Lucene search
K

216689 matches found

ATTACKERKB
ATTACKERKB
added 2026/03/20 5:2 a.m.2 views

CVE-2026-33025

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although realescapestring was applied, it only escapes...

8.6CVSS5.9AI score0.00398EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/03/20 5:2 a.m.10 views

CVE-2026-33025

AVideo versions before 8.0 are affected by a SQL injection in getSqlFromPost() in Object.php, where $_POST['sort'] keys are used directly as ORDER BY identifiers. Although real_escape_string() is applied, it only escapes string-context chars and does not protect SQL identifiers. The issue is fixe...

8.8CVSS5.9AI score0.00398EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/20 5:2 a.m.2 views

CVE-2026-33025 AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although realescapestring was applied, it only escapes...

8.6CVSS5.9AI score0.00398EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/20 4:32 a.m.3 views

CVE-2026-4470 itsourcecode Online Frozen Foods Ordering System admin_edit_menu.php sql injection

A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this issue is some unknown functionality of the file /admin/admineditmenu.php. Performing a manipulation of the argument productname results in sql injection. It is possible to initiate the...

5.8CVSS5.7AI score0.00327EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/03/20 4:30 a.m.19 views

CVE-2026-32954 ERP has a possibility SQL Injection vulnerability due to missing validation

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue h...

7.1CVSS0.00314EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/20 4:14 a.m.6 views

CVE-2026-32950

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution RCE, allowing any authenticated user even the...

8.6CVSS6.3AI score0.00878EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/03/20 4:14 a.m.9 views

CVE-2026-32950

CVE-2026-32950 affects SQLBot prior to 1.7.0, where an authenticated user can trigger a critical SQL Injection in the /api/v1/datasource/uploadExcel endpoint. The root cause is unsanitized Excel sheet names concatenated into PostgreSQL table names and embedded into COPY statements via f-strings i...

8.8CVSS6.3AI score0.00878EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/20 4:14 a.m.2 views

CVE-2026-32950 SQLBot: RCE via SQL Injection in Excel Upload Endpoint

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution RCE, allowing any authenticated user even the...

8.6CVSS6.2AI score0.00878EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/20 4:14 a.m.2 views

EUVD-2026-13543

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution RCE, allowing any authenticated user even the...

8.6CVSS6.3AI score0.00878EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/20 4:2 a.m.3 views

CVE-2026-4469

A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admineditmenuaction.php. Such manipulation of the argument productname leads to sql injection. The attack may be performed from...

5.8CVSS5.7AI score0.00327EPSS
Exploits1References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/20 2:14 a.m.4 views

CVE-2026-32888 Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled searchcustom filter, user-supplied input from the search GET...

8.8CVSS6.2AI score0.00316EPSS
Exploits1References1
CVE
CVE
added 2026/03/20 2:14 a.m.16 views

CVE-2026-32888

CVE-2026-32888 affects Open Source Point of Sale (PHP, CodeIgniter). A SQL Injection exists in the Items search functionality when the custom attribute search feature (search_custom) is enabled: user input from the search GET parameter is interpolated directly into a HAVING clause without paramet...

8.8CVSS6.2AI score0.00316EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/03/20 2:14 a.m.18 views

CVE-2026-32888 Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled searchcustom filter, user-supplied input from the search GET...

8.8CVSS0.00316EPSS
Exploits1References1
OSV
OSV
added 2026/03/20 2:14 a.m.5 views

CVE-2026-32888 Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled searchcustom filter, user-supplied input from the search GET...

8.8CVSS6.2AI score0.00316EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/20 2:9 a.m.3 views

CVE-2026-32813 Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort...

8CVSS6AI score0.00279EPSS
Exploits1References2
CVE
CVE
added 2026/03/20 2:9 a.m.12 views

CVE-2026-32813

Admidio CVE-2026-32813 describes a second-order SQL injection in the MyList configuration feature. Versions 5.0.6 and earlier store user-supplied column names, sort directions, and filter conditions in adm_list_columns via prepared statements (safe write), but read these values back and interpola...

8CVSS6AI score0.00279EPSS
Exploits1References2Affected Software1
Snyk
Snyk
added 2026/03/20 12:40 a.m.2 views

SQL Injection

Overview kysely is a Type safe SQL query builder Affected versions of this package are vulnerable to SQL Injection via the visitJSONPathLeg function, which appends user-controlled values from .key and .at directly into single-quoted JSON path string literals without proper escaping. An attacker c...

8.8CVSS6.1AI score0.00419EPSS
Exploits1References2
SUSE CVE
SUSE CVE
added 2026/03/20 12:24 a.m.3 views

SUSE CVE-2026-32611

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix commit 39161f0 addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and psycopg.sql composable objects. However, the DuckDB export module...

9.1CVSS5.8AI score0.00325EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.4 views

PT-2026-26772

Summary The RTMP on publish callback at plugin/Live/on publish.php is accessible without authentication. The $ POST'name' parameter stream key is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest and LiveTransmition::keyExists — without parameterized...

7.5CVSS6AI score0.00468EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.5 views

PT-2026-26672

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. Th...

7.5CVSS6.7AI score0.00254EPSS
Exploits0References7
Rows per page
Query Builder