CVE-2026-4778

SourceCodester Sales and Inventory System 1.0 contains a SQL injection in update_category.php via manipulation of the HTTP GET parameter sid. This affects the code path handling the sid in update_category.php, enabling remote exploitation. The vulnerability is exploitable remotely with public PoC...

CVE-2026-4778 SourceCodester Sales and Inventory System HTTP GET Parameter update_category.php sql injection

A weakness has been identified in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file updatecategory.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is...

CVE-2026-4777

A security flaw has been discovered in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file viewsupplier.php of the component POST Parameter Handler. The manipulation of the argument searchtxt results in sql injection. The attack may be launched remotely. The...

CVE-2026-4777

A security flaw has been discovered in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file viewsupplier.php of the component POST Parameter Handler. The manipulation of the argument searchtxt results in sql injection. The attack may be launched remotely. The...

CVE-2026-4777

CVE-2026-4777 affects SourceCodester Sales and Inventory System 1.0, specifically the POST Parameter Handler’s file view_supplier.php. The vulnerability arises from manipulating the searchtxt argument, enabling SQL injection. The issue can be exploited remotely and, according to the sources, the ...

CVE-2026-23921

A flaw was found in Zabbix. A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in the API service. This vulnerability allows an attacker to execute arbitrary SQL selects and exfiltrate sensitive database data through time-based techniques. This could...

SQL Injection

Overview mobsf is a Mobile Security Framework MobSF is an automated, all-in-one mobile application Android/iOS/Windows pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to SQL Injecti...

GHSA-HQJR-43R5-9Q58 MobSF has SQL Injection in its SQLite Database Viewer Utils

Description MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst uses MobSF to analyze a malicious mobile application containing a craft...

CVE-2026-33539

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

UBUNTU-CVE-2026-23921

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

EUVD-2026-14976

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter...

Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Impact An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-lev...

GHSA-P2W6-RMH7-W8Q3 Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter

Impact An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-lev...

CVE-2026-23921 Blind, read-only SQL injection in Zabbix API via sortfield parameter

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

CVE-2026-23921 Blind, read-only SQL injection in Zabbix API via sortfield parameter

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

CVE-2026-33539 Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

CVE-2026-33539

Parse Server SQL injection vulnerability in PostgreSQL adapter (CVE-2026-33539). An attacker with master key access can inject SQL metacharacters into field name parameters of the aggregate $group stage or the distinct operation, enabling arbitrary SQL execution on PostgreSQL and privilege escala...

CVE-2026-33539

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

CVE-2026-33539 Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

WordPress WP Job Portal plugin <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter vulnerability

Unauthenticated SQL Injection via 'radius' Parameter vulnerability discovered by Leonid Semenenko lsemenenko in WordPress Plugin WP Job Portal versions = 2.4.8...