CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

13191 matches found

EUVD•added 2026/04/22 8:39 p.m.•3 views

EUVD-2026-25098

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS6.1AI score0.0052EPSS

Exploits0References2

Vulnrichment•added 2026/04/22 8:39 p.m.•1 views

CVE-2026-41167 Jellystat has SQL Injection that leads to to Remote Code Execution

9.1CVSS6.1AI score0.0052EPSS

Exploits0References2

ATTACKERKB•added 2026/04/22 8:39 p.m.•3 views

CVE-2026-41167

9.1CVSS6.1AI score0.0052EPSS

Exploits0References3Affected Software1

CVE•added 2026/04/22 8:39 p.m.•12 views

CVE-2026-41167

Jellystat prior to 1.1.10 exposes SQL injection via POST /api/getUserDetails and POST /api/getLibrary, where unsanitized request-body fields are interpolated into raw SQL. This allows an authenticated user to read any table (including app_config) and, due to node-postgres simple query usage, enab...

9.1CVSS6.1AI score0.0052EPSS

Exploits0References2

Positive Technologies•added 2026/04/22 12:0 a.m.•3 views

PT-2026-34561

9.1CVSS6.1AI score0.0052EPSS

Exploits0References4

NVD•added 2026/04/21 9:16 p.m.•0 views

CVE-2026-40906

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the orderby parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted...

9.9CVSS0.00405EPSS

Exploits1References2

EUVD•added 2026/04/21 8:5 p.m.•3 views

EUVD-2026-24475

9.9CVSS5.8AI score0.00405EPSS

Exploits1References2

Vulnrichment•added 2026/04/21 8:5 p.m.•3 views

CVE-2026-40906 Electric: SQL Injection via ORDER BY Parameter in Shape API

9.9CVSS5.8AI score0.00405EPSS

Exploits1References2

CVE•added 2026/04/21 8:5 p.m.•4 views

CVE-2026-40906

Electric’s CVE-2026-40906 describes an error-based SQL injection in the order_by parameter of the ElectricSQL /v1/shape API in Electric (Postgres sync engine). Affected versions range from 1.1.12 up to before 1.5.0; an authenticated user could craft ORDER BY expressions to read, write, and destro...

9.9CVSS5.8AI score0.00405EPSS

Exploits1References2Affected Software1

Github Security Blog•added 2026/04/21 6:26 p.m.•6 views

OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability w...

4.9CVSS5.8AI score0.00235EPSS

Exploits0References6Affected Software1

OSV•added 2026/04/21 6:26 p.m.•3 views

GHSA-6VGR-CP5C-FFX3 OpenBao's SQL Injection in PostgreSQL database secrets engine

4.9CVSS5.8AI score0.00235EPSS

Exploits0References6

SUSE CVE•added 2026/04/21 12:16 p.m.•1 views

SUSE CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

4.9CVSS5.8AI score0.00235EPSS

Exploits0References3

RedhatCVE•added 2026/04/21 11:46 a.m.•2 views

CVE-2026-39946

A flaw was found in OpenBao. When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, it failed to use proper database quoting on schema names. This oversight could lead to role revocation failures or, in rarer instances, allow a management user to perform SQL injectio...

4.9CVSS5.8AI score0.00235EPSS

Exploits0References4

Snyk•added 2026/04/21 2:8 a.m.•1 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection due to improper quoting of schema names in the PostgreSQL database secrets engine during the role revocation process. An attacker can execute arbitrary SQL commands as the management user by supplying crafted schema names...

5.8CVSS6.2AI score0.00235EPSS

Exploits0References2

NVD•added 2026/04/21 1:16 a.m.•2 views

CVE-2026-39946

4.9CVSS0.00235EPSS

Exploits0References1

Cvelist•added 2026/04/21 12:19 a.m.•25 views

CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine

4.6CVSS0.00235EPSS

Exploits0References1

Vulnrichment•added 2026/04/21 12:19 a.m.•2 views

CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine

4.6CVSS5.8AI score0.00235EPSS

Exploits0References1

CVE•added 2026/04/21 12:19 a.m.•9 views

CVE-2026-39946

OpenBao (open source identity-based secrets manager) before version 2.5.3 is affected. When revoking privileges on a role within the PostgreSQL database secrets engine, OpenBao could fail to properly quote schema names provided by PostgreSQL, potentially leading to role revocation failures and, m...

4.9CVSS5.8AI score0.00235EPSS

Exploits0References1Affected Software1

AlpineLinux•added 2026/04/21 12:19 a.m.•1 views

CVE-2026-39946

4.9CVSS5.8AI score0.00235EPSS

Exploits0

Positive Technologies•added 2026/04/21 12:0 a.m.•3 views

PT-2026-34173

Name of the Vulnerable Software and Affected Versions Electric versions 1.1.12 through 1.4.x Description The '/v1/shape' API in ElectricSQL contains an error-based SQL injection flaw. This occurs when the order by parameter is processed, allowing an authenticated user to execute crafted ORDER BY...

9.9CVSS5.9AI score0.00405EPSS

Exploits1References7

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by