CVE-2026-53474 Migration-planner: second-order sql injection via rvtools upload

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

EUVD-2026-36030

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

CVE-2026-53474

Migration-planner is affected by a second-order SQL injection via uploads of RVTools .xlsx files. The flaw arises from improper input sanitization and causes malicious SQL embedded in a spreadsheet cell to execute when cluster names are processed, enabling arbitrary file reading on the host (pote...

CVE-2026-53474

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

CVE-2026-52758 Ghidra < 12.1 - SQL Injection via Unescaped Filter Values in BSim Search

Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the...

EUVD-2026-36007

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in...

CVE-2026-49498

Ghidra 11.0 before 12.1 is affected by a SQL injection in PostgresFunctionDatabase.changePassword(), which fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can craft username parameters in PasswordChange network messages to inject SQL com...

Exploit for SQL Injection in Glpi-Project Glpi

CVE-2023-36808 - GLPI Unauthenticated SQL Injection Vulner...

WordPress WCMultiShipping plugin <= 3.0.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by ParkHyunWoo in WordPress Plugin WCMultiShipping versions = 3.0.2...

CVE-2026-10731

SQL injection in the ‘twostepsauthcode’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queri...

CVE-2026-3018 Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2026-3018 Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2026-3018

The WordPress Newsletters plugin (versions

CVE-2026-3326

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

CVE-2026-3326 XStore < 9.7.3 - Unauthenticated SQLi

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

CVE-2026-3326

The CVE-2026-3326 entry concerns the XStore WordPress theme (versions before 9.7.3). An unsanitised/Unescaped parameter is used in a SQL statement via an AJAX action that is accessible to unauthenticated users, leading to a SQL injection. This is described across multiple sources in the connected...

CVE-2026-44744

SAP S/4HANAOn-Premise contains SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries.This flaw exposes sensitive information to which they should not otherwise have access...

VulnCheck KEV: CVE-2026-3018

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

Migration Planner UI SQL注入漏洞

The Migration Planner UI is an open-source migration planning front-end tool developed by KubeV2V. The Migration Planner UI has a SQL injection vulnerability. This vulnerability arises when a remotely authenticated attacker uploads a specially crafted RVTools .xlsx file. Due to improper input...

PT-2026-48398

Name of the Vulnerable Software and Affected Versions Newsletters plugin for WordPress versions prior to 4.14 Description The plugin is susceptible to time-based SQL Injection, a technique where an attacker sends queries that force the database to wait a specific amount of time before responding,...