47 matches found
CVE-2026-40843
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
CVE-2026-40846
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
CVE-2026-40846 Authenticated SQLi in system view
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
CVE-2026-40845 Authenticated SQLi in devices_configuration view
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devicesconfiguration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
CVE-2026-40829
CVE-2026-40829 describes an unauthenticated SQL Injection in the view.html.php UpdateParam function, exploitable by a high-privilege remote attacker. It can read the entire database and alter values in a non-critical table, leading to total confidentiality loss and some integrity loss. The connec...
CVE-2026-40818 Unauthenticated SQLi in _mb24confi_getDevice function function
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24configetDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
CVE-2026-40810 Unauthenticated SQLi in userinfo Endpoint
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
WordPress Custom CSS JS PHP plugin <= 2.0.7 - Unauthenticated SQL Injection to RCE vulnerability
Unauthenticated SQL Injection to RCE vulnerability discovered by John Umoru in WordPress Plugin Custom css-js-php versions = 2.0.7...
PT-2026-39315
Name of the Vulnerable Software and Affected Versions WP Photo Album Plus versions prior to 9.1.11.001 Description The plugin fails to properly sanitize and escape a parameter before its use in a SQL query. This allows unauthenticated users to execute SQL injection attacks, which involve insertin...
CVE-2026-3489
The CVE-2026-3489 entry concerns the DirectoryPress WordPress plugin (Business Directory and Classified Ad Listing) with vulnerable versions up to 3.6.26. The issue is an SQL Injection via the 'packages' parameter caused by insufficient escaping of user input and inadequate SQL query preparation,...
CVE-2026-3830
The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks...
CVE-2026-28430
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the customdates parameter. By chaining this with a predictable legacy password reset mechanism, an...
EUVD-2026-12492
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the customdates parameter. By chaining this with a predictable legacy password reset mechanism, an...
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Impact An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and...
EUVD-2025-206786
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infilitygetdata' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...
PT-2026-6290
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get// endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0...
CVE-2025-12850 My auctions allegro <= 3.6.32 - Unauthenticated SQL Injection via auction_id
The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the ‘auctionid’ parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...
CVE-2025-7402 Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id
The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘siteid’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
Linux Distros Unpatched Vulnerability : CVE-2025-24799
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability ...
CVE-2023-23737
Unauth. SQL Injection SQLi vulnerability in MainWP MainWP Broken Links Checker Extension plugin = 4.0 versions...