Lucene search
K

206 matches found

Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.7 views

PT-2026-29744

Name of the Vulnerable Software and Affected Versions OpenSTAManager versions prior to 2.10.2 Description The OpenSTAManager software contains a flaw in the Aggiornamenti Updates module. This module includes a database conflict resolution feature that accepts a JSON array of SQL statements via PO...

8.8CVSS6.2AI score0.00668EPSS
Exploits1References9
CVE
CVE
added 2026/03/31 9:53 a.m.10 views

CVE-2026-4317

CVE-2026-4317 describes an SQL injection in the Umami Software web application where an improperly sanitized timezone parameter is interpolated directly into SQL queries (potentially via prisma.rawQuery/prisma.$queryRawUnsafe or raw queries with ClickHouse). This authenticated-access vulnerabilit...

9.3CVSS6.2AI score0.00345EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/26 11:39 a.m.2 views

CVE-2018-25207

Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to...

7.1CVSS6.2AI score0.0027EPSS
Exploits0References4Affected Software1
Patchstack
Patchstack
added 2026/03/23 8:22 a.m.6 views

WordPress Linksy Search and Replace plugin <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Database Update via linksysearchandreplaceitemdetails vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Linksy Search and Replace versions = 1.0.4...

8.8CVSS5.8AI score0.003EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/03/20 10:31 a.m.23 views

CVE-2026-33133 WeGIA has an arbitrary SQL execution vulnerability via crafted backup archive

WeGIA is a web manager for charitable institutions. In versions 3.6.5 and 3.6.6, the loadBackupDB function imports SQL files from uploaded backup archives without any content validation. An attacker can craft a backup archive containing arbitrary SQL statements that create rogue administrator...

8.6CVSS0.00401EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.7 views

SuiteCRM SQL注入漏洞

SuiteCRM is a customer relationship management system developed by the SuiteCRM team. Versions of SuiteCRM prior to 7.15.1 and 8.9.3 had an SQL injection vulnerability. This vulnerability stemmed from the authentication mechanism not properly clearing the username provided by users when directory...

8.8CVSS6.1AI score0.0044EPSS
Exploits0References2
CVE
CVE
added 2026/03/18 12:0 a.m.7 views

CVE-2025-58112

CVE-2025-58112 affects Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034). The vulnerability arises when an attacker uploads a malicious .rdl (Report Definition Language) file that is processed by SQL Server Reporting Services, enabling generation of customized reports via...

8.8CVSS6.1AI score0.00464EPSS
Exploits0References2
OSV
OSV
added 2026/03/16 8:44 p.m.1 views

GHSA-J7WH-X834-P3R7 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Summary SiYuan Note v3.6.0 and likely prior versions contains an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database...

9.8CVSS6.3AI score0.00541EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/03/16 8:44 p.m.10 views

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Summary SiYuan Note v3.6.0 and likely prior versions contains an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database...

9.8CVSS6.3AI score0.00541EPSS
Exploits1References6Affected Software1
NVD
NVD
added 2026/03/16 2:19 p.m.6 views

CVE-2026-32704

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

6.5CVSS0.00246EPSS
Exploits1References1
CVE
CVE
added 2026/03/13 8:50 p.m.21 views

CVE-2026-32628

AnythingLLM has a SQL injection in the built‑in SQL Agent plugin (v1.11.1 and earlier) allowing a user who can invoke the agent to run arbitrary SQL on connected databases. The vulnerability stems from getTableSchemaSql() building queries via direct string concatenation of the table_name paramete...

8.8CVSS6.2AI score0.00299EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/12 12:0 a.m.27 views

CVE-2026-26794

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the addgroup function. This vulnerability allows attackers to execute arbitrary SQL database operations via a crafted HTTP request...

0.00453EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.5 views

PT-2026-23647

Name of the Vulnerable Software and Affected Versions Ghostfolio versions prior to 2.244.0 Description Ghostfolio is a wealth management software susceptible to arbitrary SQL command execution. An attacker can bypass symbol validation to execute SQL commands through the getHistorical method...

9.8CVSS6AI score0.00367EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/27 10:11 p.m.259 views

CVE-2026-28516 openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

9.3CVSS0.0097EPSS
Exploits2References7
CNNVD
CNNVD
added 2026/02/24 12:0 a.m.9 views

Apache Superset 安全漏洞

Apache Superset is a data visualization and data exploration platform from the Apache USA Foundation. Apache Superset suffers from a SQL injection vulnerability that can be exploited by an attacker to view, add, modify, or delete arbitrary files on the database...

6.5CVSS6AI score0.00503EPSS
Exploits2References2
NVD
NVD
added 2026/02/21 8:16 a.m.8 views

CVE-2026-27470

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents function. Event field values specifically Name a...

8.8CVSS0.0048EPSS
Exploits2References4
RedhatCVE
RedhatCVE
added 2026/01/20 5:21 p.m.5 views

CVE-2026-22850

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path pa and referrer r values to the public...

8.3CVSS6.3AI score0.00411EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/01/19 4:51 p.m.3 views

CVE-2026-22850

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path pa and referrer r values to the public...

8.3CVSS6.1AI score0.00411EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/01/19 4:51 p.m.5 views

EUVD-2026-3319

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path pa and referrer r values to the public...

8.3CVSS6.3AI score0.00411EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/19 4:51 p.m.4 views

CVE-2026-22850 Koko Analytics vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path pa and referrer r values to the public...

8.3CVSS6.3AI score0.00411EPSS
Exploits1References3
Rows per page
Query Builder