82389 matches found

ATTACKERKB
added 2026/03/06 12:18 p.m., 6 views

CVE-2018-25161

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements...

CVSS 8.8, AI score 6.1, EPSS 0.00225
Exploits 0, References 2, Affected Software 1

IBM Security Bulletins
added 2026/03/06 9:25 a.m., 13 views

Security Bulletin: Multiple vulnerabilities affect IBM DB2 Data Management Console

Summary: sshd-common-2.10.0.jar, dompurify-2.2.7.tgz, derby-10.16.1.1.jar, ion-java-1.2.0.jar dependency packages are being used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details: CVEID: CVE-2024-41909 DESCRIPTION:...

CVSS 10, AI score 5.9, EPSS 0.01418
Exploits 4, Affected Software 1

NVD
added 2026/03/06 8:16 a.m., 10 views

CVE-2026-29073

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights, so any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0...

CVSS 8.8, EPSS 0.00323
Exploits 1, References 1

RedhatCVE
added 2026/03/06 7:55 a.m., 5 views

CVE-2025-69338

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Riode Core riode-core allows Blind SQL Injection. This issue affects Riode Core: from n/a through <= 1.6.26...

CVSS 9.3, AI score 5.8, EPSS 0.00383
Exploits 0, References 1

OSV
added 2026/03/06 7:28 a.m., 2 views

MAL-2026-1260 Malicious code in webmd-url (npm)

Package exfiltrates data via pre/postinstall scripts, and has a suspicious main entrypoint targeting MongoDB configurations. Package extracts data like username, hostname and current working directory and sends it to malicious domain http://4v6heh2m.requestrepo.com/depconf/webmd-url/ --- -= Per...

AI score 5.8
Exploits 0, References 2

Vulnrichment
added 2026/03/06 7:18 a.m., 1 view

CVE-2026-29073 SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights, so any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0...

CVSS 7.1, AI score 5.8, EPSS 0.00323
Exploits 1, References 1

OSV
added 2026/03/06 7:18 a.m., 5 views

CVE-2026-29073 SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights, so any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0...

CVSS 7.1, AI score 5.7, EPSS 0.00323
Exploits 1, References 3

ATTACKERKB
added 2026/03/06 7:18 a.m., 4 views

CVE-2026-29073

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights, so any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0...

CVSS 7.1, AI score 5.8, EPSS 0.00323
Exploits 1, References 2, Affected Software 1

CVE
added 2026/03/06 7:18 a.m., 32 views

CVE-2026-29073

Technical details about CVE-2026-29073 are not provided in the connected documents. The SUSE/OSV entries reference the CVE within a broader vulndb update but do not describe affected products, versions, or exploit specifics. Monitor for updates.

CVSS 8.8, AI score 5.8, EPSS 0.00323
Exploits 1, References 1, Affected Software 1

NVD
added 2026/03/06 5:16 a.m., 9 views

CVE-2026-27005

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows...

CVSS 9.8, EPSS 0.00513
Exploits 1, References 2

OSV
added 2026/03/06 4:27 a.m., 4 views

CVE-2026-28785 Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the...

CVSS 9.3, AI score 6, EPSS 0.00367
Exploits 0, References 4

EUVD
added 2026/03/06 4:07 a.m., 5 views

EUVD-2026-9978

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows...

CVSS 9.3, AI score 6, EPSS 0.00513
Exploits 1, References 2

Cvelist
added 2026/03/06 3:05 a.m., 33 views

CVE-2026-28501 WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a...

CVSS 9.8, EPSS 0.0151
Exploits 1, References 3

Positive Technologies
added 2026/03/06 12:00 a.m., 5 views

PT-2026-23754

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.7; Parse Server versions prior to 9.5.0-alpha.6. Description: Parse Server is an open-source backend deployable on Node.js infrastructures. A malformed $regex query parameter, such as abc, can cause the database...

CVSS 6.9, AI score 5.9, EPSS 0.00336
Exploits 0, References 12

CNNVD
added 2026/03/06 12:00 a.m., 4 views

Chartbrew SQL injection vulnerability

Chartbrew is an open-source data visualization and dashboard building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.3 contained a SQL injection vulnerability. This vulnerability allows unauthenticated attackers to inject arbitrary SQL queries into the database, potentially leading to...

CVSS 9.8, AI score 6, EPSS 0.00513
Exploits 1, References 2

Positive Technologies
added 2026/03/06 12:00 a.m., 7 views

PT-2026-23688

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to th...

CVSS 8.8, AI score 6.3, EPSS 0.00204
Exploits 0, References 3

Positive Technologies
added 2026/03/06 12:00 a.m., 8 views

PT-2026-23698

Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract...

CVSS 8.8, AI score 6.1, EPSS 0.00237
Exploits 0, References 3

Positive Technologies
added 2026/03/06 12:00 a.m., 6 views

PT-2026-23692

Maitra 1.7.2 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in the outmail and inmail modules. Attackers can also download the SQLite database file directly from the application...

CVSS 7.1, AI score 6.1, EPSS 0.00194
Exploits 0, References 3

CNNVD
added 2026/03/06 12:00 a.m., 8 views

WWBN AVideo SQL injection vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 24.0 contained a SQL injection vulnerability. This vulnerability stemmed from improper sanitization of the catName parameter in the objects/videos.json.php and objects/video.ph...

CVSS 9.8, AI score 5.9, EPSS 0.0151
Exploits 1, References 3

Positive Technologies
added 2026/03/06 12:00 a.m., 5 views

PT-2026-23697

Name of the Vulnerable Software and Affected Versions: Tina4 Stack version 1.0.3. Description: Tina4 Stack version 1.0.3 has multiple issues that allow unauthenticated attackers to access sensitive database files and execute SQL injection attacks. Attackers can directly request the kim.db database...

CVSS 9.8, AI score 5.9, EPSS 0.00347
Exploits 1, References 5