58 matches found

CVE
added 2026/05/27 5:16 p.m.

CVE-2026-44521

elFinder contains an authenticated SQL injection in the MySQL volume driver (elFinderVolumeMySQL). A logged-in user, including those with read-only access, can inject SQL via a crafted target file hash, potentially leading to unauthorized data disclosure and denial of service. Affected installati...

CVSS 8.8, AI score 5.9, EPSS 0.00032
Exploits: 0, References: 1
Vulnrichment
added 2026/05/27 5:16 p.m.

CVE-2026-44521 elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to...

CVSS 8.8, AI score 5.9, EPSS 0.00032
Exploits: 0, References: 1
OSV
added 2026/05/11 4:11 p.m.

GHSA-C3GJ-Q88F-7HQJ elFinder MySQL has a SQL Injection in its Volume Driver (elFinderVolumeMySQL)

Summary: An authenticated SQL injection vulnerability in the elFinder MySQL volume driver elFinderVolumeMySQL allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized...

CVSS 8.8, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 2
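The three elFinder entries above describe a "crafted target file hash" as the injection vector. The following added example (not elFinder's code) shows why that works: elFinder file hashes are a volume id followed by URL-safe base64 of the file's path, and in the MySQL volume driver that path is the numeric row id, so a driver that decodes the hash and splices the result into SQL is injectable by anyone who can submit a hash. The hash encoding, the `m1_` volume id and the `files` table are assumptions for the demo; sqlite3 stands in for MySQL so the block runs offline.

```python
import base64
import sqlite3

# Added example, not elFinder's code. Hash scheme follows elFinder's documented
# format (assumption): "<volume id>_" + base64(path), with "+/=" mapped to "-_."
# and trailing "." padding stripped. In the MySQL driver the path is a row id.
VOLUME_ID = "m1_"  # assumed volume id for this demo


def encode_hash(path: str) -> str:
    b64 = base64.b64encode(path.encode()).decode()
    return VOLUME_ID + b64.translate(str.maketrans("+/=", "-_.")).rstrip(".")


def decode_hash(target: str) -> str:
    if not target.startswith(VOLUME_ID):
        raise ValueError("hash belongs to another volume")
    b64 = target[len(VOLUME_ID):].translate(str.maketrans("-_.", "+/="))
    b64 += "=" * (-len(b64) % 4)  # restore the stripped padding
    return base64.b64decode(b64).decode()


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the MySQL volume's files table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO files VALUES (?, ?)",
                   [(1, "readme.txt"), (7, "payroll.xlsx")])
    return db


def fetch_vulnerable(db: sqlite3.Connection, target: str) -> list:
    # The decoded hash is trusted and spliced straight into the query.
    file_id = decode_hash(target)
    return db.execute(f"SELECT name FROM files WHERE id = '{file_id}'").fetchall()


def fetch_safe(db: sqlite3.Connection, target: str) -> list:
    # Validate the decoded id against its expected shape, then bind it.
    file_id = decode_hash(target)
    if not file_id.isdigit():
        raise ValueError(f"rejected file id {file_id!r}")
    return db.execute("SELECT name FROM files WHERE id = ?", (int(file_id),)).fetchall()


def safe_rejects(db: sqlite3.Connection, target: str) -> bool:
    try:
        fetch_safe(db, target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = encode_hash("' OR 1=1 --")  # any logged-in user can submit this hash
    print(fetch_vulnerable(db, encode_hash("1")))  # only readme.txt
    print(fetch_vulnerable(db, crafted))           # every row in the table
    print("safe path rejects crafted hash:", safe_rejects(db, crafted))
```

The check in `fetch_safe` is deliberately on the decoded value's shape rather than on the base64 text: the hash is attacker-controlled encoding, so validation has to happen after decoding and before the value reaches SQL.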
Fedora
added 2026/03/07 12:34 a.m.

[SECURITY] Fedora 44 Update: python-asyncmy-0.2.11-2.fc44

asyncmy is a fast asyncio MySQL/MariaDB driver, which reuses most of pymysql and aiomysql but rewrites the core protocol with Cython to speed it up...

AI score 5.8
Exploits: 0
GitLab Advisory Database
added 2026/02/18 12:00 a.m.

filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

Point.MultiScalarMult failed to initialize its receiver. If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result. If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver wa...

CVSS 6.3, AI score 5.6, EPSS 0.00018
Exploits: 0, References: 6, Affected Software: 1
Snyk
added 2025/12/02 9:31 p.m.

SQL Injection

Overview: asyncmy is a fast asyncio MySQL driver. Affected versions of this package are vulnerable to SQL Injection through the escape_dict function. An attacker can execute arbitrary SQL commands by using untrusted JSON input because keys are not properly escaped. Remediation: A fix was pushed in...

CVSS 9.8, AI score 8.2, EPSS 0.00036
Exploits: 0, References: 2
CNNVD
added 2025/09/21 12:00 a.m.

JimuReport code issue vulnerability

JimuReport is a free reporting tool open-sourced by JEECG in China. A code issue vulnerability exists in JimuReport 2.1.2 and earlier versions, which stems from a deserialization issue in file /drag/onlDragDataSource/testConnection in the MySQL JDBC Handler component, which could lead to remote...

CVSS 6.5, AI score 6.5, EPSS 0.00057
Exploits: 1, References: 5
Positive Technologies
added 2025/09/02 12:00 a.m.

PT-2025-35547

Name of the Vulnerable Software and Affected Versions: H2O-3 versions prior to 3.46.0.8
Description: A deserialization issue exists in the H2O-3 REST API /99/ImportSQLTable. The vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a...

CVSS 9.8, AI score 9.7, EPSS 0.0284
Exploits: 0, References: 7
Huntr
added 2025/06/04 11:14 a.m.

H2O-3 MySQL JDBC Driver Deserialization Vulnerability_Key-Value Bypass Parameter Inspection

Creator: zack
H2O-3 Version: 3.46.0.7, 3.47.0.6928
MySQL JDBC Driver Version: 8.0.19
JDK Version: 8u112
Description: There is a JDBC deserialization vulnerability in the H2O-3 REST API (POST /99/ImportSQLTable) that does not require authentication. This vulnerability can lead to Remote Code Executio...

CVSS 9.8, AI score 7.4, EPSS 0.0284
Exploits: 0
RedhatCVE
added 2025/05/22 5:03 a.m.

CVE-2018-18529

ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI...

CVSS 9.8, AI score 8.1, EPSS 0.0025
Exploits: 1, References: 1
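The asyncmy entry (keys of an untrusted dict not escaped by escape_dict) and the ThinkPHP entry (parseKey mishandling the key variable) are the same bug class: the driver escapes values but lets untrusted keys become SQL identifiers, and identifiers cannot be made safe by string escaping. The following added example is not asyncmy's or ThinkPHP's code; it is a dict-to-INSERT builder in the same style, with sqlite3 standing in for MySQL and a constructed JSON document as the untrusted input. The `IDENT` allow-list, `quote_ident` and the `users` table are assumptions for the demo.

```python
import json
import re
import sqlite3

# Added example, not asyncmy's or ThinkPHP's code. sqlite3 stands in for MySQL.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed identifier policy


def escape_value(v) -> str:
    """Escape one value as a SQL literal. Simplified: values only, never keys."""
    if v is None:
        return "NULL"
    if isinstance(v, bool):
        return "1" if v else "0"
    if isinstance(v, (int, float)):
        return str(v)
    return "'" + str(v).replace("'", "''") + "'"


def build_insert_vulnerable(table: str, row: dict) -> str:
    # Values are escaped, but the keys, which become column names, are not.
    cols = ", ".join(row.keys())
    vals = ", ".join(escape_value(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals})"


def quote_ident(name: str) -> str:
    # Identifiers cannot be escaped like strings: allow-list their shape, then quote.
    if not IDENT.match(name):
        raise ValueError(f"rejected identifier {name!r}")
    return f"`{name}`"


def build_insert_safe(table: str, row: dict) -> str:
    cols = ", ".join(quote_ident(k) for k in row)
    vals = ", ".join(escape_value(v) for v in row.values())
    return f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ({vals})"


# Constructed untrusted JSON: the attacker-controlled key closes the column list,
# supplies its own VALUES clause and comments out the real one.
UNTRUSTED_JSON = '{"name": "eve", "role) VALUES (\'eve\', \'admin\') -- ": "x"}'
UNTRUSTED_ROW = json.loads(UNTRUSTED_JSON)


def insert_and_fetch(builder, row: dict) -> list:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT DEFAULT 'user')")
    db.execute(builder("users", row))
    return db.execute("SELECT name, role FROM users").fetchall()


def builder_rejects(builder, row: dict) -> bool:
    try:
        builder("users", row)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_insert_vulnerable("users", UNTRUSTED_ROW))
    print(insert_and_fetch(build_insert_vulnerable, UNTRUSTED_ROW))  # eve is admin
    print(builder_rejects(build_insert_safe, UNTRUSTED_ROW))         # True
    print(insert_and_fetch(build_insert_safe, {"name": "bob"}))      # bob is user
```

The fix is an allow-list on the identifier's shape, not a backtick-escaping routine: ThinkPHP's advisory notes that a backquote is not even needed in the attack, so a key that merely "looks quoted" is no evidence it is safe.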
Veracode
added 2025/03/27 6:56 a.m.

Deserialization Of Untrusted Data

H2O-3 is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization due to user-controlled JDBC URLs being passed to DriverManager.getConnection, which can trigger deserialization of untrusted data when MySQL or PostgreSQL drivers are available in the...

CVSS 9.8, AI score 7.1, EPSS 0.02857
Exploits: 1, References: 4, Affected Software: 2
RedhatCVE
added 2025/03/22 12:08 p.m.

CVE-2024-10553

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are...

CVSS 9.8, AI score 7.9, EPSS 0.02857
Exploits: 1, References: 1
OSV
added 2025/03/20 10:15 a.m.

CVE-2024-10553

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are...

CVSS 9.8, AI score 8.2
Exploits: 0, References: 2
SUSE CVE
added 2025/02/11 3:47 a.m.

SUSE CVE-2025-24787

WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string concatenation to build...

CVSS 7.5, AI score 7.1, EPSS 0.00183
Exploits: 0, References: 3
OSV
added 2025/02/06 6:41 p.m.

CVE-2025-24787 Parameter injection in DB connection URIs leading to local file inclusion in WhoDB

WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string concatenation to build...

CVSS 8.6, AI score 7.1, EPSS 0.00183
Exploits: 0, References: 4
Microsoft CVE
added 2024/12/09 8:00 a.m.

Leak partial content of the heap through heap buffer over-read in mysqlnd

...

CVSS 5.8, AI score 7, EPSS 0.00663
Exploits: 1
NVD
added 2024/02/12 9:15 p.m.

CVE-2024-23833

OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine version <= 3.7.7 where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest...

CVSS 7.5, AI score 7.6, EPSS 0.01329
Exploits: 1, References: 2
UbuntuCve
added 2024/02/12 9:15 p.m.

CVE-2024-23833

OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine version <= 3.7.7 where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest...

CVSS 7.5, AI score 7, EPSS 0.01329
Exploits: 1, References: 4
Prion
added 2024/02/12 9:15 p.m.

Design/Logic Flaw

OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine version <= 3.7.7 where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest...

CVSS 5, AI score 7.3, EPSS 0.01329
Exploits: 1, References: 2
OSV
added 2024/02/12 8:15 p.m.

CVE-2024-23833 OpenRefine JDBC Attack Vulnerability

OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine version <= 3.7.7 where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest...

CVSS 7.5, AI score 7.6, EPSS 0.01329
Exploits: 1, References: 4
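The H2O-3, WhoDB and OpenRefine entries above share one root cause: a connection string is either built by concatenating user input (WhoDB) or taken wholesale from the request and handed to the driver (H2O-3, OpenRefine), so the attacker chooses the server and the driver properties. The following added example, which is not code from any of those projects, shows the concatenation bug beside the percent-encoded form, and a policy check that a practitioner can put in front of `DriverManager.getConnection` or its equivalent: the host must be on an allow list and the properties that let a rogue MySQL server trigger deserialization or read client-side files (`autoDeserialize`, the `allowLoadLocalInfile` family and `allowUrlInLocalInfile` for Connector/J, `allowAllFiles` for go-sql-driver/mysql, plus interceptor class loading) are refused outright. The `FORBIDDEN_PARAMS` list, the allowed-host set and the function names are assumptions for the demo; the check handles URL-style JDBC strings only, not the `user:pw@tcp(host)/db` DSN form.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Added example, not WhoDB's, H2O-3's or OpenRefine's code.
# Driver properties that turn a connection to an attacker-chosen server into a
# deserialization or local-file-read primitive. Starting point, not exhaustive.
FORBIDDEN_PARAMS = {
    "autodeserialize",            # Connector/J: deserialize BLOBs from the server
    "allowloadlocalinfile",       # Connector/J: server may request client files
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "allowallfiles",              # go-sql-driver/mysql equivalent
    "queryinterceptors",          # Connector/J: load arbitrary classes by name
    "statementinterceptors",
}
ALLOWED_SCHEMES = {"mysql", "postgresql"}


def build_dsn_vulnerable(host: str, database: str, user: str, password: str) -> str:
    # String concatenation: an '&' or '=' in any field becomes a new driver property.
    return f"jdbc:mysql://{host}/{database}?user={user}&password={password}"


def build_dsn_safe(host: str, database: str, user: str, password: str) -> str:
    # Percent-encode each field so it cannot introduce extra properties.
    query = urlencode({"user": user, "password": password})
    return f"jdbc:mysql://{host}/{database}?{query}"


def check_jdbc_url(url: str, allowed_hosts: set) -> list:
    """Return policy violations for a JDBC URL; an empty list means acceptable."""
    violations = []
    if not url.startswith("jdbc:"):
        return ["not a jdbc url"]
    parts = urlsplit(url[len("jdbc:"):])
    if parts.scheme not in ALLOWED_SCHEMES:
        violations.append(f"scheme {parts.scheme!r} not allowed")
    if parts.hostname not in allowed_hosts:
        violations.append(f"host {parts.hostname!r} not in allow list")
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in FORBIDDEN_PARAMS:
            violations.append(f"forbidden parameter {key.lower()}")
    return violations


if __name__ == "__main__":
    allowed = {"db.internal"}  # assumed allow list for the demo
    evil_user = "alice&allowLoadLocalInfile=true"  # constructed attacker input
    print(check_jdbc_url(build_dsn_vulnerable("db.internal", "app", evil_user, "pw"), allowed))
    print(check_jdbc_url(build_dsn_safe("db.internal", "app", evil_user, "pw"), allowed))
    rogue = "jdbc:mysql://attacker.example:3306/x?autoDeserialize=true&queryInterceptors=com.example.Evil"
    print(check_jdbc_url(rogue, allowed))
```

Refusing a forbidden property regardless of its value is deliberate: there is no legitimate reason for a request to carry it, and comparing against "false" invites the key-value bypass the Huntr entry's title alludes to. The host allow list matters as much as the parameter filter, because once the attacker controls the server end of a MySQL connection the protocol itself can ask the client for files.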