82391 matches found

Vulnrichment
added 2026/03/13 9:22 p.m. | 1 view

CVE-2026-32715 AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

CVSS 3.8 | AI score 5.8 | EPSS 0.00198
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/13 9:22 p.m. | 2 views

CVE-2026-32715

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

CVSS 3.8 | AI score 5.8 | EPSS 0.00198
Exploits: 1 | References: 3 | Affected Software: 1

EUVD
added 2026/03/13 9:22 p.m. | 3 views

EUVD-2026-12175

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

CVSS 3.8 | AI score 5.8 | EPSS 0.00198
Exploits: 1 | References: 2

Cvelist
added 2026/03/13 9:10 p.m. | 28 views

CVE-2026-32704 SiYuan renderSprig: missing admin check allows any user to read full workspace DB

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

CVSS 6.5 | EPSS 0.00246
Exploits: 1 | References: 1

Vulnrichment
added 2026/03/13 9:10 p.m. | 2 views

CVE-2026-32704 SiYuan renderSprig: missing admin check allows any user to read full workspace DB

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

CVSS 6.5 | AI score 6.1 | EPSS 0.00246
Exploits: 1 | References: 1

OSV
added 2026/03/13 9:10 p.m. | 3 views

CVE-2026-32704 SiYuan renderSprig: missing admin check allows any user to read full workspace DB

SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Thi...

CVSS 6.5 | AI score 6.7 | EPSS 0.00246
Exploits: 1 | References: 3

Github Security Blog
added 2026/03/13 8:56 p.m. | 8 views

SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB

Summary: POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes. Details: File: kernel/api/router.go. Every sensitive endpoint i...

CVSS 6.5 | AI score 6.1 | EPSS 0.00246
Exploits: 1 | References: 4 | Affected Software: 1

EUVD
added 2026/03/13 8:56 p.m. | 5 views

EUVD-2026-12146

SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB...

CVSS 6.5 | AI score 5.8 | EPSS 0.00246
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/13 8:50 p.m. | 1 view

CVE-2026-32628

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

CVSS 7.7 | AI score 6.2 | EPSS 0.00299
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/03/13 8:50 p.m. | 6 views

CVE-2026-32628 AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

CVSS 7.7 | AI score 6.2 | EPSS 0.00299
Exploits: 1 | References: 2

CVE
added 2026/03/13 8:50 p.m. | 21 views

CVE-2026-32628

AnythingLLM has a SQL injection in the built‑in SQL Agent plugin (v1.11.1 and earlier) allowing a user who can invoke the agent to run arbitrary SQL on connected databases. The vulnerability stems from getTableSchemaSql() building queries via direct string concatenation of the table_name paramete...

CVSS 8.8 | AI score 6.2 | EPSS 0.00299
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/03/13 8:50 p.m. | 2 views

CVE-2026-32628 AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

CVSS 7.7 | AI score 6.2 | EPSS 0.00299
Exploits: 1 | References: 4

EUVD
added 2026/03/13 8:0 p.m. | 6 views

EUVD-2026-11719

OneUptime ClickHouse SQL Injection via Aggregate Query Parameters...

CVSS 9.9 | AI score 5.9 | EPSS 0.00603
Exploits: 1 | References: 2

NVD
added 2026/03/13 7:53 p.m. | 9 views

CVE-2025-36368

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...

CVSS 7.2 | EPSS 0.00314
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/13 7:35 p.m. | 6 views

CVE-2025-36368 IBM Sterling B2B Integrator and IBM Sterling File Gateway SQL Injection

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...

CVSS 6.5 | AI score 5.9 | EPSS 0.00314
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/13 7:35 p.m. | 3 views

CVE-2025-36368

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...

CVSS 6.5 | AI score 5.9 | EPSS 0.00314
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2026/03/13 7:35 p.m. | 12 views

CVE-2025-36368

IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by a SQL injection vulnerability (CVE-2025-36368) in the Dashboard UI affecting versions 6.1.0.0–6.1.2.7_2, 6.2.0.0–6.2.0.5_1, and 6.2.1.0–6.2.1.1_1. The issue allows an administrative user to send crafted SQL statements to vi...

CVSS 7.2 | AI score 5.9 | EPSS 0.00314
Exploits: 0 | References: 1 | Affected Software: 2

Circl
added 2026/03/13 1:52 p.m. | 2 views

CVE-2011-4342

creationtimestamp | type | source
---|---|---
2026-03-13 13:52:14+00:00 | seen | https://www.exploit-db.com/exploits/17056...

CVSS 7.5 | AI score 5.7 | EPSS 0.10403
Exploits: 1 | References: 1

HackRead
added 2026/03/13 12:51 p.m. | 4 views

SQL Injection Vulnerability in Ally WordPress Plugin Exposes 200K+ Sites

SQL injection flaw in Ally WordPress plugin exposes 200,000+ sites to data theft. Patch released, but most installations remain unpatched and vulnerable...

AI score 5.8
Exploits: 0

Cvelist
added 2026/03/13 11:42 a.m. | 24 views

CVE-2026-32433 WordPress CP Contact Form with Paypal plugin <= 1.3.61 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople CP Contact Form with Paypal (cp-contact-form-with-paypal) allows Blind SQL Injection. This issue affects CP Contact Form with Paypal: from n/a through <= 1.3.61...

CVSS 8.5 | EPSS 0.00225
Exploits: 0 | References: 1