Lucene search
+L

263 matches found

cve
cve
added last week7 views

CVE-2026-58492

Technical details are not publicly available in the provided documents. Monitor for updates.

9.2CVSS6.3AI score0.00302EPSS
Exploits0References3
cvelist
cvelist
added last week30 views

CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin ...

9.2CVSS0.00302EPSS
Exploits0References3
cvelist
cvelist
added 2026/07/06 8:33 p.m.37 views

CVE-2026-14471 Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry

Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted tablename value that is interpolated into SQL statements in...

8.6CVSS0.00325EPSS
Exploits0References3
osv
osv
added 2026/06/24 11:7 a.m.7 views

BIT-NIFI-2026-44913 Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

7.2CVSS5.9AI score0.00385EPSS
Exploits0References3
nvd
nvd
added 2026/06/22 8:17 a.m.15 views

CVE-2026-44913

Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...

7.2CVSS0.00385EPSS
Exploits0References2
cve
cve
added 2026/05/23 6:30 p.m.37 views

CVE-2018-25358

The CVE-2018-25358 entry concerns the D-Link DIR-601 (firmware 2.02NA) where an unauthenticated attacker can disclose credentials via /my_cgi.cgi by manipulating the table_name parameter in POST requests. Affected data includes administrative credentials and wireless keys, exposed in cleartext. T...

8.7CVSS5.8AI score0.00585EPSS
Exploits0References5
attackerkb
attackerkb
added 2026/05/23 6:30 p.m.13 views

CVE-2018-25358

D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the tablename parameter in POST requests. Attackers can send requests to /mycgi.cgi with tablename values like adminuser,...

8.7CVSS5.8AI score0.00585EPSS
Exploits0References5
osv
osv
added 2026/05/18 5:53 a.m.8 views

BIT-POSTGRESQL-2026-6638 PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18...

8.8CVSS6.1AI score0.0018EPSS
Exploits0References2
mscve
mscve
added 2026/05/16 8:4 a.m.48 views

PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

...

8.8CVSS5.8AI score0.0018EPSS
Exploits0
cvelist
cvelist
added 2026/05/14 1:0 p.m.62 views

CVE-2026-6638 PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18...

3.7CVSS0.0018EPSS
Exploits0References1
github
github
added 2026/05/04 6:30 p.m.11 views

Apache Polaris has an Improper Input Validation issue

In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Apache Polaris builds Google Cloud Storage downscoped credentials b...

9.9CVSS5.7AI score0.00431EPSS
Exploits0References5Affected Software1
githubexploit
githubexploit
added 2026/04/29 9:16 p.m.86 views

Exploit for Improper Neutralization of Special Elements in Data Query Logic in Pab1It0 Azure_Data_Explorer_Mcp_Server

CVE-2026-33980 — KQL Injection in adx-mcp-server via tablenam...

8.3CVSS6.1AI score0.00396EPSS
Exploits3
redhatcve
redhatcve
added 2026/04/20 7:22 p.m.9 views

CVE-2026-33207

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query string...

8.8CVSS6AI score0.00349EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/04/17 12:0 a.m.20 views

PT-2026-37121

Name of the Vulnerable Software and Affected Versions praisonai versions prior to 4.6.9 praisonaiagents versions prior to 1.6.9 Description Multiple backends in the multi-agent teams system fail to validate input, leading to arbitrary SQL execution. Specifically, nine backends—MySQL, PostgreSQL,...

8.1CVSS6AI score0.00347EPSS
Exploits2References16
osv
osv
added 2026/04/16 7:37 p.m.2 views

CVE-2026-33207 DataEase SQL Injection Vulnerability

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query string...

8.6CVSS6.2AI score0.00349EPSS
Exploits1References4
euvd
euvd
added 2026/04/16 7:24 p.m.5 views

EUVD-2026-23290

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource update process. When a new table definition is added during a datasource update via /de2api/datasource/update, the deTableName field from th...

8.6CVSS6AI score0.00405EPSS
Exploits1References2
cnnvd
cnnvd
added 2026/04/16 12:0 a.m.11 views

DataEase 安全漏洞

DataEase is an open-source data visualization and analysis tool developed by DataEase. It helps users quickly analyze data and gain insights into business trends, thereby enabling improvements and optimizations in their businesses. DataEase versions 2.10.20 and earlier contain security...

8.8CVSS5.9AI score0.00349EPSS
Exploits1References2
snyk
snyk
added 2026/03/27 11:24 p.m.6 views

Improper Neutralization of Special Elements in Data Query Logic

Overview adx-mcp-server is a MCP server for Azure Data Explorer integration Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the gettableschema, sampletabledata, and gettabledetails handlers when the tablename parameter is...

8.7CVSS6.1AI score0.00396EPSS
Exploits3References2
osv
osv
added 2026/03/27 9:32 p.m.9 views

CVE-2026-33980 Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries

Azure Data Explorer MCP Server is a Model Context Protocol MCP server that enables AI assistants to execute KQL queries and explore Azure Data Explorer ADX/Kusto databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL Kusto Query Language injection vulnerabilitie...

8.3CVSS6.1AI score0.00396EPSS
Exploits3References4
attackerkb
attackerkb
added 2026/03/27 9:32 p.m.4 views

CVE-2026-33980

Azure Data Explorer MCP Server is a Model Context Protocol MCP server that enables AI assistants to execute KQL queries and explore Azure Data Explorer ADX/Kusto databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL Kusto Query Language injection vulnerabilitie...

8.3CVSS6.1AI score0.00396EPSS
Exploits3References3Affected Software1
Rows per page
Query Builder