PT-2026-37210

Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.3.4 Description SQL Injection occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. This allows attackers to inject...

PT-2026-37237

Name of the Vulnerable Software and Affected Versions Masa CMS versions 7.2.0 through 7.2.9 Masa CMS versions 7.3.0 through 7.3.14 Masa CMS versions 7.4.0 through 7.4.9 Masa CMS versions 7.5.0 through 7.5.2 Description The unauthenticated JSON API accepts an altTable parameter that is stored via...

CVE-2026-38428

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the...

PT-2026-36993

Name of the Vulnerable Software and Affected Versions The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder versions prior to 1.15.43 Description Insufficient escaping of user-supplied parameters and a lack of proper preparation in SQL queries allow unauthenticated attackers ...

PT-2026-37236

Name of the Vulnerable Software and Affected Versions Masa CMS versions 7.2.0 through 7.2.9 Masa CMS versions 7.3.0 through 7.3.14 Masa CMS versions 7.4.0 through 7.4.9 Masa CMS versions 7.5.0 through 7.5.2 Description A SQL injection issue exists in the beanFeed.cfc component within the getQuery...

PT-2026-36980

Name of the Vulnerable Software and Affected Versions WebinarIgnition versions prior to 4.08.253 Description WebinarIgnition contains an issue where improper neutralization of special elements used in an SQL command allows for Blind SQL Injection. Blind SQL Injection is a technique where an...

WordPress plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVE-2026-7783

A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possibl...

CVE-2026-7783

CodeCanyon Perfex CRM up to v3.4.1 has a SQL injection in AbstractKanban::applySortQuery (Admin Kanban Endpoint: application/services/AbstractKanban.php). Attackers can remotely trigger via the affected function argument manipulation. The exploit has been published and may be used. Affected compo...

CVE-2026-7697

A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhandsubmit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly...

CVE-2026-7699

A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The...

CVE-2026-7612

A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edituser.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may ...

CVE-2026-7410

A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=addtocart. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to...

CVE-2026-7632

A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly...

CVE-2026-7549

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=deletecustomer. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been...

CVE-2026-6457

The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geomashupnullfields' parameter in all versions up to, and including, 1.13.19 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

CVE-2026-7435

SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute...

CVE-2026-7649

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied paramete...

CVE-2026-7489

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents...

CVE-2026-4060

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The escsql functi...