
29 matches found

NVD
added 2026/04/05 9:16 p.m. · 2 views

CVE-2019-25684

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitiv...

8.8 CVSS · 0.001 EPSS
Exploits 1 · References 3
ATTACKERKB
added 2026/04/05 8:45 p.m. · 0 views

CVE-2019-25684

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitiv...

8.8 CVSS · 6 AI score · 0.001 EPSS
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2026/04/05 8:45 p.m. · 20 views

CVE-2019-25684 OpenDocMan 1.3.4 SQL Injection via where Parameter

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitiv...

8.8 CVSS · 0.001 EPSS
Exploits 1 · References 3
CVE
added 2026/04/05 8:45 p.m. · 6 views

CVE-2019-25684

OpenDocMan 1.3.4 is vulnerable to an SQL injection via the where parameter in the search.php endpoint. The issue arises from unsafely constructed SQL queries that allow unauthenticated attackers to manipulate database queries and potentially extract sensitive information. Documented impact includ...

8.8 CVSS · 6 AI score · 0.001 EPSS
Exploits 1 · References 3 · Affected Software 1
Vulnrichment
added 2026/04/05 8:45 p.m. · 1 view

CVE-2019-25684 OpenDocMan 1.3.4 SQL Injection via where Parameter

OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitiv...

8.8 CVSS · 6 AI score · 0.001 EPSS
Exploits 1 · References 3
Cvelist
added 2026/03/11 4:53 p.m. · 28 views

CVE-2026-31840 Parse Server has a SQL injection via dot-notation field name in PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper...

9.3 CVSS · 0.00072 EPSS
Exploits 0 · References 3
Vulnrichment
added 2026/03/11 7:36 a.m. · 1 view

CVE-2026-1708 Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the dbwhereconditions method in the TDDBModel class failing to prevent the appendwheresql paramet...

7.5 CVSS · 6 AI score · 0.00181 EPSS
Exploits 0 · References 10
Positive Technologies
added 2026/03/10 12:00 a.m. · 6 views

PT-2026-24651

Impact An attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with t...

9.3 CVSS · 5.8 AI score · 0.00072 EPSS
Exploits 0 · References 12
Positive Technologies
added 2026/03/10 12:00 a.m. · 1 view

PT-2026-24635

Impact An attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with t...

9.3 CVSS · 5.8 AI score
Exploits 0 · References 5
NVD
added 2026/02/24 2:16 p.m. · 4 views

CVE-2026-23980

Improper Neutralization of Special Elements used in a SQL Command 'SQL Injection' vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users...

6.5 CVSS · 0.00041 EPSS
Exploits 2 · References 2
Cvelist
added 2026/02/24 12:54 p.m. · 14 views

CVE-2026-23980 Apache Superset: Improper Neutralization of Special Elements used in a SQL Command

Improper Neutralization of Special Elements used in a SQL Command 'SQL Injection' vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users...

5.3 CVSS · 0.00041 EPSS
Exploits 2 · References 1
ATTACKERKB
added 2026/01/14 10:23 p.m. · 1 view

CVE-2025-12166

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the order and appendwheresql parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack o...

7.5 CVSS · 6 AI score · 0.00116 EPSS
Exploits 0 · References 3
RedhatCVE
added 2026/01/09 10:56 a.m. · 2 views

CVE-2022-38539

Archery v1.7.5 to v1.8.5 was discovered to contain a SQL injection vulnerability via the where parameter at /archive/apply...

9.8 CVSS · 8.4 AI score · 0.00322 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 10:43 p.m. · 5 views

CVE-2022-28961

Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the liertrad and where parameters...

8.8 CVSS · 8.3 AI score · 0.00743 EPSS
Exploits 1 · References 1
OSV
added 2023/08/10 8:15 p.m. · 1 view

CVE-2023-39805

iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php...

9.8 CVSS · 5.8 AI score
Exploits 0 · References 3
Positive Technologies
added 2023/08/10 12:00 a.m. · 3 views

PT-2023-27112 · Icms · Icms

Name of the Vulnerable Software and Affected Versions: iCMS version 7.0.16 Description: The issue is related to a SQL injection vulnerability. It can be exploited via the where parameter at the "admincp.php" endpoint. Recommendations: For iCMS version 7.0.16, avoid using the where parameter in th...

9.8 CVSS · 9.5 AI score · 0.00091 EPSS
Exploits 0 · References 6
CNNVD
added 2023/08/10 12:00 a.m. · 2 views

iCMS SQL Injection Vulnerability

iCMS is an efficient and simple content management system built with PHP and MySQL. A security vulnerability exists in iCMS v7.0.16, which originates from a SQL injection vulnerability in the where parameter of admincp.php...

9.8 CVSS · 8 AI score · 0.00091 EPSS
Exploits 0 · References 4
CNNVD
added 2023/01/05 12:00 a.m. · 1 view

MEOL1 SQL Injection Vulnerability

MEOL1 is a PHP project by the individual developer Mies van der Lippe. MEOL1 suffers from a SQL injection vulnerability that stems from a problem with the function GetAnimal in the file opdracht4/index.php, where manipulation of the where parameter can lead to SQL injection...

9.8 CVSS · 6.5 AI score · 0.0044 EPSS
Exploits 0 · References 5
CNNVD
added 2022/11/01 12:00 a.m. · 2 views

IBAX go-ibax SQL Injection Vulnerability

IBAX go-ibax is a blockchain system platform from IBAX Corporation. IBAX go-ibax suffers from a SQL injection vulnerability that originates from some unknown functionality in the file /api/v2/open/rowsInfo, where manipulation of the where parameter leads to SQL injection...

8.8 CVSS · 7.9 AI score · 0.00288 EPSS
Exploits 0 · References 3
OSV
added 2022/09/13 3:15 p.m. · 10 views

CVE-2022-38539

Archery v1.7.5 to v1.8.5 was discovered to contain a SQL injection vulnerability via the where parameter at /archive/apply...

9.8 CVSS · 8.2 AI score
Exploits 0 · References 3