CVE-2026-28517

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in reportnetworkmap.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec without validation or sanitization. If an attacker can modify the...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: php (UTSA-2026-005379)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005379 advisory. In PHP versions 8.1. before 8.1.31, 8.2. before 8.2.26, 8.3. before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containin...

CVE-2026-28562 wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::gettopics where the ORDER BY clause relies on ineffective escsql sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials...

CVE-2026-28562

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::gettopics where the ORDER BY clause relies on ineffective escsql sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials...

CVE-2019-25491

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cmsgetpagetitle.php endpoint with malicious catid values to extract sensitive...

CVE-2019-25496

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the productsid parameter. Attackers can modify the productsid value in productinfo.php requests and append boolean-based SQL injection...

CVE-2026-2831

The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘logid’ parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

OESA-2026-1428 openldap security update

OpenLDAP is an open source suite of LDAP Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols for accessing directory services usually phone book style information, but other information is possible over the Internet, similar to the way DNS Domain...

OESA-2026-1426 openldap security update

OpenLDAP is an open source suite of LDAP Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols for accessing directory services usually phone book style information, but other information is possible over the Internet, similar to the way DNS Domain...

Input Validation Bypass

Apache Superset is vulnerable to Input Validation Bypass. The vulnerability is due to specially crafted SQL statements can bypass the read-only verification check when using a PostgreSQL database connection, and attackers can exploit it to execute unauthorized actions...

Deserialization Of Untrusted Data

Apache Camel is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to the DefaultLevelDBSerializer class deserializing data using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions, which allows an attacker to inject a crafted...

SQL Injection

LibreNMS is vulnerable to SQL Injection. The vulnerability is due to improper input sanitization and lack of parameterization in the IPv6 address search logic, where the prefix value is directly concatenated into the SQL query string without validation, and attackers can inject arbitrary SQL...

CVE-2026-3261

A flaw has been found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /settings/index.php of the component Setting Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been published an...

CVE-2026-27149

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering listprivatemessagestag allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and...

EUVD-2026-9098

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in reportnetworkmap.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec without validation or sanitation. If an attacker can modify the...

PT-2026-22483

Name of the Vulnerable Software and Affected Versions wpForo version 2.4.14 Description The software contains an unauthenticated SQL injection issue in the Topics::get topics function. The problem stems from ineffective sanitization using esc sql on unquoted identifiers within the ORDER BY clause...

CVE-2026-28409

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution RCE vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access which can be obtained via the previously reported...

CVE-2026-28517

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in reportnetworkmap.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec without validation or sanitization. If an attacker can modify the...

CVE-2026-28516 openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

CVE-2026-28516

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...