CVE-2025-22953
A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting...
PT-2025-13576 · Epicor · Epicor Hcm
Name of the Vulnerable Software and Affected Versions: Epicor HCM version 2021 1.9. Description: A SQL injection vulnerability exists in Epicor HCM, specifically in the filter parameter of the "JsonFetcher.svc" endpoint. An attacker can exploit this vulnerability by injecting malicious SQL...
CVE-2025-30365
WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.2.8 in the endpoint /WeGIA/html/socio/sistema/controller/querygeracaoauto.php, specifically in the query parameter. This vulnerability allows the execution of arbitrary SQL...
CVE-2025-30365
CVE-2025-30365 concerns WeGIA, a web manager for charitable organizations. The flaw is a SQL Injection in the endpoint "/WeGIA/html/socio/sistema/controller/query_geracao_auto.php" (parameter "query"). Affected versions are prior to 3.2.8. Successful exploitation enables arbitrary SQL execution,...
CVE-2024-10901
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/chart/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write, enabling them to write arbitrary files to the victim's file...
CVE-2024-10835
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the...
CVE-2025-2585 EBM Technologies EBM Maintenance Center - SQL injection
EBM Maintenance Center from EBM Technologies has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents...
LlamaIndex Retrievers Integration: DuckDBRetriever SQL Injection
A SQL injection vulnerability exists in the duckdbretriever component of the run-llama/llamaindex repository, specifically in llama-index-retrievers-duckdb-retriever prior to v0.4.0. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an...
CVE-2024-10901
CVE-2024-10901 affects eosphoros-ai/db-gpt. In v0.6.0 (and earlier per OSV entry), the web API POST /api/v1/editor/chart/run allows executing arbitrary SQL without access controls, enabling Arbitrary File Write and potentially Remote Code Execution by writing files such as __init__.py into Python’s ...
CVE-2024-10835
CVE-2024-10835 affects eosphoros-ai/db-gpt v0.6.0. The web API endpoint POST /api/v1/editor/sql/run allows executing arbitrary SQL without access control, enabling Arbitrary File Write via DuckDB SQL and potentially Remote Code Execution (RCE). Affected component: DB-GPT web API handler for edito...
DB-GPT Code Issue Vulnerability
DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A code issue vulnerability exists in DB-GPT version v0.6.0. It stems from the web API POST /api/v1/editor/chart/run allowing the execution of arbitrary SQL queries, which allows an...
MENNEKES Ladesäule Smart SQL Injection Vulnerability
MENNEKES Ladesäule Smart is a smart charging post from MENNEKES. A SQL injection vulnerability exists in MENNEKES Ladesäule Smart versions prior to 2.15, which stems from insufficient value neutralization and could lead to the execution of arbitrary SQL commands...
CVE-2024-42844
A SQL Injection vulnerability has been identified in EPICOR Prophet 21 P21 up to 23.2.5232. This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands through unsanitized user input fields to obtain unauthorized information...
TYPO 3.16.0 SQL Injection
TYPO version 3.16.0 suffers from a remote SQL injection vulnerability. Title: TYPO 3.16.0 Code Injection Vulnerability | Author: indoushka | Tested...
CVE-2024-50706
CVE-2024-50706 describes an unauthenticated SQL injection in Uniguest Tripleplay. The vulnerability affects Tripleplay 23.1+ and enables remote attackers to execute arbitrary SQL queries on the backend database. Multiple sources corroborate the issue and classify it as high/critical risk (CVSS v3...
CVE-2025-22210
The CVE-2025-22210 entry relates to a SQL injection in the Hikashop Joomla component (versions 3.3.0–5.1.4) that is exploitable by authenticated administrators via the category management area in the backend. Affected software: Hikashop component for Joomla. Root cause: improper handling of SQL q...
CVE-2025-26606
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, informacaoadicional.php endpoint. This vulnerability could allow an attacker to execute arbitrary SQL queries, allowing unauthoriz...
CVE-2025-26605
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, deletarcargo.php endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access...