
16 matches found

NVD, added 2026/05/12 3:16 p.m., 4 views
CVE-2026-43937
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and...
CVSS 8.8 | EPSS 0.00029
Exploits: 0 | References: 1

CVE, added 2026/05/12 2:0 p.m., 4 views
CVE-2026-43937
Summary: CVE-2026-43937 affects YetAnotherForum.NET (YAF.NET) prior to 4.0.5. An admin handler (OnPost… in /Admin/RunSql) can bypass authorization due to PageSecurityCheckAttribute executing after the handler, allowing arbitrary SQL execution via IDbAccess.RunSql when a low-privileged user posts ...
CVSS 8.8 | AI score 6.1 | EPSS 0.00029
Exploits: 0 | References: 1

RedhatCVE, added 2026/03/26 3:6 p.m., 1 view
CVE-2026-4231
A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. Th...
CVSS 7.5 | AI score 6.6 | EPSS 0.00057
Exploits: 0 | References: 1

Vulnrichment, added 2026/03/16 9:2 a.m., 1 view
CVE-2026-4231 vanna-ai vanna Endpoint __init__.py run_sql server-side request forgery
A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. Th...
CVSS 7.5 | AI score 5.3 | EPSS 0.00057
Exploits: 0 | References: 4

Cvelist, added 2026/03/16 9:2 a.m., 25 views
CVE-2026-4231 vanna-ai vanna Endpoint __init__.py run_sql server-side request forgery
A vulnerability was found in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack may be initiated remotely. Th...
CVSS 7.5 | EPSS 0.00057
Exploits: 0 | References: 4

ATTACKERKB, added 2026/01/21 5:27 p.m., 3 views
CVE-2021-47748
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...
CVSS 9.8 | AI score 6.9 | EPSS 0.00256
Exploits: 1 | References: 3 | Affected Software: 1

EUVD, added 2025/10/03 8:7 p.m., 2 views
EUVD-2025-28990
Malicious code in bioql PyPI...
CVSS 6.5 | AI score 6.3 | EPSS 0.00077
Exploits: 1 | References: 1

NVD, added 2025/09/11 7:15 p.m., 3 views
CVE-2025-56556
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges in the context of the SQL query tool...
CVSS 3.8 | EPSS 0.00077
Exploits: 1 | References: 1

Cvelist, added 2025/09/11 12:0 a.m., 5 views
CVE-2025-56556
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges in the context of the SQL query tool...
EPSS 0.00077
Exploits: 1 | References: 1

Vulnrichment, added 2025/09/11 12:0 a.m., 1 view
CVE-2025-56556
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges in the context of the SQL query tool...
AI score 7.2 | EPSS 0.00077
Exploits: 1 | References: 1

CVE, added 2025/09/11 12:0 a.m., 12 views
CVE-2025-56556
Subrion CMS 4.2.1 is affected. The issue arises from the Run SQL Query tool in the SQL Tool admin panel, where authenticated administrators or moderators can gain escalated privileges due to insufficient privilege checks in the SQL query context. The vulnerability affects the Run SQL Query functi...
CVSS 3.8 | AI score 7.2 | EPSS 0.00077
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist, added 2025/09/10 12:0 a.m., 5 views
CVE-2025-56407
A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to SQL injection. The attack can be initiated remotely. The exploit has been...
EPSS 0.00054
Exploits: 0 | References: 2

CVE, added 2025/09/10 12:0 a.m., 11 views
CVE-2025-56407
The CVE-2025-56407 entry affects HuangDou UTCMS V9, specifically the RunSql function in app/modules/ut-data/admin/mysql.php. The root cause is manipulation of the sql argument that enables SQL injection, with remote exploitation and publicly disclosed exploit capabilities. Public sources consiste...
CVSS 8.8 | AI score 6.8 | EPSS 0.00054
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment, added 2025/09/10 12:0 a.m., 1 view
CVE-2025-56407
A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to SQL injection. The attack can be initiated remotely. The exploit has been...
AI score 6.8 | EPSS 0.00054
Exploits: 0 | References: 2

NVD, added 2025/08/08 6:15 p.m., 2 views
CVE-2025-52914
A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 10.0.1.101 could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQ...
CVSS 8.8 | EPSS 0.0009
Exploits: 1 | References: 2

Snyk, added 2025/03/20 10:49 a.m., 2 views
Cross-site Request Forgery (CSRF)
Overview: vanna generates SQL queries from natural language. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the runsql function, accessible via the /api/v0/runsql endpoint. An attacker can alter or delete but not read data by sending requests that include...
CVSS 6.9 | AI score 7.5 | EPSS 0.00099
Exploits: 0 | References: 2