CVE-2026-47181 PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a...

CVE-2026-11945 PostgreSQL Anonymizer: SQL injection in the rules import functions

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the importdatabaserules or importrolesrules functions, the malicious code is executed with...

CVE-2026-11945 PostgreSQL Anonymizer: SQL injection in the rules import functions

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the importdatabaserules or importrolesrules functions, the malicious code is executed with...

CVE-2026-11945

CVE-2026-11945 affects PostgreSQL Anonymizer. A local user who can create JSON documents can embed malicious code in a specific key–value pair, which is executed with superuser privileges if a superuser invokes import_database_rules() or import_roles_rules(). This leads to privilege escalation/po...

network-intrusion-detector

network-intrusion-detector A Python tool that analyses web se...

CVE-2026-52758

Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the...

WordPress WP Photo Album Plus plugin < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter vulnerability

Unauthenticated SQL Injection via 'wppa-supersearch' Parameter vulnerability discovered by Daniel Púa - devploit in WordPress Plugin WP Photo Album Plus versions 9.1.11.001...

CVE-2026-3018

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

WordPress XStore theme < 9.7.3 - Unauthenticated SQLi vulnerability

Unauthenticated SQLi vulnerability discovered by Ahmed Makawi in WordPress Theme XStore versions 9.7.3...

Exploit for SQL Injection in Cmsmadesimple Cms_Made_Simple

poc-CVE-2019-9053 PoC didático em Python 3 para a CVE-2...

CVE-2026-38581

SQL Injection vulnerability in damasac thaipalliativelte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php line 14 and the id parameter line 49. The parameters are concatenated directly into SQL queries without...

PT-2026-48664

SQL Injection vulnerability in damasac thaipalliative lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php line 14 and the id parameter line 49. The parameters are concatenated directly into SQL queries without...

EUVD-2026-36241

SQL Injection vulnerability in damasac thaipalliativelte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php line 14 and the id parameter line 49. The parameters are concatenated directly into SQL queries without...

CVE-2026-38581

CVE-2026-38581 affects damasac thaipalliative_lte up to version 3.0. The flaw is an SQL Injection in /substudy/ezform.php (idFormMain, id parameters) where user input is concatenated into SQL without sanitization or parameterization. This enables remote attackers to execute arbitrary SQL commands...

PT-2026-48791

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - 129, the actions/progress video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queries and exfiltrate sensitive data. This issue has been...

WordPress plugin JoomSport SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

PostgreSQL Anonymizer SQL注入漏洞

PostgreSQL Anonymizer is an open-source extension developed by DALIBO in France, designed to mask or replace personally identifiable information PII or commercially sensitive data in PostgreSQL databases. PostgreSQL Anonymizer has a SQL injection vulnerability. This vulnerability arises from...

VulnCheck KEV: CVE-2026-39494

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2...

Thai Palliative SQL注入漏洞

Thai Palliative is a modified version of the PHP framework developed by DAMASAC KKU. Versions of Thai Palliative 3.0 and earlier have a SQL injection vulnerability. This vulnerability arises from the lack of cleaning or parameterization of the idFormMain parameter and the id parameter, which may...

ClipBucket V5 SQL注入漏洞

ClipBucket V5 is a video hosting platform developed by MacWarrior’s individual developers. Versions of ClipBucket V5 prior to 5.5.3 – including version 132 – contained an SQL injection vulnerability. This vulnerability stemmed from the number parameter in the POST /actions/subtitleedit.php reques...