Lucene search
K

26058 matches found

Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.12 views

PT-2026-49302

Name of the Vulnerable Software and Affected Versions Vector versions prior to 0.55.0 Description The ClickHouse sink contains a SQL/identifier injection flaw. The software escaped the table identifier but interpolated the database value raw into the INSERT statement, allowing a crafted database...

9.8CVSS5.4AI score0.00321EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.11 views

PT-2026-49210

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...

8.8CVSS6.1AI score0.0027EPSS
Exploits0References5
CVE
CVE
added 2026/06/15 12:0 a.m.9 views

CVE-2026-36670

CVE-2026-36670: Time-based blind SQL injection in the OpenSIPS Control Panel (opensips-cp) alias_management module before version 9.3.3. Authenticated attackers can leverage the table parameter in alias_management.php to execute arbitrary SQL. Connected sources confirm the affected component is O...

8.8CVSS6.3AI score0.00361EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.11 views

PT-2026-49532

Name of the Vulnerable Software and Affected Versions elixir-grpc versions 0.8.0 through 0.9.x Description Authenticated attackers can access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. This occurs in...

7.6CVSS5.3AI score0.00273EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.11 views

PT-2026-49523

Subscriber SQL Injection in WCMultiShipping = 3.0.2 versions...

8.5CVSS5.7AI score0.0037EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.17 views

PT-2026-49225

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate quote invoice an...

7.1CVSS5.7AI score0.00226EPSS
Exploits0References5
CVE
CVE
added 2026/06/15 12:0 a.m.13 views

CVE-2026-39196

Datadog Vector v0.54.0 contains a SQL injection in the set_uri_query parameter of KeyPartitioner::partition. The vulnerability could allow an attacker to access sensitive database information via crafted SQL statements. Affected component: Vector’s data routing/partition logic (KeyPartitioner::pa...

9.8CVSS5.7AI score0.00321EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.12 views

PT-2026-49415

Unauthenticated SQL Injection in Contest Gallery = 28.1.6 versions...

9.3CVSS5.7AI score0.00283EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.13 views

PT-2026-49390

Unauthenticated SQL Injection in GeoDirectory = 2.8.152 versions...

9.3CVSS5.7AI score0.00283EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/13 10:45 p.m.7 views

CVE-2026-12175 CodeAstro Student Attendance Management System createStudents.php sql injection

A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is...

5.8CVSS5.1AI score0.00214EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/13 4:34 p.m.31 views

CVE-2026-6428

SQL Injection in reports/catalogueout.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary da...

7.6CVSS0.00244EPSS
Exploits0References3
OSV
OSV
added 2026/06/13 8:45 a.m.9 views

BIT-MONGODB-2026-9751 Sensitive data could be written to mongod.log

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

6.8CVSS5.2AI score0.00109EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/13 2:29 a.m.30 views

CVE-2026-9848 WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter

The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter s in versions up to, and including, 6.0.4 The plugin hooks WordPress's postsrequest filter with wpticketcompostsrequest, which calls emdauthorsearchresults when the current request is an...

7.5CVSS0.0051EPSS
Exploits0References7
Fedora
Fedora
added 2026/06/13 1:13 a.m.23 views

[SECURITY] Fedora 44 Update: vmod-querystring-2.0.3-13.fc44

The purpose of this module is to give you a fine-grained control over a URL's query-string in Varnish Cache. It's possible to remove the query-string, clean it, sort its parameters or filter it to only keep a subset of them. This can greatly improve your hit ratio and efficiency with Varnish,...

5.3AI score
Exploits0
NVD
NVD
added 2026/06/12 9:16 p.m.12 views

CVE-2026-54362

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or...

5.3CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 9:15 p.m.17 views

CVE-2026-12131

CVE-2026-12131 affects CodeAstro Human Resource Management System 1.0, specifically the Payroll Invoice Module. The vulnerability exists in the Invoice function of the file \application\controllers\Payroll.php, where manipulation of the argument ID leads to SQL injection. Exploitation is possible...

6.5CVSS6.5AI score0.0025EPSS
Exploits0References6
CVE
CVE
added 2026/06/12 8:7 p.m.23 views

CVE-2026-54057

Kitty (cross-platform GPU-based terminal) is affected in versions prior to 0.47.3. The issue arises in the OSC 21 (color-control) query reply, which may reflect attacker-controlled bytes—including newlines—into the shell input without sanitization. This can enable local command injection or input...

7.8CVSS5.3AI score0.00166EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/12 8:7 p.m.7 views

CVE-2026-54057 Kitty vulnerable to command injection via unsanitized OSC 21 query reply

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

7.3CVSS5.2AI score0.00166EPSS
Exploits1References1
OSV
OSV
added 2026/06/12 7:32 p.m.13 views

GHSA-HWVQ-2W67-RVXP TYPO3 CMS has Broken Access Control in its Form Framework

Problem Backend users with file write permissions were able to upload form definition files with mixed-case extensions e.g., .FORM.YAML to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers ...

7.6CVSS6.1AI score0.00253EPSS
Exploits0References7
NVD
NVD
added 2026/06/12 7:16 p.m.15 views

CVE-2026-53726

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...

6.9CVSS0.00276EPSS
Exploits0References3
Rows per page
Query Builder