CVE-2019-25746 WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicatequoteinvoice and...

CVE-2026-46538

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...

CVE-2026-46538

CVE-2026-46538 affects Microsoft UFO open-source framework; in version 3.0.1-4-ge2626659, the constellation client tracks pending task responses by session_id and does not bind completion to the originating device. An authenticated peer can forge a TASK_END with the same session_id to inject atta...

CVE-2026-40836

CVE-2026-40836 describes an unauthenticated SQL Injection in the inmessage model that can be exploited by a low-privileged remote attacker. The vulnerability arises from improper neutralization of special elements in a SQL DELETE command, enabling reading of the entire database and deletion of en...

CVE-2026-9065

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters 'modelname', 'modelid', 'integrationid', 'provider' on the REST API endpoint '/surecart/v1/integrations/id'. The root cause is a flawed escaping bypass in the query builder 'wp-query-builder'...

CVE-2020-37226

Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract...

CVE-2020-37226

Joomla J2 JOBS 1.3.0 has an authenticated SQL injection in the sortby parameter. With legitimate admin access, an attacker can send crafted POST requests to the administrator index to modify queries and extract sensitive data using automated tools. The CVSS data in the connected records shows a h...

WordPress Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin <= 1.8.10.4 - Authenticated (Custom+) SQL Injection vulnerability

Authenticated Custom+ SQL Injection vulnerability discovered by Abi Wiranata in WordPress Plugin Charitable versions = 1.8.10.4...

CVE-2026-41143 YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

CVE-2026-6674 Plugin: CMS für Motorrad Werkstätten <= 1.0.0 - Authenticated (Subscriber+) SQL Injection via 'arttype' Parameter

The Plugin: CMS für Motorrad Werkstätten plugin for WordPress is vulnerable to SQL Injection via the 'arttype' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

CVE-2026-40482 ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0...

WordPress Accessibility Suite by Ability, Inc plugin <= 4.20 - Authenticated (Subscriber+) SQL Injection via 'scan_id' Parameter vulnerability

Authenticated Subscriber+ SQL Injection via 'scanid' Parameter vulnerability discovered by Victor Pasman in WordPress Plugin Accessibility Suite versions = 4.20...

CVE-2026-39425

CVE-2026-39425 affects MaxKB (enterprise AI assistant). Versions 2.7.1 and earlier allow Stored XSS via unsanitized tags in the Application prologue, stored through /admin/api/workspace/{workspace_id}/application and rendered by the frontend via innerHTML, enabling persistent XSS and potential s...

groupoffice SQL注入漏洞

GroupOffice is an open-source groupware and CRM solution developed by Intermesh. Versions of GroupOffice prior to 6.8.158, 25.0.92, and 26.0.17 contain SQL injection vulnerabilities. These vulnerabilities stem from authenticated SQL injections at the JMAP Contact/query endpoint, which may lead to...

CVE-2026-33025 AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although realescapestring was applied, it only escapes...

DEBIAN-CVE-2026-33058

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51...

CVE-2026-33058

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51...

Linux Distros Unpatched Vulnerability : CVE-2026-33058

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers wit...

CVE-2026-28284

FreePBX is an open‑source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contained authenticated SQL injection vulnerabilities, attributed to the module’s handling of logs. The issues were fixed in versions 16.0.10 and 17.0.5. The CVE is rated with CVSS v4.0 base score ...

CVE-2026-28210

This entry concerns CVE-2026-28210 affecting FreePBX (open source IP PBX). The vulnerability lies in the cdr (Call Data Record) module, where an SQL query injection affects versions prior to 16.0.49 and 17.0.7. The issue is caused by unsafe SQL construction within the cdr component, leading to po...