CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

Joomla! Component eXtroForms SQL注入漏洞

Joomla! Component eXtroForms is an open source Joomla! A SQL injection vulnerability exists in Joomla! Component eXtroForms version 2.1.5, which stems from an SQL injection in the filtertypeid, filterpidid, and filtersearch parameters, which could allow an authenticated attacker to extract...

PT-2026-41559

Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the login parameter in login.php. Attackers can submit crafted POST requests with SQL injection payloa...

CVE-2026-0242 Trust Protection Foundation: SQL Injection Vulnerability

A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database. Successful exploitation could allow an attacker to read sensitive data, modify database contents, and escalate privileges to gain full...

PT-2026-38417

An improper input validation, together with an overly permissive default CORS configuration in Open Notebook v1.8.1 allows remote attacker to trick a legitimate user to alter or delete arbitrary database entries via specially crafted malicious URL. Depending on the deployment, data exfiltration i...

CVE-2026-4119

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers adminpost action hooks for creating tables adminpostaddtable and deleting tables adminpostdeletedbtable without implementing any capability checks via...

PT-2026-34290

Name of the Vulnerable Software and Affected Versions Table Manager versions prior to 1.0.1 Description The Table Manager plugin for WordPress allows authenticated attackers with Contributor-level access and above to extract sensitive data from arbitrary WordPress database tables. The issue occur...

PT-2026-34287

Name of the Vulnerable Software and Affected Versions Create DB Tables versions prior to 1.2.2 Description The Create DB Tables plugin for WordPress contains an authorization bypass. The plugin registers admin post action hooks for creating tables 'admin post add table' and deleting tables 'admin...

EUVD-2025-209515

Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases...

CubeCart 安全漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Versions of CubeCart prior to 6.6.0 contained security vulnerabilities, which were caused by SQL injection attacks. These vulnerabilities could allow attackers to execute arbitrary SQL statements on the product side...

PT-2026-33426

Name of the Vulnerable Software and Affected Versions Sparx Pro Cloud Server affected versions not specified Description An unauthenticated user can execute arbitrary SQL commands in the database. This SQL injection allows for a complete database takeover without requiring credentials...

CVE-2026-33207

DataEase (open-source data visualization/analytics) contains a SQL injection in versions ≤ 2.10.20 at the /datasource/getTableField endpoint. The getTableFiledSql method concatenates the tableName into SQL via String.format without parameterization, and validation in DatasourceServer.py can be by...

CVE-2026-34228

Emlog (open source website building system) contains CSRF in the backend upgrade interface prior to version 2.6.8. The interface accepts remote SQL and ZIP URLs via GET parameters; the server downloads and executes the SQL file, then downloads and extracts the ZIP into the web root without CSRF t...

EUVD-2026-18336

OpenSTAManager: SQL Injection via Aggiornamenti Module...

PT-2026-29744

Name of the Vulnerable Software and Affected Versions OpenSTAManager versions prior to 2.10.2 Description The OpenSTAManager software contains a flaw in the Aggiornamenti Updates module. This module includes a database conflict resolution feature that accepts a JSON array of SQL statements via PO...

CVE-2026-4317

CVE-2026-4317 describes an SQL injection in the Umami Software web application where an improperly sanitized timezone parameter is interpolated directly into SQL queries (potentially via prisma.rawQuery/prisma.$queryRawUnsafe or raw queries with ClickHouse). This authenticated-access vulnerabilit...

CVE-2018-25207

Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to...

WordPress Linksy Search and Replace plugin <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Database Update via linksysearchandreplaceitemdetails vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Linksy Search and Replace versions = 1.0.4...

CVE-2026-33133 WeGIA has an arbitrary SQL execution vulnerability via crafted backup archive

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator...

SuiteCRM SQL注入漏洞

SuiteCRM is a customer relationship management system developed by the SuiteCRM team. Versions of SuiteCRM prior to 7.15.1 and 8.9.3 had an SQL injection vulnerability. This vulnerability stemmed from the authentication mechanism not properly clearing the username provided by users when directory...