CVE-2018-25394 Kados R10 GreenBee SQL Injection via update_release.php
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the releaseid parameter of boardsbuttons/updaterelease.php. The releaseid value is concatenated directly into SQL statements withou...
CVE-2018-25392
MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability exploitable by authenticated users through the log_activity function. The flaw occurs in /index.php/user/log_activity where parameters nomor, user, and jenis can be tainted with arbitrary SQL. Successful exploitation can enumerate...
CVE-2026-45582 n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry...
CVE-2026-44238 FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports
FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges ar...
CVE-2026-10078
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...
Improper Neutralization of Special Elements in Data Query Logic
Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the EntitySearchUtil::addSearchClause function in the autocomplete endpoint. The endpoint constructs an SQL query with a LIKE expression without escaping the SQL LIKE wildcar...
CVE-2026-10078
The CVE-2026-10078 entry concerns Quay config-tool’s GitLab OAuth validator. The vulnerability causes client_id and client_secret to be sent in plaintext via URL query parameters during POST requests to the GitLab endpoint, enabling potential exposure of credentials in logs (server access logs, r...
CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...
CVE-2026-4776
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
EUVD-2026-33259
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...
CVE-2026-10039
The CVE-2026-10039 entry concerns the WordPress plugin Frontend Admin by DynamiApps. Affected versions up to and including 3.28.28 are vulnerable to a generic SQL Injection via the 'order' parameter due to insufficient escaping of user input and inadequate preparation of the existing SQL query. A...
EUVD-2026-33256
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
CVE-2026-4776
An SQL injection in Mautic’s API contact filtering was reported. The flaw arises from insufficient recursive sanitization of nested query parameters, allowing an authenticated API user to bypass input filtering and inject arbitrary SQL commands. Documents do not specify affected versions, exact v...
CVE-2026-41075
A flaw was found in RT, an open-source issue and ticket tracking system. An authenticated user can exploit an SQL injection vulnerability by crafting malicious input. This input is then incorporated into database queries without proper validation, potentially allowing the attacker to read or modi...
CVE-2026-9493
CVE-2026-9493 concerns BankPro E-Service Technology’s Service Center, which contains an Insecure Direct Object Reference vulnerability. Authenticated remote attackers can alter a parameter in a specific query function to access other users’ EC order details. The issue exposes sensitive confidenti...
MGASA-2026-0163 Updated bind packages fix security vulnerabilities
Updated bind package fixes security vulnerabilities: BIND 9 server memory exhaustion during GSS-API TKEY negotiation (CVE-2026-3039); amplification vulnerabilities via self-pointed glue records (CVE-2026-3592); heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation (CVE-2026-3593)...
PT-2026-44868
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and...