UFIDA U8 Cloud suffers from SQL injection vulnerability (CNVD-2026-12149)

U8 Cloud is a new-generation cloud ERP Enterprise Resource Planning solution launched by UFIDA, mainly for growing and innovative enterprises, aiming to provide a comprehensive enterprise-level cloud ERP total solution. A SQL injection vulnerability exists in UFIDA U8 Cloud, which can be exploite...

SQL Injection Vulnerability in Remote Medical Comprehensive Service Platform of Beijing Divine Vision Han Technology Co. Ltd (CNVD-C-2025-928742)

Ltd. is a deep-rooted enterprise in the field of visualization. A SQL injection vulnerability exists in the remote medical integrated service platform of Beijing Shenzhou Vision Han Technology Co. Ltd, which can be exploited by attackers to obtain sensitive information from the database...

PT-2025-48161

Name of the Vulnerable Software and Affected Versions Frappe CRM version 1.53.1 Description The Frappe CRM Dashboard Controller contains multiple SQL injection flaws. These flaws are due to the unsafe concatenation of user-controlled parameters into dynamic SQL statements. The issue allows for...

CVE-2025-65235

OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function...

IBM DB2 DoS (7250479) (Windows)

According to its self-reported version number, IBM Db2 on Windows may be affected by a vulnerability: - IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated us...

IBM DB2 DoS (7250479) (Unix)

According to its self-reported version number, IBM Db2 on Unix may be affected by a vulnerability: - IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user ...

EUVD-2025-199642

An issue was discovered in jishenghua JSHERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject, introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads...

EUVD-2025-199617

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database...

CVE-2025-64066

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database...

CVE-2025-64066

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database...

CVE-2025-65998

Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...

Cross-site Scripting

form-to-database is vulnerable to Cross-Site Scripting. The vulnerability is due to improper handling of form values, where non-string inputs were not sanitized or safely normalized, and attackers can exploit this by injecting malicious JavaScript that executes when the data is rendered...

Exploit for Unrestricted Upload of File with Dangerous Type in Skittles Employee_Records_System

CVE-2021-4462 Test Environment Docker-based test environment...

EUVD-2025-199560

A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security...

EUVD-2025-199566

The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

WordPress ProjectList plugin <= 0.3.0 - Authenticated (Editor+) SQL Injection via 'id' Parameter vulnerability

Authenticated Editor+ SQL Injection via 'id' Parameter vulnerability discovered by Ivan Cese in WordPress Plugin ProjectList versions = 0.3.0...

SQL Injection Vulnerability in Multimedia Integrated Service Display System of Beijing Shenzhou Vision Han Technology Co., Ltd (CNVD-C-2025-921601)

Ltd. is a deep-rooted enterprise in the field of visualization. A SQL injection vulnerability exists in the multimedia integrated business display system of Beijing Divine Vision Han Technology Co. Ltd, which can be exploited by attackers to obtain sensitive information from the database...

SQL Injection Vulnerability in Multimedia Integrated Service Display System of Beijing Divine Vision Han Technology Co., Ltd (CNVD-C-2025-924158)

Ltd. is a deep-rooted enterprise in the field of visualization. A SQL injection vulnerability exists in the multimedia integrated business display system of Beijing Divine Vision Han Technology Co. Ltd, which can be exploited by attackers to obtain sensitive information from the database...

SQL Injection Vulnerability in Multimedia Integrated Service Display System of Beijing Divine Vision Han Technology Co., Ltd (CNVD-C-2025-924847)

Ltd. is a deep-rooted enterprise in the field of visualization. A SQL injection vulnerability exists in the multimedia integrated business display system of Beijing Divine Vision Han Technology Co. Ltd, which can be exploited by attackers to obtain sensitive information from the database...

SQL Injection Vulnerability in Multimedia Integrated Service Display System of Beijing Shenzhou Vision Han Technology Co., Ltd (CNVD-C-2025-925280)

Ltd. is a deep-rooted enterprise in the field of visualization. A SQL injection vulnerability exists in the multimedia integrated business display system of Beijing Divine Vision Han Technology Co. Ltd, which can be exploited by attackers to obtain sensitive information from the database...