CVE-2026-31952 Xibo CMS API has SQL Injection via DataSet Filter Parameter

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to...

Xibo CMS SQL注入漏洞

Xibo CMS is an open-source content management system for Xibo Digital Signage. Versions 1.7 to 4.4.0 of Xibo CMS have SQL injection vulnerabilities. These vulnerabilities stem from SQL injection in the dataset filtering parameters within the API routing, which may allow authorized users to access...

PT-2026-34835

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy section save function in app/routes/config/routes.py. The server ip parameter, sourced from the URL path, is passed unsanitized throug...

CVE-2025-63029

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through = 3.7.1...

EUVD-2026-25224

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

CVE-2026-41460

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

GHSA-V529-VHWC-WFC5 OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' Attack type: Authenticated remote Impact: Telemetry data disclosure and deletion Affected components: openc3-tsdb QuestDB A SQL injection vulnerability exists in the Time-Series Database...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that are interpolated directly into SQL strings. Th...

SQL Injection

Overview openc3 is a Python support for OpenC3 COSMOS Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that a...

OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' Attack type: Authenticated remote Impact: Telemetry data disclosure and deletion Affected components: openc3-tsdb QuestDB A SQL injection vulnerability exists in the Time-Series Database...

CVE-2026-41460

CVE-2026-41460 (SocialEngine) affects SocialEngine versions 7.8.0 and earlier, with a SQL injection in the /activity/index/get-memberall endpoint. User input passed via the text parameter is not sanitized before being used in a SQL query. An unauthenticated remote attacker can read arbitrary data...

CVE-2026-41460 SocialEngine <= 7.8.0 SQL Injection via activity/index/get-memberall

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

CVE-2026-41460 SocialEngine <= 7.8.0 SQL Injection via activity/index/get-memberall

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

CVE-2026-41460

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

CVE-2026-6887

The CVE-2026-6887 entry concerns Borg SPM 2007 (BorG Technology Corporation). The connected sources describe a SQL Injection vulnerability that allows unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. The vulnerability impact is descr...

web-vulnerability-scanner

web-vulnerability-scanner This Reposito...

CMS ALAYA vulnerable to SQL injection

Overview CMS ALAYA provided by KANATA Limited contains the following vulnerability. SQL injection CWE-89 - CVE-2026-40529 Naoto Senda of Five Drive Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...

EUVD-2026-25184

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface...

hangover-ctf-wolfpack-deals

🎰 The Hangover CTF — Machine 1: Wolfpack Deals "What happe...

CVE-2026-40529

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface...