1404 matches found
CVE-2026-59515
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through = 1.5.4...
CVE-2026-56690
Dell PowerFlex Manager, Version prior to 5.1.0.1, contains an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure, Information...
CVE-2026-59834 SiYuan: SQL Query in Block Search Exposes Hidden Published Document Content
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNI...
CVE-2026-39179
SOGo
CVE-2026-14809
CVE-2026-14809 affects PROG MISβs Prog Management System. The connected CVE records confirm an SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands and read database contents. The description does not specify the exact vulnerable component, versi...
CVE-2026-14657
A flaw has been found in code-projects Assessment Management 1.0. This issue affects some unknown processing of the file /lecturer/marking-scheme.php of the component Database Query Handler. This manipulation of the argument squestions causes sql injection. The attack can be initiated remotely. T...
CVE-2026-14657 code-projects Assessment Management Database Query marking-scheme.php sql injection
A flaw has been found in code-projects Assessment Management 1.0. This issue affects some unknown processing of the file /lecturer/marking-scheme.php of the component Database Query Handler. This manipulation of the argument squestions causes sql injection. The attack can be initiated remotely. T...
CVE-2026-14657
A flaw has been found in code-projects Assessment Management 1.0. This issue affects some unknown processing of the file /lecturer/marking-scheme.php of the component Database Query Handler. This manipulation of the argument squestions causes sql injection. The attack can be initiated remotely. T...
CVE-2026-14657
CVE-2026-14657 describes a SQL injection flaw in the code-projects Assessment Management 1.0, affecting the Database Query Handler. The vulnerability arises from how the argument squestions[] is processed in the file /lecturer/marking-scheme.php, enabling remote exploitation. The exploit is publi...
CVE-2026-14652
A vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script 1.0. This affects an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit ha...
PT-2026-55737
Name of the Vulnerable Software and Affected Versions code-projects Assessment Management version 1.0 Description An SQL injection flaw exists in the Database Query Handler component due to improper processing of the /lecturer/marking-scheme.php endpoint. A remote attacker can exploit this by...
CVE-2026-13357
The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepareitems method...
CVE-2026-49048
The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation...
CVE-2026-49048 Joomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla < 6.4.1
The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation...
EUVD-2026-39986
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php. This impacts an unknown function of the file /preview6.php. Executing a manipulation of the argument courseyearsection can lead to sql injection. The attack can be launched remotely. The exploit has been...
EUVD-2026-39625
The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as...
PT-2026-53001
Name of the Vulnerable Software and Affected Versions Fleet DM affected versions not specified Description An issue exists in the global policy read endpoint GET /api/latest/fleet/policies/policy id where authorization is performed against an empty structure with a nil TeamID. This allows the...
CVE-2026-9785
Quest NetVault Backup NVBULibrarySlot SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
EUVD-2025-210326
Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to ...
PT-2026-52093
π¨ CVE-2026-45688 Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOn...