CNNVD
added 2026/03/20 12:00 a.m., 5 views

SuiteCRM SQL injection vulnerability

SuiteCRM is a customer relationship management system developed by the SuiteCRM team. Versions of SuiteCRM prior to 7.15.1 and 8.9.3 had an SQL injection vulnerability. This vulnerability stemmed from the authentication mechanism not properly sanitizing the username provided by users when directory...

CVSS 8.8, AI score 6.1, EPSS 0.0044
Exploits 0, References 2
Positive Technologies
added 2026/03/20 12:00 a.m., 4 views

PT-2026-26618

A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/search student.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...

CVSS 6.5, AI score 5.7, EPSS 0.00246
Exploits 0, References 7
Positive Technologies
added 2026/03/20 12:00 a.m., 6 views

PT-2026-26558

Name of the Vulnerable Software and Affected Versions: ERP versions prior to 16.8.0; ERP versions prior to 15.100.0. Description: The software contains a flaw due to insufficient parameter validation, leading to time-based and boolean-based blind SQL injection in certain endpoints. This allows...

CVSS 7.5, AI score 5.8, EPSS 0.00314
Exploits 0, References 6
CNNVD
added 2026/03/20 12:00 a.m., 8 views

itsourcecode Online Frozen Foods Ordering System SQL injection vulnerability

itsourcecode Online Frozen Foods Ordering System is an open-source online frozen food ordering system developed by itsourcecode. Version 1.0 of the system has a SQL injection vulnerability, which stems from incorrect handling of the parameter SupplierName in the file /admin/admineditsupplier.php,...

CVSS 9.8, AI score 6.7, EPSS 0.00315
Exploits 1, References 5
CNNVD
added 2026/03/20 12:00 a.m., 4 views

Admidio security vulnerability

Admidio is an open-source member management system developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Versions of Admidio 5.0.6 and earlier have security vulnerabilities; these vulnerabilities st...

CVSS 8, AI score 5.9, EPSS 0.00279
Exploits 1, References 2
Positive Technologies
added 2026/03/20 12:00 a.m., 7 views

PT-2026-26565

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files docker-compose.yml and env.example ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed...

CVSS 8.1, AI score 6.5, EPSS 0.00672
Exploits 1, References 5
Positive Technologies
added 2026/03/20 12:00 a.m., 6 views

PT-2026-26673

A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module plugin.refresh plugins of the file packages/dbgpt-serve/src/dbgpt serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. It is possib...

CVSS 6.5, AI score 6, EPSS 0.00201
Exploits 0, References 8
Positive Technologies
added 2026/03/20 12:00 a.m., 7 views

PT-2026-26765

Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: AVideo, an open source video platform, has multiple security issues within its CloneSite plugin that, when combined, allow a completely unauthenticated attacker to execute code remotely. The...

CVSS 10, AI score 6.2, EPSS 0.13266
Exploits 1, References 15
Positive Technologies
added 2026/03/20 12:00 a.m., 11 views

PT-2026-26544

Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Affected versions contain an SQL injection in the Items search functionality. When the custom attribute search feature (search custom filter) is enabled, user-supplied input from the search GET...

CVSS 8.8, AI score 6.2, EPSS 0.00316
Exploits 1, References 6
Tenable Nessus
added 2026/03/20 12:00 a.m., 4 views

Cockpit < 2.13.5 SQLi (GHSA-7x5c-vfhj-9628)

The version of Cockpit CMS running on the remote web server is prior to 2.13.5. It is, therefore, affected by a SQL injection vulnerability in the MongoLite Aggregation Optimizer. An unsanitized field name in the toJsonExtractRaw method in lib/MongoLite/Aggregation/Optimizer.php allows an...

CVSS 7.7, AI score 6.1, EPSS 0.00397
Exploits 0, References 2
Redos
added 2026/03/20 12:00 a.m., 5 views

ROS-20260320-73-0002

A vulnerability in the command line interface of the SQLite database management system is associated with errors in the implementation of the azAllowedFunctions protection mechanism. Exploitation of the vulnerability may allow an attacker to gain unauthorized access to prohibited user functions...

CVSS 7.3, AI score 6.7, EPSS 0.00457
Exploits 1
ATTACKERKB
added 2026/03/19 11:14 p.m., 2 views

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for the MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

CVSS 8.2, AI score 5.9, EPSS 0.00419
Exploits 1, References 4, Affected Software 1
OSV
added 2026/03/19 11:14 p.m., 3 views

CVE-2026-32763 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for the MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

CVSS 8.2, AI score 6, EPSS 0.00419
Exploits 1, References 5
CVE
added 2026/03/19 11:08 p.m., 16 views

CVE-2026-33288

CVE-2026-33288 affects SuiteCRM, where an authenticated SQL injection exists in the authentication module when directory support is enabled. The root cause is improper sanitization of the user-provided username before using it in a local database query, allowing an attacker with valid, low-privil...

CVSS 8.8, AI score 6.1, EPSS 0.0044
Exploits 0, References 2, Affected Software 1
Vulnrichment
added 2026/03/19 11:08 p.m., 2 views

CVE-2026-33288 SuiteCRM has Authenticated SQL Injection in Authentication Module

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize...

CVSS 8.8, AI score 6.1, EPSS 0.0044
Exploits 0, References 2
Cvelist
added 2026/03/19 11:08 p.m., 21 views

CVE-2026-33288 SuiteCRM has Authenticated SQL Injection in Authentication Module

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize...

CVSS 8.8, EPSS 0.0044
Exploits 0, References 2
Vulnrichment
added 2026/03/19 10:46 p.m., 2 views

CVE-2026-29099 SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the retrieve function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user-controlled $id parameter. It is assumed that the...

CVSS 8.8, AI score 5.9, EPSS 0.00259
Exploits 0, References 2
Vulnrichment
added 2026/03/19 10:37 p.m., 0 views

CVE-2026-29096 SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AORReports module), the field_function parameter from POST data is saved directly into the aorfields table without any...

CVSS 8.1, AI score 6, EPSS 0.00316
Exploits 0, References 2
Cvelist
added 2026/03/19 10:37 p.m., 19 views

CVE-2026-29096 SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AORReports module), the field_function parameter from POST data is saved directly into the aorfields table without any...

CVSS 8.1, EPSS 0.00316
Exploits 0, References 2
NVD
added 2026/03/19 10:16 p.m., 11 views

CVE-2026-32750

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their...

CVSS 6.8, EPSS 0.00431
Exploits 1, References 3