PT-2026-26672

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. Th...

PbootCMS SQL注入漏洞

PbootCMS is an open-source enterprise website content management system developed using the PHP language. Versions of PbootCMS 3.2.12 and earlier have a SQL injection vulnerability. This vulnerability stems from incorrect handling of the parameter Username in the checkUsername function within the...

PT-2026-26557

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution RCE, allowing any authenticated user even the...

PT-2026-26690

Name of the Vulnerable Software and Affected Versions PbootCMS versions prior to 3.2.12 Description A flaw exists in PbootCMS up to version 3.2.12 related to the manipulation of the Username argument within the checkUsername function located in the file apps/home/controller/MemberController.php o...

Frappe SQL注入漏洞

Frappe is a web development framework based on Python and Mariadb, with integrated front-end pages, developed by the Indian company Frappe. Versions of Frappe prior to 16.8.0 and 15.100.0 have a SQL injection vulnerability. This vulnerability stems from insufficient parameter validation, which ma...

PT-2026-26685

A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask db of the file mindsql/core/mindsql core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be...

WeGIA 安全漏洞

WeGIA is a network manager for a welfare organization developed by Nilson Lazarin. Versions of WeGIA prior to 3.6.5 contained security vulnerabilities. These vulnerabilities stemmed from SQL injections in the html/matPat/restaurarProduto.php endpoint, which could lead to a complete database breac...

itsourcecode Online Doctor Appointment System SQL注入漏洞

itsourcecode Online Doctor Appointment System is an open-source online doctor appointment system developed by itsourcecode. Version 1.0 of the system has a SQL injection vulnerability. This vulnerability arises from incorrect handling of the appointmentid parameter in the file...

PT-2026-26562

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $ POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real escape string was applied, it only escapes...

itsourcecode Online Frozen Foods Ordering System SQL注入漏洞

itsourcecode Online Frozen Foods Ordering System is an open-source online frozen food ordering system developed by itsourcecode. Version 1.0 of the system has a SQL injection vulnerability, which arises from incorrect handling of the parameter productname in the file admin/admin/editmenuaction.ph...

AVideo SQL注入漏洞

AVideo is an open-source broadcast network creation tool developed by the World Wide Broadcast Network. Versions of AVideo prior to 8.0 contained a SQL injection vulnerability. This vulnerability stemmed from the use of POST sort array key values as direct SQL column identifiers, which could lead...

QNAP Systems QHora SQL注入漏洞

QNAP Systems QHora is a router product of QNAP Systems, a company based in Taiwan, China. The QNAP Systems QHora device has a SQL injection vulnerability. This vulnerability arises from SQL injections, which may allow local attackers to obtain administrator accounts and execute unauthorized code ...

PT-2026-26559

A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin edit menu action.php. Such manipulation of the argument product name leads to sql injection. The attack may be performed from...

PT-2026-26789

Name of the Vulnerable Software and Affected Versions Ory Keto affected versions not specified Description The GetRelationships API in Ory Keto is susceptible to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in...

PT-2026-26787

Name of the Vulnerable Software and Affected Versions Ory Kratos affected versions not specified Description The ListCourierMessages Admin API in Ory Kratos is susceptible to SQL injection because of issues in its pagination implementation. Pagination tokens are encrypted using a secret configure...

PT-2026-26566

A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment action.php. The manipulation of the argument appointment id results in sql injection. The attack can be launched remotely. The exploit is no...

Cockpit < 2.13.5 SQLi (GHSA-7x5c-vfhj-9628)

The version of Cockpit CMS running on the remote web server is prior to 2.13.5. It is, therefore, affected by a SQL injection vulnerability in the MongoLite Aggregation Optimizer. - An unsanitized field name in the toJsonExtractRaw method in lib/MongoLite/Aggregation/Optimizer.php allows an...

DB-GPT SQL注入漏洞

DB-GPT is an open-source development framework for AI-native data applications based on AWEL and proxies, developed by eosphoros. Versions of DB-GPT 0.7.5 and earlier contain a SQL injection vulnerability. This vulnerability stems from unknown code in the /file/api/v1/editor/ section, which may...

CVE-2026-29099

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, the retrieve function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user controlled $id parameter. It is assumed that the...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...