503 matches found
CVE-2026-28399
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3...
CVE-2026-24908
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the sort parameter...
CVE-2026-23627
OpenEMR before v8.0.0 exposes an SQL Injection in the Immunization module. The vulnerability arises because user-supplied patient_id values are concatenated into SQL WHERE clauses without parameterization or escaping, allowing an authenticated user to execute arbitrary SQL. This can lead to compl...
PT-2026-21970
Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0 Description OpenEMR is an electronic health records and medical practice management application. A flaw exists in the Immunization module where user-supplied patient id values are directly incorporated into SQL...
NoviSmart CMS SQL注入漏洞
NoviSmart CMS is a content management system developed by the Austrian company NoviSmart. NoviSmart CMS has a SQL injection vulnerability, which stems from the SQL injection present in the Referer HTTP header field. This vulnerability could allow remote attackers to execute arbitrary SQL queries...
CVE-2026-27470
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents function. Event field values specifically Name a...
CVE-2025-67102
Jorani versions up to 1.0.4 contain a SQL injection vulnerability in the alldayoffs feature, exploitable by an authenticated attacker via the entity parameter to execute arbitrary SQL commands. Multiple sources (Red Hat, CVE listings, PT-Security advisory) concur that the issue stems from imprope...
PT-2026-8039
Name of the Vulnerable Software and Affected Versions PrestaShop Advanced Popup Creator module versions 1.1.26 through 1.2.6 Description A SQL Injection issue exists in the Advanced Popup Creator module for PrestaShop. The issue is due to unsanitized data being passed to SQL queries within the...
GHSA-XX7M-69FF-9CRP SurrealDB vulnerable to Denial of Service through scripting function memory edge case
In SurrealDB instances with the scripting capability enabled --allow-scripting, users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart. The query...
Flowring Docpedia SQL注入漏洞
Flowring Docpedia is a document management system developed by Flowring Corporation in China. Flowring Docpedia has a SQL injection vulnerability. This vulnerability arises from unvalidated remote attacks, allowing attackers to inject arbitrary SQL commands, potentially leading to the reading of...
CVE-2020-37105
PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php...
Plikli CMS 4.0.0 Blind SQL Injection
A blind SQL injection vulnerability exists in Plikli CMS version 4.0.0. The vulnerability allows remote attackers to execute arbitrary SQL commands and potentially compromise the database. This is older research added to the archive...
EUVD-2021-34756
PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated 'vid' parameter to execute arbitrary database queries and potentially compromise the web...
CVE-2021-47915
Summary: CVE-2021-47915 affects PHP Melody 3.0, where the video edit module accepts an unvalidated vid parameter, enabling authenticated users to perform a remote SQL injection. This can lead to arbitrary database queries and potential compromise of the web app and its database management system....
CVE-2025-27378
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries...
Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2025-12819)
The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-12819 advisory. - Untrusted search path in authquery connection handler in PgBouncer before 1.25.1 allows an...
CVE-2025-14598 CVE-2025-14598
BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database...
BeeS BET e-Portal 安全漏洞
BeeS BET e-Portal is a faculty and exam management system from BeeS India. A security vulnerability exists in BeeS BET e-Portal that stems from a SQL injection in the login function, which could lead to the execution of arbitrary SQL commands...
EUVD-2025-203921
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the src/UserEditor.php file. When an administrator saves a user's configuration settings, the keys of the type POST parameter array are not properly sanitized or type-casted befor...
PT-2025-51868
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.5.3 Description ChurchCRM is an open-source church management system. A SQL injection issue exists in the src/ListEvents.php file. The WhichType POST parameter is not properly sanitized before being used in SQL...