
29 matches found

CVE
added 2026/05/01 12:0 a.m., 2 views

CVE-2026-37505

Vulnerability summary: CVE-2026-37505 affects V2Board up to 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column, including...

CVSS 4.9, AI score 5.9, EPSS 0.00035
Exploits 0, References 2, Affected Software 1
EUVD
added 2026/02/27 6:31 a.m., 4 views

EUVD-2026-8996

A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the component App-side Product Pagination Endpoint. Performing a manipulation of t...

CVSS 6.5, AI score 5.2, EPSS 0.00013
Exploits 1, References 5
Github Security Blog
added 2026/02/25 7:28 p.m., 5 views

Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting

Summary This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validate...

CVSS 8.8, AI score 6.2, EPSS 0.0005
Exploits 0, References 6, Affected Software 1
CVE
added 2026/02/24 6:39 p.m., 7 views

CVE-2026-3105

CVE-2026-3105 — Mautic is affected by a SQL injection vulnerability in the API endpoint that retrieves Contact Activity data. The root cause is improper validation of the sort direction parameter in the query construction for the Contact Activity timeline, allowing an authenticated user to inject...

CVSS 8.8, AI score 6.1, EPSS 0.0005
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2026/02/06 1:25 a.m., 3 views

CVE-2026-25513

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.8, AI score 5.9, EPSS 0.00025
Exploits 3, References 1
NVD
added 2026/02/04 8:16 p.m., 2 views

CVE-2026-25513

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.8, EPSS 0.00025
Exploits 3, References 2
EUVD
added 2026/02/04 7:59 p.m., 2 views

EUVD-2026-5359

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3, AI score 6, EPSS 0.00025
Exploits 3, References 2
CVE
added 2026/02/04 7:59 p.m., 9 views

CVE-2026-25513

CVE-2026-25513 – FacturaScripts SQL Injection in API ORDER BY . The issue exists in FacturaScripts prior to version 2025.81, where the REST API sorts results using user-supplied values in ModelClass::getOrderBy(), directly concatenating them into the ORDER BY clause. This allows authenticated API...

CVSS 8.8, AI score 6, EPSS 0.00025
Exploits 3, References 2, Affected Software 1
Snyk
added 2026/02/03 10:55 p.m., 4 views

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection via the sorting parameter. An attacker can execute arbitrary code and insert malicious database content by manipulating crafted URLs. Remediation: Upgrade oxid-esales/oxideshop-ce to version 6.3.4 or higher. References: -...

CVSS 8.8, AI score 6.3, EPSS 0.00023
Exploits 0, References 2
NVD
added 2026/02/03 10:16 p.m., 3 views

CVE-2019-25260

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, EPSS 0.00023
Exploits 0, References 7
ATTACKERKB
added 2026/02/03 10:1 p.m., 3 views

CVE-2019-25260

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, AI score 6.2, EPSS 0.00023
Exploits 0, References 7
CVE
added 2026/02/03 10:1 p.m., 7 views

CVE-2019-25260

OXID eShop 6.x prior to 6.3.4 is affected by a SQL injection in the sorting parameter, which can allow an attacker to alter the database content and, per the sources, execute arbitrary code via crafted URLs. The issue is confirmed across CVE-2019-25260 entries and corroborated by Snyk and CVE rec...

CVSS 8.8, AI score 6.2, EPSS 0.00023
Exploits 0, References 7
Vulnrichment
added 2026/02/03 10:1 p.m., 1 view

CVE-2019-25260 OXID eShop 6.3.4 - 'sorting' SQL Injection

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, AI score 6.2, EPSS 0.00023
Exploits 0, References 7
EUVD
added 2026/02/03 10:1 p.m., 2 views

EUVD-2019-19383

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, AI score 6.2, EPSS 0.00023
Exploits 0, References 7
Cvelist
added 2026/02/03 10:1 p.m., 19 views

CVE-2019-25260 OXID eShop 6.3.4 - 'sorting' SQL Injection

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, EPSS 0.00023
Exploits 0, References 7
CNNVD
added 2026/02/03 12:0 a.m., 2 views

OXID eShop SQL injection vulnerability

OXID eShop is an online e-commerce platform provided by the German company OXID. Versions of OXID eShop prior to 6.3.4 had a SQL injection vulnerability. This vulnerability stemmed from the sorting parameter, which was vulnerable to SQL injection attacks, potentially allowing for the execution of...

CVSS 8.8, AI score 6.1, EPSS 0.00023
Exploits 0, References 9
Positive Technologies
added 2026/02/03 12:0 a.m., 1 view

PT-2026-5797

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute...

CVSS 8.8, AI score 6.3, EPSS 0.00023
Exploits 0, References 8
Positive Technologies
added 2026/02/03 12:0 a.m., 2 views

PT-2026-6305

Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2025.81. Description: FacturaScripts, an open-source enterprise resource planning and accounting software, contains a critical SQL injection issue in its REST API. Authenticated API users can execute arbitrary SQ...

CVSS 8.3, AI score 6, EPSS 0.00025
Exploits 3, References 9
RedhatCVE
added 2025/05/23 5:32 a.m., 2 views

CVE-2023-22378

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application. Authenticated users may be able to extract arbitrary...

CVSS 8.8, AI score 8, EPSS 0.00214
Exploits 0, References 1
CNNVD
added 2025/04/06 12:0 a.m., 1 view

company-financial-management injection vulnerability

company-financial-management is a company financial management system by the individual developer KenjFrog. An injection vulnerability exists in company-financial-management version 1.0, which stems from an incorrect operation of the parameter sort that can lead to SQL injection...

CVSS 6.5, AI score 7.1, EPSS 0.00081
Exploits 1, References 4