CVE-2026-48231

Open ISES Tickets prior to 3.44.2 contains a SQL injection in tables.php. The vulnerability arises because multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization, allowi...

EUVD-2026-29359

SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting...

BMC Control-M/MFT 安全漏洞

BMC Control-M/MFT is an enterprise-level file transfer and job scheduling integration management software developed by the American company BMC. Versions of BMC Control-M/MFT 9.0.22 and earlier contained security vulnerabilities. These vulnerabilities were due to improper input validation in the...

SQL Injection

Overview payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to SQL Injection via the endpoints accepting dynamic query for Collections. An attacker can access sensitive information or modify data by submitting specially...

PT-2026-25865

Summary The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm list columns table via prepared statements safe storage, but are later read back and...

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currencysymbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or...

CVE-2026-26745

OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currencysymbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or...

EUVD-2025-200301

Lvzhou CMS before commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 2025-09-22 is vulnerable to SQL injection via the 'title' parameter in com.wanli.lvzhoucms.service.ContentServicefindPage. The parameter is concatenated directly into a dynamic SQL query without sanitization or prepared statements,...

CVE-2020-15008

A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user...