CVE-2026-26980

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1...

CVE-2026-26988

CVE-2026-26988 affects LibreNMS (versions ≤ 25.12.0) via an SQL Injection in the IPv6 address search path of the ajax_table.php endpoint. The root cause is that the address parameter is split into an address and a prefix, and the prefix is directly concatenated into the SQL query without validati...

CVE-2026-26980

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1...

CVE-2025-15560

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can...

CVE-2025-59920

CVE-2025-59920 affects time@work v7.0.5: when hours are entered, a query to display a user’s assigned projects can be exposed. Copying the query URL and opening it in a new browser window makes the ‘IDClient’ parameter vulnerable to blind authenticated SQL injection. If the attacker uses a TWAdmi...

Exploit for Improper Restriction of XML External Entity Reference in Adobe Commerce

CVE-2024-34102 - CosmicSting XXE Exploit !Python Versionht...

CVE-2019-25346

CVE-2019-25346 pertains to TheSystem 1.0, with a SQL injection in the server_name parameter that enables authentication bypass. The vulnerability allows an attacker to inject SQL like ' or '1=1' to retrieve unauthorized database records and potentially access sensitive system information. Multipl...

CVE-2026-1602

Ivanti Endpoint Manager prior to 2024 SU5 is affected by an SQL injection vulnerability that allows a remote authenticated attacker to read arbitrary data from the database. The CVSSv3.1 base score is 6.5 (Medium) with Network attack vector, Low attack complexity, Privileges Required: Low, No use...

CVE-2026-2096 Flowring｜Agentflow - Missing Authenticaton

Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality...

CVE-2026-2096

Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality...

Flowring Docpedia SQL注入漏洞

Flowring Docpedia is a document management system developed by Flowring Corporation in China. Flowring Docpedia has a SQL injection vulnerability. This vulnerability arises from unvalidated remote attacks, allowing attackers to inject arbitrary SQL commands, potentially leading to the reading of...

PT-2026-7235

Name of the Vulnerable Software and Affected Versions Docpedia affected versions not specified Description Docpedia developed by Flowring has a SQL Injection issue. Authenticated remote attackers can inject arbitrary SQL commands, potentially allowing them to read, modify, and delete database...

CVE-2026-2132

A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. The attack can be executed remotely. The exploit has bee...

CVE-2020-37141

AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents...

CVE-2026-2115

A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/deleteexpenses.php. This manipulation of the argument expensesid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published...

CVE-2026-2103

Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt a...

CVE-2020-37141 AMSS++ v 4.31 - 'id' SQL Injection

AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module's maildetail.php script through the 'id' parameter. Attackers can manipulate the 'id' parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents...

OpenSTAManager has a SQL Injection in Scadenzario Print Template

Summary An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario Payment Schedule print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables...

CVE-2026-2103

Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt a...

CVE-2019-25300

thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information...