CVE-2026-6674

The CVE refers to the WordPress plugin “Plugin: CMS für Motorrad Werkstätten”, affected through all versions up to and including 1.0.0. The root cause is insufficient escaping of the user-supplied arthtype parameter and lack of proper SQL query preparation, resulting in SQL Injection. The impact ...

CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

CVE-2026-39946

OpenBao (open source identity-based secrets manager) before version 2.5.3 is affected. When revoking privileges on a role within the PostgreSQL database secrets engine, OpenBao could fail to properly quote schema names provided by PostgreSQL, potentially leading to role revocation failures and, m...

CVE-2026-39946 OpenBao allows SQL Injection in PostgreSQL database secrets engine

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

CVE-2026-39946

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation...

JLSEC-2026-174

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping...

PT-2026-34066

Name of the Vulnerable Software and Affected Versions Genesys Latitude version 25.1.0.420 Description An issue exists where unsanitized user-supplied input is concatenated directly into SQL statements. This allows an authenticated attacker to execute arbitrary SQL queries against the backend...

PT-2026-33884

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.3 Description OpenBao is an open source identity-based secrets management system. In the PostgreSQL database secrets engine, the system fails to use proper database quoting on schema names provided by PostgreSQL...

Zeon Academy Pro SQL注入漏洞

Zeon Academy Pro is an online learning and training management platform developed by the Indian company Zeon. Zeon Academy Pro has a SQL injection vulnerability. This vulnerability stems from the parameter “phonenumber” in the file /private/continue-upload.php, which allows attackers to retrieve,...

PT-2026-33913

The Plugin: CMS für Motorrad Werkstätten plugin for WordPress is vulnerable to SQL Injection via the 'arttype' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

Electric SQL注入漏洞

Electric is an open-source Postgres real-time data synchronization engine developed by Electric. Versions of Electric from 1.1.12 to 1.5.0 contained a SQL injection vulnerability. This vulnerability stemmed from the orderby parameter in the /v1/shape API, which allowed incorrect SQL injections...

PT-2026-34064

Frappe HR is an open-source human resources management solution HRMS. Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and...

PT-2026-33991

SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'...

Vendure SQL注入漏洞

Vendure is an open-source e-commerce framework developed by Vendure. Versions of Vendure from 1.7.4 to 2.3.4, as well as versions before 3.5.7 and 3.6.2, have a SQL injection vulnerability. This vulnerability arises from the fact that user-controlled query string parameters in the Shop API are...

CVE-2025-70420

A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements...

PT-2026-33983

Name of the Vulnerable Software and Affected Versions Custom css-js-php versions prior to 2.0.8 Description The plugin fails to properly sanitize user input before incorporating it into a SQL query. The resulting output is then passed to the eval function, which enables unauthenticated users to...

CVE-2026-6488

A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be...

CVE-2026-6562

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is the function getListByPage of the file /index/Search/index.html. Executing a manipulation of the argument keyword can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be use...

CVE-2026-33207

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query string...

CVE-2026-40285

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpfusuario POST parameter overwrites the session-stored user identity via extract$REQUEST in DespachoControle::verificarDespacho, and the...