CVE-2026-5147

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in sql injection. It is possible to launch the attack remotely. The exploit has been released...

CVE-2026-5147

CVE-2026-5147 affects YunaiV yudao-cloud (up to 2026.01). Affected component: part of the file path /admin-api/system/tenant/get-by-website where manipulating the Website argument yields an SQL injection. Exploitation can be performed remotely and publicly released exploit exists. Severity is ind...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection through the column.go processing in the PostgreSQL and MySQL table schema components. An attacker can tamper with the database table structure and potentially leak data by creating a malicious Table CRD with crafted column...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection through the column.go processing in the PostgreSQL and MySQL table schema components. An attacker can tamper with the database table structure and potentially leak data by creating a malicious Table CRD with crafted column...

CVE-2026-29953

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go...

org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive informatio...

CVE-2026-5034

A flaw has been found in code-projects Accounting System 1.0. Affected by this issue is some unknown functionality of the file /editcostumer.php of the component Parameter Handler. This manipulation of the argument cosid causes sql injection. It is possible to initiate the attack remotely. The...

CVE-2026-5035

A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /viewwork.php of the component Parameter Handler. Such manipulation of the argument enid leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

WordPress JS Help Desk - AI-Powered Support & Ticketing System plugin <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter vulnerability

WordPress JS Help Desk - AI-Powered Support & Ticketing System plugin = 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin JS Help Desk versions = 3.0.4...

tudo-exploits-oswe-prep

tudo-exploits-oswe-prep A project contains all exploits of vul...

CVE-2026-5019

A security vulnerability has been detected in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file all-orders.php of the component Parameter Handler. The manipulation of the argument Status leads to sql injection. The attack may be...

(Pwn2Own) QNAP QHora-322 qvpn_db_mgr username SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of QNAP QHora-322 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the qvpndbmgr module...

CVE-2026-29953

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go...

CVE-2026-33643

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go...

PT-2026-29052

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go...

PT-2026-29112

A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewin costumer.php of the component Parameter Handler. Such manipulation of the argument cos id leads to sql injection. The attack can be launched remotely...

📄 Ghost CMS 6.19.0 SQL Injection

Ghost CMS versions 3.24.0 through 6.19.0 suffer from a remote SQL injection vulnerability via the content API. Exploit Title: Ghost CMS Unauthenticated SQLi via Content API Date: 2026-03-30 Exploit Author: Maksim Rogov Exploit Licence: GPL-3.0 Software Link: https://ghost.org/ Version: Ghost =...

PT-2026-29111

A weakness has been identified in YunaiV yudao-cloud up to 2026.01. This vulnerability affects unknown code of the file /admin-api/system/mail-log/page. This manipulation of the argument toMail causes sql injection. The attack can be initiated remotely. The exploit has been made available to the...

CVE-2026-33643

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go...

CVE-2026-33643

CVE-2026-33643 affects SchemaHero 0.23.0 with a SQL Injection flaw in the MySQL plugin path: the column.go processing in plugins/mysql/lib/column.go improperly handles the column parameter, allowing malicious input to alter table schema. Connected sources also describe similar risks in the Postgr...