EUVD-2026-16032

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contais a SQL injection vulnerability in the ajaxsave CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input...

CVE-2026-29187

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality /interface/new/newsearchpopup.php. The vulnerability allows an authenticated attacker t...

CVE-2026-33914 OpenEMR has SQL Injection in PostCalendar Category Delete

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via...

CVE-2026-33914

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via...

CVE-2026-33910 OpenEMR has a SQL Injection Vulnerability in patient selection

OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to...

CVE-2026-33909 OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL...

CVE-2026-33909 OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL...

CVE-2026-29187 OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality /interface/new/newsearchpopup.php. The vulnerability allows an authenticated attacker t...

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter

Summary The Subscribe::save method in objects/subscribe.php concatenates the $this-usersid property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $POST'userid' in both subscribe.json.php and subscribeNotify.json.php. An authenticate...

EUVD-2026-15992

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files containing API keys and database credentials, Windows...

EUVD-2026-14492

AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name...

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal in the pluginRunDatabaseScript.json.php endpoint. An administrator can execute arbitrary SQL commands and disclose sensitive file contents by...

AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

Summary The objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or an attacker via CSRF to traverse outside the plugin directory and execute the...

GHSA-PVW4-P2JM-CHJM AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()

Summary The remindMe.json.php endpoint passes $REQUEST'livescheduleid' through multiple functions without sanitization until it reaches Schedulercommands::getAllActiveOrToRepeat, which directly concatenates it into a SQL LIKE clause. Although intermediate functions new Liveschedule,...

GHSA-8G29-8XWR-QMHR @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

Impact JSON.parseenv.adapterConfig is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled...

CVE-2026-32516

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through 2.1.2...

CVE-2026-27039

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in AA-Team WZone woozone allows Blind SQL Injection.This issue affects WZone: from n/a through = 14.0.31...

CVE-2026-25377

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in eyecix Addon Jobsearch Chat addon-jobsearch-chat allows SQL Injection.This issue affects Addon Jobsearch Chat: from n/a through = 3.0...

CVE-2026-25007

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Blind SQL Injection.This issue affects ElementInvader Addons for Elementor: from n/a through = 1.4.2...

Hackers claim to have accessed data tied to millions of crime tipsters

Millions of crime tips may have been exposed after a hacker group claims to have compromised systems used by Crime Stoppers programs and other organizations worldwide. The incident centers on P3 Global Intel, a Texas-based provider of cloud-based tip and intelligence management software owned by...