
82300 matches found

Cvelist
added 2026/02/03 10:1 p.m., 27 views

CVE-2020-37078 i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the deleteimport parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from...

CVSS 8.8, EPSS 0.00325
Exploits: 0, References: 4

EUVD
added 2026/02/03 10:1 p.m., 3 views

EUVD-2020-30996

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the deleteimport parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from...

CVSS 8.8, AI score 5.5, EPSS 0.00325
Exploits: 0, References: 4

ATTACKERKB
added 2026/02/03 10:1 p.m., 2 views

CVE-2020-37078

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the deleteimport parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from...

CVSS 8.8, AI score 5.5, EPSS 0.00325
Exploits: 0, References: 4, Affected Software: 1

Vulnrichment
added 2026/02/03 10:1 p.m., 3 views

CVE-2019-25260 OXID eShop 6.3.4 - 'sorting' SQL Injection

OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, AI score 6.2, EPSS 0.00407
Exploits: 0, References: 7

CVE
added 2026/02/03 10:1 p.m., 13 views

CVE-2019-25260

OXID eShop 6.x prior to 6.3.4 is affected by a SQL injection in the sorting parameter, which can allow an attacker to alter the database content and, per the sources, execute arbitrary code via crafted URLs. The issue is confirmed across CVE-2019-25260 entries and corroborated by Snyk and CVE rec...

CVSS 8.8, AI score 6.2, EPSS 0.00407
Exploits: 0, References: 7

OSV
added 2026/02/03 8:15 p.m., 2 views

CVE-2025-10878

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full...

CVSS 10, AI score 5.9, EPSS 0.00602
Exploits: 2, References: 2

NVD
added 2026/02/03 7:16 p.m., 6 views

CVE-2026-25236

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN ... list. This issue has been patched in version 1.33.0...

CVSS 9.8, EPSS 0.00266
Exploits: 0, References: 1

OSV
added 2026/02/03 7:16 p.m., 5 views

UBUNTU-CVE-2026-25238

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0...

CVSS 9.8, AI score 5.8, EPSS 0.00266
Exploits: 0, References: 3

GitHub Security Blog
added 2026/02/03 6:44 p.m., 6 views

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

Summary: A SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. Proof of Concept Vulnerable Code File:...

CVSS 8.8, AI score 5.9, EPSS 0.00381
Exploits: 3, References: 3, Affected Software: 1

Snyk
added 2026/02/03 6:44 p.m., 4 views

SQL Injection

Overview: devcode-it/openstamanager is a management software for technical assistance and electronic invoicing. Affected versions of this package are vulnerable to SQL Injection via the get_sedi operation in ajax_complete endpoint when user input from the idanagrafica parameter is concatenated direct...

CVSS 8.8, AI score 6.4, EPSS 0.00381
Exploits: 3, References: 2

Cvelist
added 2026/02/03 6:31 p.m., 29 views

CVE-2026-25240 PEAR is Vulnerable to SQL Injection in user::maintains() Role IN() Filter

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains when role filters are provided as an array and interpolated into an IN ... clause. This issue has been patched in version 1.33.0...

CVSS 6.9, EPSS 0.00266
Exploits: 0, References: 1

Cvelist
added 2026/02/03 6:30 p.m., 28 views

CVE-2026-25239 PEAR is Vulnerable to SQL Injection in apidoc_queue Insert via Unescaped Filename

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0...

CVSS 8.2, EPSS 0.00214
Exploits: 0, References: 1

OSV
added 2026/02/03 6:30 p.m., 2 views

GHSA-7G56-FWXJ-CM23 FUXA contains an Unrestricted File Upload vulnerability

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVSS 9.3, AI score 6, EPSS 0.00726
Exploits: 0, References: 3

OSV
added 2026/02/03 6:30 p.m., 6 views

CVE-2026-25238 PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0...

CVSS 9.2, AI score 5.6, EPSS 0.00266
Exploits: 0, References: 3

EUVD
added 2026/02/03 6:30 p.m., 5 views

EUVD-2026-5197

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0...

CVSS 9.2, AI score 5.6, EPSS 0.00266
Exploits: 0, References: 1

Snyk
added 2026/02/03 6:17 p.m., 2 views

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection via the all function. An attacker can extract sensitive information from the database, including user credentials, configuration settings, and business data by injecting malicious SQL queries through user-controlled...

CVSS 8.8, AI score 5.8, EPSS 0.00473
Exploits: 3, References: 2

NVD
added 2026/02/03 6:16 p.m., 5 views

CVE-2025-70758

chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/authvalidate.php. The application sends an HTTP redirect via headerLocation:login.php when a user is not authenticated but fails to call exit afterward. This allows remote...

CVSS 7.5, EPSS 0.00624
Exploits: 0, References: 3

NVD
added 2026/02/03 6:16 p.m., 4 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

CVSS 10, EPSS 0.00383
Exploits: 1, References: 2

OSV
added 2026/02/03 6:16 p.m., 6 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

CVSS 7.5, AI score 5.9, EPSS 0.00383
Exploits: 1, References: 2

OSV
added 2026/02/03 6:16 p.m., 3 views

CVE-2025-69981

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVSS 9.8, AI score 6.2
Exploits: 0, References: 1