331 matches found

Nuclei
added 8 hours ago, 9 views

Mailcow < 2026-03b - Href Link Injection

mailcow 2026-03b reflects raw REQUESTURI into JavaScript and href links on the login page, allowing attackers to inject parameters that break JS logic and enable phishing. id: CVE-2026-40878 info: name: Mailcow 2026-03b - Href Link Injection author: ritikchaddha severity: low description: | mailc...

CVSS 2.1, AI score 5.9, EPSS 0.00805
Exploits 0, References 3

Nuclei
added yesterday, 19 views

QNAP Photo Station < 6.0.3 - Remote Code Execution

QNAP Photo Station versions prior to 6.0.3 contain multiple vulnerabilities that, when chained together, enable unauthenticated remote code execution (RCE). id: CVE-2019-7194 info: name: QNAP Photo Station 6.0.3 - Remote Code Execution author: x-stp severity: critical description: | QNAP Photo...

CVSS 9.8, AI score 7.9, EPSS 0.82966
Exploits 8, References 1

EUVD
added 4 days ago, 4 views

EUVD-2019-20191

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION...

CVSS 8.8, AI score 6.3
Exploits 0, References 4

EUVD
added 4 days ago, 4 views

EUVD-2017-18998

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=comstreetguess&view=maps parameters a...

CVSS 8.8, AI score 6.2
Exploits 0, References 2

Positive Technologies
added 4 days ago, 9 views

PT-2026-50988

Name of the Vulnerable Software and Affected Versions Joomla! Component J-BusinessDirectory version 4.9.7 Description An SQL injection allows unauthenticated attackers to execute arbitrary SQL queries. This is achieved by injecting malicious code into the type parameter via GET requests to the...

CVSS 8.8, AI score 6.2
Exploits 0, References 8

EUVD
added 5 days ago, 7 views

EUVD-2026-37851

Nur-Alam39 bus-ticket no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad contains an unauthenticated SQL injection vulnerability in businfo.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query select from businfo where id=$busid...

CVSS 9.8, AI score 5.9, EPSS 0.00366
Exploits 0, References 2

NVD
added 6 days ago, 4 views

CVE-2026-48875

Unauthenticated SQL Injection in JetSmartFilters = 3.8.1 versions...

CVSS 9.3, EPSS 0.00372
Exploits 0, References 1

NVD
added 6 days ago, 4 views

CVE-2026-40725

Unauthenticated PHP Object Injection in WooCommerce Product Filters 2.0.6 versions...

CVSS 9.8, EPSS 0.00375
Exploits 0, References 1

NVD
added 6 days ago, 7 views

CVE-2026-22332

Unauthenticated SQL Injection in Tutor LMS Pro = 3.9.6 versions...

CVSS 9.3, EPSS 0.00283
Exploits 0, References 1

CVE
added 6 days ago, 13 views

CVE-2026-54811

CVE-2026-54811 : Affected software is the WordPress WP eMember plugin versions older than 10.9.4. The issue is an unauthenticated SQL Injection in the plugin, allowing an attacker with network access (no user credentials, no UI interaction) to potentially read or exfiltrate data. The CVSS metrics...

CVSS 9.3, AI score 5.7, EPSS 0.00291
Exploits 0, References 1

Cvelist
added 6 days ago, 29 views

CVE-2026-54187 WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions...

CVSS 9.3, EPSS 0.00291
Exploits 0, References 1

CVE
added 6 days ago, 16 views

CVE-2026-52706

CVE-2026-52706 : Unauthenticated PHP Object Injection in WordPress JetEngine plugin (versions ≤ 3.8.10). Affected component: JetEngine; vulnerability type: PHP Object Injection. Impact: high confidentiality, integrity, and availability (CVSS 3.1 base score 9.8; network attack vector; no user inte...

CVSS 9.8, AI score 5.3, EPSS 0.00386
Exploits 0, References 1

CVE
added 6 days ago, 19 views

CVE-2026-49084

JetEngine (WordPress plugin) versions earlier than 3.8.9.1 are affected by unauthenticated SQL Injection. The vulnerability is described as a high-severity (CVSS 3.1: 9.3) issue with network access and no required privileges, impacting confidentiality. A fix is available in 3.8.9.1 and later; upg...

CVSS 9.3, AI score 5.7, EPSS 0.00291
Exploits 0, References 1

CVE
added last week, 9 views

CVE-2026-40758

The CVE concerns WordPress Léonie theme versions

CVSS 8.1, AI score 5.3, EPSS 0.0032
Exploits 0, References 1

NVD
added 2026/06/16 10:16 a.m., 10 views

CVE-2026-52715

Unauthenticated SQL Injection in GEO my WordPress = 4.5.5 versions...

CVSS 9.3, EPSS 0.0025
Exploits 0, References 1

CVE
added 2026/06/16 9:0 a.m., 13 views

CVE-2026-52715

GEO my WordPress plugin (WordPress)

CVSS 9.3, AI score 5.7, EPSS 0.0025
Exploits 0, References 1

EUVD
added 2026/06/15 9:30 p.m., 6 views

EUVD-2026-36960

Unauthenticated SQL Injection in SpeakOut! Email Petitions = 4.6.5 versions...

CVSS 9.3, AI score 5.7, EPSS 0.00296
Exploits 0, References 2

EUVD
added 2026/06/15 9:30 p.m., 4 views

EUVD-2026-36950

Unauthenticated SQL Injection in WP Photo Album Plus = 9.1.08.001 versions...

CVSS 9.3, AI score 5.7, EPSS 0.00295
Exploits 0, References 2

NVD
added 2026/06/15 9:17 p.m., 9 views

CVE-2026-49776

Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites = 2.32.6 versions...

CVSS 9.3, EPSS 0.00289
Exploits 0, References 1

NVD
added 2026/06/15 9:16 p.m., 4 views

CVE-2026-42639

Unauthenticated SQL Injection in GD Rating System = 3.6.2 versions...

CVSS 9.3, EPSS 0.00283
Exploits 0, References 1