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires user interaction. id: CVE-2023-28787 info: name: Quiz and Survey Master =...

9.3CVSS7.2AI score0.01977EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday79 views

Cacti 1.2.24 - SQL Injection

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graphview.php. Since guest users can access graphview.php without authentication by default, if guest users are being utilized in an enabled state, there...

9.8CVSS7.2AI score0.87688EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday104 views

Slimstat Analytics < 4.9.3.3 Subscriber - SQL Injection

The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. id: CVE-2023-0630 info: name: Slimstat Analytics 4.9.3.3 Subscriber - SQL Injection author: DhiyaneshDK severity: high description...

8.8CVSS7.1AI score0.05141EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday49 views

404 to 301 <= 2.0.2 - Authenticated Blind SQL Injection

The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability. id: CVE-2015-9323 info: name: 404 to 301 = 2.0.2 - Authenticated Blind SQL Injection author: Harsh severity: critical description: | The 404 to 301 –...

9.8CVSS7AI score0.46125EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday15 views

Vendure Core - SQL Injection

Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or inp...

9.1CVSS6.4AI score0.01762EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday17 views

phpMyFAQ <= 4.1.1 - SQL Injection

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS6.1AI score0.01709EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday26 views

Geo Mashup <= 1.13.17 - SQL Injection

Geo Mashup WordPress plugin = 1.13.17 contains a SQL injection caused by insufficient escaping of the 'sort' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-2416 info: name: Geo Mashup = 1.13.17 - SQL Injection author: Shivam Kamboj...

7.5CVSS6.1AI score0.01392EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday29 views

LiteLLM - SQL Injection

LiteLLM 1.81.16 to 1.83.7 contains a SQL injection caused by improper handling of caller-supplied key in database query during proxy API key checks, letting unauthenticated attackers read and modify database data, exploit requires crafted Authorization header. id: CVE-2026-42208 info: name: LiteL...

9.8CVSS6.2AI score0.86607EPSS
Exploits7References3
Nuclei
Nuclei
added yesterday12 views

WordPress Newsletters <= 4.13 - Unauthenticated SQL Injection

Newsletters WordPress plugin = 4.13 contains a time-based SQL injection caused by insufficient escaping of the 'wpmlsubscriberid' parameter, letting unauthenticated attackers extract sensitive database information. id: CVE-2026-3018 info: name: WordPress Newsletters = 4.13 - Unauthenticated SQL...

7.5CVSS6.1AI score0.01382EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday64 views

NocoBase - SQL Injection

NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...

7.2CVSS6.1AI score0.01833EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday14 views

WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...

7.5CVSS6.1AI score0.01383EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday129 views

Vanna - SQL injection

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...

9.8CVSS7.2AI score0.03452EPSS
Exploits0References4
Rows per page
Query Builder