CVE-2026-7672 youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection

A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection...

youlai-boot 注入漏洞

Youlai-Boot is a permission management system open source by Youlaiorg in China. Versions of Youlai-Boot 2.21.1 and earlier had a injection vulnerability. This vulnerability originated from the function getUserList in the Users Endpoint component’s file...

Dolibarr ERP CRM 注入漏洞

Dolibarr ERP CRM is an open-source enterprise and sales management system developed by Dolibarr. Versions of Dolibarr ERP CRM 23.0.2 and earlier had a injection vulnerability. This vulnerability stemmed from the operation of the fields parameter in the checkValForAPI function of the Shipments API...

Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 注入漏洞

Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System is a microgrid energy efficiency management system developed by Acrel Corporation. Version 1.3.0 of the Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System contains a SQL injection...

Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 注入漏洞

Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform is a power operation and maintenance cloud platform developed by Acrel Corporation. Version 1.3.0 of the Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform contains a SQL injection...

PT-2026-36642

Name of the Vulnerable Software and Affected Versions youlaitech youlai-boot versions prior to 2.21.2 Description A SQL injection issue exists in the Users Endpoint. The flaw is located in the getUserList function within the src/main/java/com/youlai/boot/system/controller/UserController.java file...

PT-2026-36697

A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The...

PT-2026-36702

A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The...

PT-2026-36679

Name of the Vulnerable Software and Affected Versions YunaiV yudao-cloud versions prior to 2026.01 Description A SQL injection issue exists in the getDataBySQL function within the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. This flaw...

CVE-2026-7670 Jinher OA UserSel.aspx sql injection

A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may b...

CVE-2026-7670

A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may b...

clan-nxt-toolkit

🔴 CLAN NXT Toolkit ██████╗██╗ █████╗ ███╗ ██╗...

CVE-2026-7632 code-projects Online Hospital Management System viewappointment.php sql injection

A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly...

CVE-2026-7632

A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly...

Exploit for CVE-2026-42167

Description This repository contains a functional exploit for...

CVE-2026-4061

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'mapposttype' parameter in all versions up to, and including, 1.13.18. This is due to the SearchResults hook explicitly calling stripslashesdeep$POST which removes WordPress magic quotes protection, followed by...

CVE-2026-4062

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'objectids' and 'excludeobjectids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existin...

CVE-2026-4061 Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'mapposttype' parameter in all versions up to, and including, 1.13.18. This is due to the SearchResults hook explicitly calling stripslashesdeep$POST which removes WordPress magic quotes protection, followed by...

CVE-2026-4061

The CVE concerns the WordPress plugin Geo Mashup (Geo Mashup) up to version 1.13.18, where a Time-Based SQL Injection exists via the map_post_type parameter. The vulnerability stems from the SearchResults hook calling stripslashes_deep($_POST), removing protection, and then concatenating the unsa...

EUVD-2026-26779

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'mapposttype' parameter in all versions up to, and including, 1.13.18. This is due to the SearchResults hook explicitly calling stripslashesdeep$POST which removes WordPress magic quotes protection, followed by...