
178 matches found

UbuntuCve
added 2026/05/10 5:16 a.m., 8 views

CVE-2025-14179

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat, which stops at...

CVSS 9.8, AI score 5.8, EPSS 0.00069
Exploits 0, References 3

AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in libpgjava

pgjdbc is an open-source PostgreSQL JDBC Driver. In affected versions, a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream exceeds 2 kilobytes in size. This temporary file can be...

CVSS 5.5, AI score 6.4, EPSS 0.00082
Exploits 1, References 1

GithubExploit
added 2026/04/13 12:32 a.m., 64 views

blind-sqli-lab

🔬 Blind SQL Injection Lab — Time-Based PostgreSQL + FastAPI...

AI score 6
Exploits 0

Veracode
added 2026/03/28 5:20 a.m., 4 views

SQL Injection

wwbn/avideo is vulnerable to SQL Injection. The vulnerability is due to improper use of prepared statements where user-controlled input videos_id is directly concatenated into the query, which allows an attacker to inject and execute arbitrary SQL commands...

CVSS 8.8, AI score 6.1, EPSS 0.00025
Exploits 1, References 2, Affected Software 1

NVD
added 2026/03/27 5:16 p.m., 2 views

CVE-2026-33770

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...

CVSS 9.8, EPSS 0.00027
Exploits 1, References 2

ATTACKERKB
added 2026/03/27 4:13 p.m., 2 views

CVE-2026-33770

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...

CVSS 7.1, AI score 6, EPSS 0.00027
Exploits 1, References 3, Affected Software 1

Cvelist
added 2026/03/27 4:12 p.m., 21 views

CVE-2026-33767 AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in objects/like.php, the getLike method constructs a SQL query using a prepared statement placeholder ? for users_id but directly concatenates $this->videos_id into the query string without parameterization. An...

CVSS 7.1, EPSS 0.00025
Exploits 1, References 2

Github Security Blog
added 2026/03/16 9:19 p.m., 8 views

Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Summary: The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table via prepared statements (safe storage), but are later read back and...

CVSS 8, AI score 6.1, EPSS 0.00041
Exploits 1, References 4, Affected Software 1

Cvelist
added 2026/02/04 8:25 a.m., 28 views

CVE-2025-15268 Infility Global <= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infilitygetdata' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVSS 7.5, EPSS 0.00043
Exploits 0, References 4

RedHat Linux
added 2026/01/27 5:44 p.m., 3 views

php: PHP: Denial of Service via invalid character sequence in PDO PostgreSQL prepared statement

A flaw was found in PHP. When the PDO (PHP Data Objects) PostgreSQL driver is configured with PDO::ATTR_EMULATE_PREPARES enabled, a remote attacker can exploit a vulnerability by providing an invalid character sequence within a prepared statement parameter. This can cause a null pointer dereference,...

CVSS 8.2, AI score 5.8, EPSS 0.00056
Exploits 2, References 5

SUSE CVE
added 2025/12/28 12:30 a.m., 4 views

SUSE CVE-2025-14180

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence such as \x99 in a prepared statement parameter may cause the quoting function...

CVSS 5.9, AI score 6.5, EPSS 0.00056
Exploits 2, References 12

CVE
added 2025/12/27 7:21 p.m., 38 views

CVE-2025-14180

CVE-2025-14180 affects PHP’s PDO PostgreSQL driver when using PDO::ATTR_EMULATE_PREPARES and can cause a NULL return from PQescapeStringConn on certain invalid parameter sequences, leading to a NULL pointer dereference in pdo_parse_params() and potential server crashes. Connected advisories confi...

CVSS 8.2, AI score 6.5, EPSS 0.00056
Exploits 2, References 1, Affected Software 1

GithubExploit
added 2025/10/30 8:7 a.m., 122 views

cafeorder_vuln_SQL

cafeorder_vuln_SQL Proof-of-Concept and Advisory for Simple Ca...

AI score 8.2
Exploits 0

CNVD
added 2025/10/15 12:0 a.m., 3 views

WordPress Community Events plugin SQL Injection Vulnerability

The WordPress Community Events plugin is a plugin that allows users to publish event information independently through a website form, while administrators can retain the right to final review of calendar content. WordPress Community Events plugin suffers from a SQL injection vulnerability that...

CVSS 9.8, AI score 7.7, EPSS 0.0005
Exploits 0, References 1

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2013-3738

Malware in sbrugna...

CVSS 4, AI score 4.6, EPSS 0.0064
Exploits 0, References 9

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-1749

Malicious code in bioql PyPI...

CVSS 9.8, AI score 9.3, EPSS 0.00396
Exploits 0, References 7

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2023-34934

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.6, EPSS 0.01358
Exploits 1, References 1

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-34939

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.6, EPSS 0.01358
Exploits 1, References 1

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2023-34984

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.6, EPSS 0.01146
Exploits 1, References 2

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2025-28242

Malicious code in bioql PyPI...

CVSS 5.4, AI score 6.5, EPSS 0.00139
Exploits 0, References 1