CVE-2026-33643

CVE-2026-33643 affects SchemaHero 0.23.0 with a SQL Injection flaw in the MySQL plugin path: the column.go processing in plugins/mysql/lib/column.go improperly handles the column parameter, allowing malicious input to alter table schema. Connected sources also describe similar risks in the Postgr...

PT-2026-29101

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This affects an unknown part of the file /admin-api/system/tenant/get-by-website. The manipulation of the argument Website results in sql injection. It is possible to launch the attack remotely. The exploit has been released...

CVE-2026-33643

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the mysqlColumnAsInsert function in file plugins/mysql/lib/column.go...

CVE-2026-29953

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go...

yudao-cloud SQL注入漏洞

Yudao-Cloud is a backend management system developed by YunaiV as an individual developer. Versions of Yudao-Cloud prior to 2026.01 contained a SQL injection vulnerability. This vulnerability stemmed from incorrect handling of parameters in files such as admin-api/system/mail-log/page, where the...

CVE-2026-29953

SQL Injection vulnerability in SchemaHero 0.23.0 via the column parameter to the columnAsInsert function in file plugins/postgres/lib/column.go...

Code-Projects Accounting System SQL注入漏洞

Code-Projects Accounting System is an accounting system open sourced by Code-Projects. Version 1.0 of Code-Projects Accounting System has a SQL injection vulnerability. This vulnerability stems from incorrect handling of the parameter cosid in the file/viewincostumer.php of the Component Paramete...

Tautulli SQL注入漏洞

Tautulli is an open-source application developed by Tautulli for monitoring Plex Media Server. Versions of Tautulli from 2.14.2 to 2.17.0 had a SQL injection vulnerability. This vulnerability stemmed from the /api/v2?cmd=gethomestats endpoint not properly parameterizing its parameters, which coul...

Spring AI 1.0.x < 1.0.4 / 1.1.x < 1.1.3 Multiple Vulnerabilities

The version of Spring AI installed on the remote host is 1.0.x prior to 1.0.4 or 1.1.x prior to 1.1.3. It is, therefore, affected by multiple vulnerabilities: - A JSONPath injection vulnerability in AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access...

CVE-2026-5018

A weakness has been identified in code-projects Simple Food Order System 1.0. Affected is an unknown function of the file register-router.php of the component Parameter Handler. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The explo...

Exploit for SQL Injection in Ghost

CVE-2026-26980 👻 Ghost CMS Unauthenticated SQLi via Content...

ANT-2026-H5T8XKWR · TryGhost/Ghost · sql-injection

sql-injection critical GHSA-w52v-v783-gw97 Severity Claude critical · Security research firm - · Maintainer critical Discovered by Claude Mythos Preview REPORT The report below was sent to the maintainer and sealed at approval. ANT-2026-H5T8XKWR: SQL injection in Content API The Ghost Content API...

CVE-2026-4996

A vulnerability was identified in Sinaptik AI PandasAI up to 0.1.4. Affected by this issue is the function deletequestionandanswers/deletedocs/updatequestionanswer/updatedocs/getrelevantquestionanswersbyid/getrelevantdocsbyid of the file extensions/ee/vectorstores/lancedb/pandasailancedb/lancedb....

Prototype Pollution

Overview @mikro-orm/core is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript. Affected versions of this package are vulnerable to Prototype Pollution via the...

GHSA-QPFV-44F3-QQX6 MikroORM has Prototype Pollution in Utils.merge

A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as proto, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when...

SQL Injection

Overview @mikro-orm/mariadb is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript. Affected versions of this package are vulnerable to SQL Injection via the...

GHSA-GWHV-J974-6FXM MikroORM is vulnerable to SQL Injection via specially crafted object

Summary MikroORM versions = 6.6.9 and = 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments. Impact If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead ...

CVE-2026-5035

A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /viewwork.php of the component Parameter Handler. Such manipulation of the argument enid leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-5035 code-projects Accounting System Parameter view_work.php sql injection

A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /viewwork.php of the component Parameter Handler. Such manipulation of the argument enid leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-5035

A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /viewwork.php of the component Parameter Handler. Such manipulation of the argument enid leads to sql injection. It is possible to launch the attack remotely. The exploit has been...