CVE-2026-8705

The CVE describes a SQL injection in the ClearSale Total WordPress plugin (versions <= 3.4.2). The vulnerability occurs via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action, which is accessible to unauthenticated users (wp_ajax_nopriv_clearsale_total_push). Although...

CVE-2026-47384

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific...

CVE-2026-47384

CVE-2026-47384 – NocoDB SQL Injection via Column Title in Bulk GroupBy : An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column title to a SQL fragment. The vulnerable code path builds three database-specific knex.raw() aggregations t...

CVE-2026-44792

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator...

CVE-2026-34915

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the...

CVE-2026-52673

SQL Injection vulnerability in Cboard v.0.4.2 and before allows a remote attacker to execute arbitrary code via the getDimensionsValues component...

CVE-2026-34914

This CVE is confirmed: Revive Adserver

CVE-2026-34915

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the...

CVE-2026-44792

n8n has a Source Control Pull SQL Injection vulnerability (CVE-2026-44792) in versions prior to 1.123.43, 2.20.7, and 2.22.1. An attacker with write access to the git repository used by the Source Control feature can commit a crafted Data Table JSON file containing a malicious column name. When a...

EUVD-2026-38486

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator...

CVE-2026-44792 n8n: Source Control Pull SQL Injection

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator...

CVE-2026-44172

A flaw was found in MariaDB server. An application processing non-validated user input, which then uses mysqlrealescapestring and sends data to the database via text protocol with the big5 character set, is vulnerable to SQL injection. This allows a remote attacker to execute malicious SQL...

CVE-2026-8163

The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above...

CVE-2026-7842

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

CVE-2026-7842

The CVE concerns the Infility Global WordPress plugin for WordPress (before 2.15.20). In admin callbacks import_list(), url_detail(), and file_detail(), the plugin does not sanitize or validate the orderby and order parameters before using them in SQL queries, enabling time-based blind SQL inject...

EUVD-2026-38416

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

CVE-2026-7842 Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

74cms - ajax_street.php 'x' SQL Injection

SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajaxstreet.php. id: CVE-2020-22208 info: name: 74cms - ajaxstreet.php 'x' SQL Injection author: ritikchaddha severity: critical description: | SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajaxstreet.php. impact: | Successful...

Youzify < 1.2.0 - Unauthenticated SQLi

The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection id: CVE-2022-1950 info: name: Youzify 1.2.0 - Unauthenticated SQLi author:...

wpDiscuz <= 5.3.5 - SQL Injection

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. id: CVE-2020-13640 info: name: wpDiscuz = 5.3.5 - SQL Injection author: Sourabh-Sahu severity:...