CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

19 matches found

Github Security Blog•added 2026/04/08 12:14 a.m.•7 views

Drizzle ORM has SQL injection via improperly escaped SQL identifiers

Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled...

7.5CVSS5.8AI score0.00392EPSS

Exploits0References3Affected Software1

Positive Technologies•added 2026/03/20 12:0 a.m.•3 views

PT-2026-26762

Name of the Vulnerable Software and Affected Versions Kysely versions prior to 0.28.14 Description Kysely's DefaultQueryCompiler.sanitizeStringLiteral function inadequately escapes backslashes when handling string literals. Specifically, it only doubles single quotes but does not address...

8.1CVSS6.2AI score0.00419EPSS

Exploits1References7

Cvelist•added 2026/03/19 11:14 p.m.•18 views

CVE-2026-32763 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

8.2CVSS0.00419EPSS

Exploits1References3

OSV•added 2026/03/18 12:59 p.m.•2 views

GHSA-WMRF-HV6W-MR66 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Summary Kysely through 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path string literals '$.key' without escaping single quotes. An...

8.2CVSS6.1AI score0.00419EPSS

Exploits1References5

CakePHP•added 2026/02/24 12:0 a.m.•20 views

CakePHP 5.3.2 Released

CakePHP 5.3.2 Released The CakePHP core team is happy to announce the immediate availability of CakePHP 5.3.2. This is a maintenance release for the 5.3 branch that fixes community reported issues, regressions and a security issue with PaginatorHelper. Bugfixes You can expect the following change...

5.6AI score

Exploits0

EUVD•added 2025/10/03 8:7 p.m.•4 views

EUVD-2022-6798

Malicious code in bioql PyPI...

9.8CVSS7.4AI score0.01861EPSS

Exploits0References3

OSV•added 2022/09/12 12:0 a.m.•35 views

GHSA-FJ2M-W3WV-X9PR Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack

In Apache Calcite prior to version 1.32.0 the SQL operators EXISTSNODE, EXTRACTXML, XMLTRANSFORM and EXTRACTVALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity XXE attack. Therefore any client exposing these...

9.8CVSS8.5AI score0.01861EPSS

Exploits0References3

Prion•added 2022/09/11 12:15 p.m.•30 views

Xxe

Apache Calcite 1.22.0 introduced the SQL operators EXISTSNODE, EXTRACTXML, XMLTRANSFORM and EXTRACTVALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity XXE attack. Therefore any client exposing these operators,...

7.5CVSS9.2AI score0.01861EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2022/09/11 12:0 a.m.•4 views

PT-2022-5789 · Apache · Apache Calcite

Name of the Vulnerable Software and Affected Versions: Apache Calcite versions prior to 1.32.0 Description: The issue is related to the SQL operators EXISTS NODE, EXTRACT XML, XML TRANSFORM, and EXTRACT VALUE not restricting XML External Entity references in their configuration, making them...

10CVSS7AI score0.01861EPSS

Exploits0References11

Cvelist•added 2022/09/11 12:0 a.m.•28 views

CVE-2022-39135 Apache Calcite: potential XEE attacks

9.6AI score0.01861EPSS

Exploits0References2

OSV•added 2019/11/06 5:11 p.m.•4 views

GHSA-J9XP-92VC-559J SQL Injection in sequelize

Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation If you are using sequelize 5.x, upgrade to version...

9.8CVSS7.5AI score0.01315EPSS

Exploits1References5

Fedora•added 2019/06/14 2:17 a.m.•27 views

[SECURITY] Fedora 29 Update: php-phpmyadmin-sql-parser-4.3.2-1.fc29

A validating SQL lexer and parser with a focus on MySQL dialect. This library was originally developed for phpMyAdmin during the Google Summer of Code 2015. Autoloader: /usr/share/php/PhpMyAdmin/SqlParser/autoload.php...

9.8CVSS4.5AI score0.19184EPSS

Exploits4

Fedora•added 2019/06/14 12:55 a.m.•30 views

[SECURITY] Fedora 30 Update: php-phpmyadmin-sql-parser-4.3.2-1.fc30

9.8CVSS4.5AI score0.19184EPSS

Exploits4

Fedora•added 2018/03/01 3:58 p.m.•23 views

[SECURITY] Fedora 26 Update: php-phpmyadmin-sql-parser-4.2.4-3.fc26

5.4CVSS4.5AI score0.01679EPSS

Exploits1

Fedora•added 2016/03/14 12:20 a.m.•33 views

[SECURITY] Fedora 22 Update: php-udan11-sql-parser-3.4.0-1.fc22

A validating SQL lexer and parser with a focus on MySQL dialect. This library was originally developed for phpMyAdmin during the Google Summer of Code 2015. To use this library, you just have to add, in your project: requireonce '/usr/share/php/SqlParser/autoload.php';...

6.8CVSS3.9AI score0.03109EPSS

Exploits0

Fedora•added 2016/03/09 8:16 p.m.•25 views

[SECURITY] Fedora 23 Update: php-udan11-sql-parser-3.4.0-1.fc23

6.8CVSS3.9AI score0.03109EPSS

Exploits0

Fedora•added 2015/11/10 11:20 p.m.•29 views

[SECURITY] Fedora 21 Update: php-udan11-sql-parser-3.0.4-1.fc21

5CVSS3.9AI score0.02624EPSS

Exploits0

Fedora•added 2015/11/10 8:26 p.m.•22 views

[SECURITY] Fedora 23 Update: php-udan11-sql-parser-3.0.4-1.fc23