77 matches found
CVE-2026-27461
Summary : Pimcore pre-12.3.3 exposes a SQL-like injection in the dependency listing filter. In versions up to 11.5.14.1 and 12.3.2, the filter query parameter is JSON-decoded and the value is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Impact : With adm...
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)
An authenticated attacker in SAP CRM and SAP S/4HANA Scripting Editor could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impa...
CVE-2020-37116
GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise...
CVE-2026-25137
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store...
CVE-2026-24139
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export...
CVE-2026-24139
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export...
CVE-2026-24139
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export...
CVE-2023-54333 Social-Share-Buttons 2.2.3 - SQL Injection via project_id Parameter
Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the projectid parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entir...
EUVD-2025-205435
SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP to infer database contents. Successful exploitation may lead to full database compromise, especially...
ChurchCRM Event Participant Editor SQL Injection Vulnerability
ChurchCRM is an open source church management system. ChurchCRM suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered SQL statements in the event participant editor. An attacker can exploit the vulnerability to cause a full database disclosure and...
CVE-2025-63891
The vulnerability CVE-2025-63891 affects SourceCodester’s Simple Online Book Store System. A remote, unauthenticated attacker can disclose the full database contents (including schema and credential hashes) by accessing a web‑accessible backup file via an unauthenticated HTTP GET to /obs/database...
PT-2025-44587
Name of the Vulnerable Software and Affected Versions Abis Technology BAPSIS versions prior to 202510271606 Description An Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' issue exists in Abis Technology BAPSIS, allowing for Blind SQL Injection. This allows...
Revive Adserver: Error-Based & Time-Based SQL Injection in 'keyword' Parameter of admin-search.php Allowing Full Database Access in Revive Adserver v6.0.0
==Cricetinae== Summary: A critical SQL Injection vulnerability has been identified in Revive Adserver's administrative search functionality, specifically in the admin-search.php file. The vulnerability exists in the handling of the keyword GET parameter, which is passed to multiple database queri...
EUVD-2025-5887
Malicious code in bioql PyPI...
CVE-2025-52042
In Frappe ERPNext 15.57.5, the function getrfqcontainingsupplier at erpnext/buying/doctype/requestforquotation/requestforquotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter...
PT-2025-38610
Name of the Vulnerable Software and Affected Versions Vasion Print Virtual Appliance Host versions prior to 22.0.843 Vasion Print Application versions prior to 20.0.1923 Description Vasion Print contains dangerous PHP dead code in multiple Docker-hosted PHP instances. A script located at...
CVE-2025-58443 FOG's authentication bypass leads to full SQL DB dump
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is...
Exploit for CVE-2025-58443
CVE-2025-58443 exploit POC for https://github.com/FOGProject/...
PT-2025-4856 · Wegia · Wegia
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.2.10 Description: WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the...
PT-2024-39144 · Unknown · Alisonic Sibylla
Name of the Vulnerable Software and Affected Versions: Alisonic Sibylla affected versions not specified Description: The issue concerns SQL injection attacks, which could allow complete access to the database. Attackers can remotely compromise databases. There is no information provided about the...