CVE-2026-29099 SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, the retrieve function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user controlled $id parameter. It is assumed that the...

UniFi Network Application - Multiple vulnerabilities

https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b reports: An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges. A...

CVE-2026-33058 Kanboard has Authenticated SQL Injection in Project Permissions Handler

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51...

EUVD-2026-12627

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue...

CVE-2026-25936 GLPI Vulnerable to Authenticated SQL Injection

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue...

GHSA-QP2J-V5JG-HG68 LibreNMS contains an authenticated SQL Injection vulnerability

LibreNMS 1.46 contains an authenticated SQL Injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL Injection techniques to retrieve...

CVE-2020-36947

LibreNMS 1.46 contains an authenticated SQL injection in the MAC accounting graph endpoint. An attacker with valid credentials can modify the sort parameter to perform SQL queries that extract sensitive database contents via time-based blind SQL injection. The exploitation targets the MAC account...

PT-2026-3307

Name of the Vulnerable Software and Affected Versions WeGIA versions prior to 3.6.2 Description WeGIA is a web manager for charitable institutions. A SQL Injection issue exists that allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigur...

EUVD-2025-50812

TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topicid parameter...

CVE-2025-52914

A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 10.0.1.101 could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQ...

PT-2024-15413 · Manageengine · Zoho Manageengine Adaudit Plus

Name of the Vulnerable Software and Affected Versions: ManageEngine ADAudit Plus versions 7270 and below Description: The issue is related to an Authenticated SQL injection in the home Graph-Data of ManageEngine ADAudit Plus. Recommendations: For ManageEngine ADAudit Plus versions 7270 and below,...

PT-2023-31471

Name of the Vulnerable Software and Affected Versions Student Information System version 1.0 Description The issue concerns multiple Authenticated SQL Injection vulnerabilities. Specifically, the coursecode parameter of the "marks.php" resource does not validate the characters received and they a...

CVE-2022-3141

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language via the settings page containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected...

CVE-2021-24628

The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection...

CVE-2021-24662

The Game Server Status WordPress plugin through 1.0 does not validate or escape the serverid parameter before using it in SQL statement, leading to an Authenticated SQL Injection in an admin page...