CVE-2026-41889 pgx: SQL Injection via placeholder confusion with dollar quoted string literals

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a...

CVE-2026-41889

CVE-2026-41889 affects the pgx PostgreSQL driver for Go. Before version 5.9.2, using the non-default simple protocol with a dollar-quoted string containing text that can be interpreted as a placeholder outside of a string literal allows SQL injection when the placeholder value is attacker-control...

CVE-Disclosures

🛡️ CVE Disclosures 🛡️ Welcome to my CVE disclosures repositor...

CVE-2026-37431

Beauty Parlour Management System v1.1 was discovered to contain a SQL injection vulnerability via the aptnumber parameter in the /appointment-detail.php endpoint. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement...

CVE-2026-44337

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names...

CVE-2026-44337

PraisionAI across versions 2.4.1–4.6.34 exposes optional SQL/CQL-backed knowledge-store backends that derive table and index identifiers from unvalidated collection names. This can enable SQL/CQL injection when applications pass untrusted collection names into these backends. The issue is fixed i...

CVE-2026-41496 PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase,...

CVE-2026-41496

CVE-2026-41496 affects PraisonAI’s multi‑agent system where 9 conversation backends (MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB) pass table_prefix directly into SQL, enabling unvalidated injection points (52 total). Root cause mirrors CVE-2026-40315 ...

EUVD-2026-28532

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks...

CVE-2026-4935

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks...

picoctf-irish-name-repo-2

picoCTF — Irish-Name-Repo 2 | Field | Details...

EUVD-2024-31033

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page...

EUVD-2024-31432

SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut...

EUVD-2026-28520

A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the publ...

EUVD-2026-28521

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txtusername causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be...

EUVD-2026-28518

A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly...

CVE-2024-33288

Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page...

vulnerability-lab

🔐 Vulnerability Lab Buffer Overflow + SQLi ⚠️ FOR EDUCATI...

CVE-2026-4935

CVE-2026-4935 affects the OttoKit: All-in-One Automation Platform WordPress plugin, exposed prior to version 1.1.23. The root cause is improper sanitization of user input used in SQL statements, enabling unauthenticated SQL injection. The CVSS‑3.1 vector is Network, Low complexity, No privileges,...

CVE-2026-4935

The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks...