CVE-2026-40529

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface...

CVE-2026-3599

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'productdata' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on t...

CVE-2026-49491

Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information includi...

CVE-2026-45545

Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries,...

CVE-2026-40900

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement...

CVE-2026-40823

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can resu...

CVE-2026-36499

A missing upper-bound check in the udpifsetthreads function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service DoS via resource exhaustion...

CVE-2019-25726

CVE-2019-25726 affects All in One Video Downloader 1.2. An SQL injection vulnerability exists in the admin page edit via the id parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and potentially extract sensitive data (usernames, databases, version details). The provid...

CVE-2026-49491

Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information includi...

CVE-2026-40546 Multiple SQL Injections in SOPlanning

SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. Attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database. This issue affects SOPlanning version 1.55 and below...

CVE-2026-49490

OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by...

CVE-2026-9757 GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read from $SERVER'QUERYSTRING' via parsestr bypassing WordPress's wpmagicquotes protection, which only covers...

CVE-2026-41075

A flaw was found in RT, an open-source issue and ticket tracking system. An authenticated user can exploit an SQL injection vulnerability by crafting malicious input. This input is then incorporated into database queries without proper validation, potentially allowing the attacker to read or modi...

CVE-2026-40827

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can resu...

CVE-2026-40834 Authenticated SQLi in saveDashboardLayout function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashlayout.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non...

CVE-2026-40834

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashlayout.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non...

CVE-2026-40830

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical...

EUVD-2026-32157

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can...

CVE-2026-40828 Authenticated SQLi in DeleteSysLogEntry function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can...

CVE-2026-40828 Authenticated SQLi in DeleteSysLogEntry function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can...