CVE-2026-42383

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0...

CVE-2026-42747

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection.This issue affects Easy Form Builder: from n/a through = 4.0.6...

CVE-2026-42774

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1...

CVE-2026-40827

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can resu...

CVE-2026-40818

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24configetDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40841

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40331

Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable method without validation or sanitization. This...

CVE-2026-40829

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical...

CVE-2026-40837

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-40819

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the syncdata24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

NocoDB: SQL Injection via Column Title in Bulk GroupBy

Summary An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. Details The bulk groupBy path in group-by.ts builds three database-specific knex.raw aggregations that interpolate the request's columnname...

NocoBase - SQL Injection

NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...

PT-2026-47052

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and...

PT-2026-47007

A vulnerability has been found in code-projects Hotel and Tourism Reservation System 1.0. This affects an unknown function of the file /details.php. Such manipulation of the argument room leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and...

CVE-2026-10811 itsourcecode Fees Management System receipt.php sql injection

A security vulnerability has been detected in itsourcecode Fees Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /receipt.php. Such manipulation of the argument efid leads to sql injection. The attack may be performed from remote. The exploit has been...

CVE-2019-25728

Care2x 2.7 Hospital Information System is affected by SQL injection via the ck_config cookie parameter. The vulnerability allows unauthenticated attackers to inject arbitrary SQL through endpoints such as login.php, indexframe.php, and various module files, enabling extraction of sensitive databa...

CVE-2019-25728 Care2x 2.7 Hospital Information System SQL Injection via ck_config

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ckconfig cookie parameter. Attackers can inject malicious SQL through the ckconfig cookie in multiple endpoints including login.php, indexframe.php...

CVE-2026-10808

A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown function of the file /managestudent.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be use...

CVE-2026-4104 SQLi in Akmer Informatics' TeknoPass

Authorization bypass through User-Controlled SQL primary key vulnerability in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass allows SQL Injection. This issue affects TeknoPass: from 20210501 through 20260429...