Lucene search

83 matches found

RedhatCVE
added 5 days ago | 8 views

CVE-2026-45288

Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to...

9.8 CVSS | 5.9 AI score | 0.00038 EPSS
Exploits: 0 | References: 1

The Hacker News
added 6 days ago | 11 views

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an...

9.8 CVSS | 8.1 AI score | 0.79886 EPSS
Exploits: 11

GithubExploit
added 2026/05/20 6:38 p.m. | 63 views

drupal-sa-core-2026-004-lab

SA-CORE-2026-004 — Lab, PoC, and Post-mortem Drupal core SQ...

6 AI score
Exploits: 0

Debian CVE
added 2026/05/14 3:10 a.m. | 2 views

CVE-2026-46445

SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection...

7.1 CVSS | 5.9 AI score | 0.00031 EPSS
Exploits: 0

OSV
added 2026/05/06 4:44 p.m. | 0 views

GHSA-6J7P-QJHG-9947 Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

Summary: A SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...

9.9 CVSS | 6.8 AI score | 0.00048 EPSS
Exploits: 0 | References: 3

RedhatCVE
added 2026/04/22 10:58 a.m. | 1 views

CVE-2026-40906

A flaw was found in ElectricSQL, a Postgres sync engine. An authenticated user could exploit an error-based SQL injection vulnerability in the /v1/shape API's orderby parameter. This flaw allows an attacker to read, write, and destroy the full contents of the underlying PostgreSQL database. Such ...

9.9 CVSS | 5.8 AI score | 0.00034 EPSS
Exploits: 1 | References: 5

CNNVD
added 2026/04/21 12:0 a.m. | 3 views

OpenBao SQL Injection Vulnerability

OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 had a SQL injection vulnerability. This vulnerability occurred when revoking role permissions in the PostgreSQL database key engine, where the correct database reference was not...

4.9 CVSS | 5.8 AI score | 0.00032 EPSS
Exploits: 0 | References: 2

Snyk
added 2026/04/01 6:32 a.m. | 0 views

SQL Injection

Overview: @langchain/google-cloud-sql-pg is a LangChain.js integration for Google Cloud SQL for PostgreSQL. Affected versions of this package are vulnerable to SQL Injection via the PostgresChatMessageHistory.initialize method due to improper validation of parameters before incorporating them int...

5 CVSS | 6.1 AI score
Exploits: 0 | References: 3

Vulnrichment
added 2026/03/30 12:0 a.m. | 1 views

CVE-2026-29953

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go...

6 AI score | 0.00034 EPSS
Exploits: 1 | References: 2

Github Security Blog
added 2026/03/24 7:12 p.m. | 4 views

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Impact: An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-lev...

8.6 CVSS | 6.1 AI score | 0.00024 EPSS
Exploits: 0 | References: 7 | Affected Software: 1

Cvelist
added 2026/03/12 7:14 p.m. | 21 views

CVE-2026-32248 Parse Server: Account takeover via operator injection in authentication data identifier

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user...

9.3 CVSS | 0.001 EPSS
Exploits: 0 | References: 3

Github Security Blog
added 2026/03/06 11:59 p.m. | 4 views

WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool

Summary: A critical Remote Code Execution (RCE) vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within PostgreSQL array expressions and row expressions, allowing attackers to bypass SQL injection protections. By...

9.9 CVSS | 6.5 AI score | 0.0024 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2026/02/28 5:14 a.m. | 2 views

Input Validation Bypass

Apache Superset is vulnerable to Input Validation Bypass. Specially crafted SQL statements can bypass the read-only verification check when using a PostgreSQL database connection, and attackers can exploit this to execute unauthorized actions...

7.1 CVSS | 5.7 AI score | 0.00041 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Packet Storm
added 2026/01/30 12:0 a.m. | 121 views

Advantech IoTSuite / IoT Edge SQL Injection

A critical unauthenticated SQL injection vulnerability was identified in Advantech WISE-IoTSuite / SaaS Composer. The issue resides in the /displays/filename.json endpoint, where the filename parameter is improperly sanitized before being concatenated into a backend PostgreSQL query. An attacker...

6.5 AI score
Exploits: 0

EUVD
added 2025/11/12 4:29 a.m. | 2 views

EUVD-2025-124194

Malicious code in oauth-dotenv-safe-sagitta-postgres npm...

6.6 AI score
Exploits: 0

EUVD
added 2025/11/12 4:29 a.m. | 1 views

EUVD-2025-111568

Malicious code in loopback-firebase-postgres-luna npm...

6.6 AI score
Exploits: 0

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2020-25315

Malware in sbrugna...

9 CVSS | 8.9 AI score | 0.00418 EPSS
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2006-4034

Malware in sbrugna...

7.5 CVSS | 6.1 AI score | 0.01775 EPSS
Exploits: 0 | References: 11

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2020-27019

Malware in sbrugna...

5.8 CVSS | 5.2 AI score | 0.00119 EPSS
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2008-2375

Malware in sbrugna...

5.1 CVSS | 6 AI score | 0.00605 EPSS
Exploits: 1 | References: 10