216712 matches found
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-5368
A vulnerability was determined in projectworlds Car Rental Project 1.0. The affected element is an unknown function of the file /login.php of the component Parameter Handler. This manipulation of the argument uname causes sql injection. Remote exploitation of the attack is possible. The exploit h...
CVE-2026-34934
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the getalluserthreads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via updatethread. When the application loads the thread list, t...
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-34612 Kestra: Remote Code Execution via SQL Injection
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
EUVD-2026-18903
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2026-34612
Kestra (open-source event-driven orchestration platform) prior to version 1.3.7 contains a SQL Injection that enables Remote Code Execution via the GET /api/v1/main/flows/search endpoint. After authentication, a crafted link can trigger payload execution by PostgreSQL using COPY ... TO PROGRAM .....
CVE-2026-34788 Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters
Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tagmodel.php at line 168. The updateTagName function directly interpolates user input into the SQL query string without using parameterized queries or proper escapin...
CVE-2026-27834
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...
GHSA-MMM5-3G4X-QW39 OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
Description Six confrontarighe.php files across different modules in OpenSTAManager fetchArray 'SELECT mgarticolilang.title, mgarticoli.codice, inrigheinterventi. FROM inrigheinterventi INNER JOIN...
CVE-2026-27885 Piwigo: SQL Injection in Activity.getList
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including...
CVE-2026-27885
CVE-2026-27885 affects Piwigo prior to version 16.3.0. A SQL injection vulnerability exists in the Activity.getList/API endpoint, exploitable by an authenticated administrator which can lead to leakage of sensitive data (user credentials, email addresses, and all stored content). The root cause i...
CVE-2026-27834 Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...
CVE-2026-27834
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...
CVE-2026-27834
CVE-2026-27834 affects Piwigo prior to 16.3.0, where the pwg.users.getList Web Service API method is vulnerable to SQL Injection. The filter parameter is directly concatenated into a SQL query without proper sanitization, enabling authenticated administrators to execute arbitrary SQL commands. Th...
CVE-2026-27834 Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...
EUVD-2026-18872
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...
CVE-2026-27634
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters fmindateavailable, fmaxdateavailable, fmindatecreated, fmaxdatecreated in wsstdimagesqlfilter are concatenated directly into SQL without any escaping or type validation. This...
CVE-2026-27634
CVE-2026-27634 affects Piwigo prior to 16.3.0, where four date-filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated into SQL without escaping or type validation. This allows a pre-auth SQL injection th...
CVE-2026-27634 Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters fmindateavailable, fmaxdateavailable, fmindatecreated, fmaxdatecreated in wsstdimagesqlfilter are concatenated directly into SQL without any escaping or type validation. This...