2812 matches found
NocoBase - SQL Injection
NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...
EUVD-2026-41822
Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents...
EUVD-2026-41786
A vulnerability was found in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /payment.php. The manipulation of the argument patientid results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used...
CVE-2026-14764 code-projects Hotel and Tourism Reservation Event Management add_event.php sql injection
A vulnerability has been found in code-projects Hotel and Tourism Reservation 1.0. This impacts an unknown function of the file /admin/addevent.php of the component Event Management Page. Such manipulation of the argument fdetails leads to sql injection. The attack can be launched remotely. The...
CVE-2026-14754
A flaw has been found in code-projects Hotel and Tourism Reservation 1.0. Affected is an unknown function of the file /admin/addroom.php. Executing a manipulation of the argument deleteimage/edit/description/number/price/rooms/type can lead to sql injection. The attack can be launched remotely. T...
CVE-2026-14731 itsourcecode Hospital Management System patientreport.php sql injection
A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown part of the file /patientreport.php. Executing a manipulation of the argument editid can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the...
CVE-2026-14653
SourceCodester Simple and Nice Shopping Cart Script 1.0 contains an SQL injection in /admin/mensproductdeletequery.php exposed by manipulating the user_id argument. The vulnerability is remotely exploitable (attack vector: NETWORK) with LOW to MEDIUM impacts per CVSS data: Confidentiality, Integr...
CVE-2026-14641
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /editcourse.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit h...
CVE-2026-14640
CVE-2026-14640 describes a SQL injection in CodeAstro Apartment Visitor Management System 1.0. The vulnerability is in the Login component, specifically an unknown function in /index.php, where manipulating the Username argument can lead to remote exploitation. The exploit is publicly available a...
EUVD-2026-41399
A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device...
EUVD-2026-41102
Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection. This issue affects Mediawiki - Cargo Extension: from before 1.43.9,1.44.6,1.45.4...
CVE-2026-34105
CVE-2026-34105 — Guardian Language-System : The vulnerability is in translate_text.php where the id GET parameter is directly interpolated into an unsanitized SQL query: SELECT id, filename, extension, type FROM files where id = '".$_GET['id']."'. This enables an error-based SQL injection, allowi...
EUVD-2026-40263
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks...
CVE-2026-40522
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...
PT-2026-53759
Summary The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL Dgraph Query Language injection. User-supplied password values are interpolated directly into a DQL checkpwd query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a...
CVE-2026-56067
Unauthenticated SQL Injection in JetSmartFilters = 3.8.3 versions...
CVE-2026-57643 WordPress WP Post Author plugin <= 3.9.1 - SQL Injection vulnerability
Contributor SQL Injection in WP Post Author = 3.9.1 versions...
CVE-2026-57631
CVE-2026-57631 affects the WordPress Popup box plugin (versions
WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Rafie Muhammad in WordPress Plugin JetEngine versions = 3.8.10.2...
CVE-2026-54836 WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5...