CVE-2026-4317

SQL inyection SQLi vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

CVE-2026-34220 MikroORM is vulnerable to SQL Injection via specially crafted object

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6....

CVE-2026-4317

SQL inyection SQLi vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

CVE-2026-4317 SQL inyection in Umami Software application

SQL inyection SQLi vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

CVE-2026-4317

SQL inyection SQLi vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

MikroORM SQL注入漏洞

MikroORM is an open-source framework from MikroORM that supports type-safe object-relational mapping for multiple databases. Versions of MikroORM prior to 6.6.10 and 7.0.6 contained a SQL injection vulnerability. This vulnerability arises from the interpretation of specially crafted objects as ra...

GHSA-PCWC-3FW3-8CQV WeKnora vulnerable to SQL Injection

Summary After WeKnora enables its Agent service, it allows users to call database query tools. Due to lax code backend verification, attackers can use prompts to bypass query restrictions and obtain sensitive information from the target server and database. Details Source - File:...

WeKnora vulnerable to SQL Injection

Summary After WeKnora enables its Agent service, it allows users to call database query tools. Due to lax code backend verification, attackers can use prompts to bypass query restrictions and obtain sensitive information from the target server and database. Details Source - File:...

Vvveb SQL注入漏洞

Vvveb is a powerful and easy-to-use CMS from Givan Individual Developers for building websites, blogs or e-commerce stores. A SQL injection vulnerability exists in Vvveb 1.0.7.3 and earlier versions, which stems from a SQL injection vulnerability in the Import function of the Raw SQL Handler...

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...

GHSA-X574-M823-4X7W Vite bypasses server.fs.deny when using ?raw??

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or...

Incorrect Authorization

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Incorrect Authorization due to missing checks in transformMiddleware which ignore certain query parameters. An attacker can access unauthorized files by including a ?raw?? ...

CVE-2024-4890

The CVE-2024-4890 entry applies to the berriai/litellm project. A blind SQL injection exists in the /team/update flow due to improper handling of the user_id parameter in the raw SQL used to delete users, with affected version 1.27.14. Exploitation could yield unauthorized access to sensitive dat...

BIT-GOLANG-2022-2880 Incorrect sanitization of forwarded query parameters in net/http/httputil

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...

PT-2022-15928 · Xmpie · Xmpie Ustore

Name of the Vulnerable Software and Affected Versions: XMPie uStore version 12.3.7244.0 Description: The issue allows administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application...