CVE-2026-38428

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...

CVE-2026-3330

The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ipsearch', 'startdate', 'enddate', 'usernamesearch', and 'useremailsearch' parameters in all versions up to, and including, 1.15.40. This is due to the WDWFMLibrary::validatedata method calling stripslashes on us...

WWBN AVideo SQL注入漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 26.0 contained a SQL injection vulnerability. This vulnerability stemmed from the direct concatenation of SQL queries within the onpublish.php callback function, which coul...

CVE-2025-10692 OpenSupports 4.11.0 — SQL Injection

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user level ≥ 1 can inject SQL to alter the filter logic, effectively bypassing department scoping...

PT-2023-19177 · Joomla · Visforms Base Package For Joomla

Name of the Vulnerable Software and Affected Versions: Visforms Base Package for Joomla 3 affected versions not specified Description: The issue allows an attacker to interact with the database, potentially enabling them to read, modify, and delete data, due to the use of concatenation in...

Cross site request forgery (csrf)

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cgFields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive...