216689 matches found
CVE-2026-31891
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
CVE-2026-31891 Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
CVE-2026-31891
CVE-2026-31891 affects Cockpit CMS 2.13.4 and earlier with API access enabled. A SQL injection in the MongoLite Aggregation Optimizer allows an attacker with a valid read-only API key to inject arbitrary SQL via unsanitized field names in aggregation queries (toJsonExtractRaw()), bypassing the pu...
CVE-2026-31891 Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
CVE-2026-26001
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6...
PT-2026-26156
OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...
GLPI Inventory Plugin SQL注入漏洞
GLPI Inventory Plugin is an open-source plugin developed by French company GLPI. It is used to process various types of tasks for the GLPI agent. Versions of the GLPI Inventory Plugin prior to 1.6.6 contained a SQL injection vulnerability, which stems from improper handling of user input,...
Mura 安全漏洞
Mura is a content management system developed by Mura Corporation. Versions of Mura prior to 10.1.14 contained security vulnerabilities, which were caused by SQL injection attacks in the getQuery and sortby parameters of the beanFeed.cfc file...
PT-2026-26155
ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...
ClipBucket SQL注入漏洞
ClipBucket is an open-source PHP script developed by MacWarrior. It is available for free download and used to host video websites. Versions of ClipBucket prior to 5.5.3 80 contained a SQL injection vulnerability. This vulnerability stemmed from insufficient cleaning of the userid parameter input...
CVE-2025-67829
Mura before 10.1.14 allows beanFeed.cfc getQuery sortDirection SQL injection...
OpenProject SQL注入漏洞
OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 have a SQL injection vulnerability. This vulnerability arises from custom field names not being properly cleaned in SQL queries, which can allow SQL injection...
CVE-2025-67830
Mura CMS vulnerable before 10.1.14 due to beanFeed.cfc getQuery sortby SQL injection. Root cause is improper handling of sortby in the getQuery path, enabling SQL injection with high impact to confidentiality, integrity, and availability (CVSS 9.8). Mitigation: upgrade to version 10.1.14 or apply...
CVE-2025-67829
CVE-2025-67829 affects Mura prior to 10.1.14. The issue is a SQL injection in beanFeed.cfc getQuery sortDirection, enabling high-severity (CVSS 9.8) impact with network attack vector and no user interaction. Affected component: Mura CMS (beanFeed.cfc). Root cause: improper handling of sortDirecti...
glances 安全漏洞
Glances is a system monitoring tool developed by Nicolas Hennion. Versions of Glances prior to 4.5.3 contained security vulnerabilities. These vulnerabilities stemmed from the DuckDB export module, where table names and column names were directly inserted into SQL statements, potentially leading ...
CVE-2026-26001
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6...
CVE-2026-26001
CVE-2026-26001 affects the GLPI Inventory Plugin. The vulnerability is an SQL injection in the dropdown_calendar report, caused by non-sanitized user input prior to version 1.6.6. The issue allows an attacker with adequate rights to influence the database query (impacting confidentiality; integri...
CVE-2026-26001 GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6...
UBUNTU-CVE-2026-25936
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue...
CVE-2026-25936
CVE-2026-25936 affects GLPI: versions 11.0.0–11.0.5 are vulnerable to an authenticated SQL injection, with the issue fixed in 11.0.6. The vulnerability is linked to authenticated user input that leads to SQL injection; exact vectors are not detailed in the provided documents. Impact indicators de...