216737 matches found
CVE-2026-31877
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0...
CVE-2019-25486
Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit POST requests with crafted SQL payloads in the userid field to bypass authentication and extract...
CVE-2026-31896 WeGIA has a Time-Based Blind SQL Injection in remover_produto_ocultar.php
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The removerprodutoocultar.php script uses extract$REQUEST to populate local variables and then directly concatenates these variables into a SQL query...
CVE-2026-31896
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The removerprodutoocultar.php script uses extract$REQUEST to populate local variables and then directly concatenates these variables into a SQL query...
EUVD-2026-11313
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The removerprodutoocultar.php script uses extract$REQUEST to populate local variables and then directly concatenates these variables into a SQL query...
CVE-2026-31896 WeGIA has a Time-Based Blind SQL Injection in remover_produto_ocultar.php
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, a critical SQL injection vulnerability exists in the WeGIA application. The removerprodutoocultar.php script uses extract$REQUEST to populate local variables and then directly concatenates these variables into a SQL query...
CVE-2026-31895 WeGIA has a SQL Injection via Direct Query Interpolation in restaurar_produto.php
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA Web gerenciador para instituições assistenciais contains a SQL injection vulnerability in html/matPat/restaurarproduto.php. The idproduto parameter from $GET is directly interpolated into SQL queries without...
CVE-2026-31895 WeGIA has a SQL Injection via Direct Query Interpolation in restaurar_produto.php
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA Web gerenciador para instituições assistenciais contains a SQL injection vulnerability in html/matPat/restaurarproduto.php. The idproduto parameter from $GET is directly interpolated into SQL queries without...
CVE-2026-31895
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA Web gerenciador para instituições assistenciais contains a SQL injection vulnerability in html/matPat/restaurarproduto.php. The idproduto parameter from $GET is directly interpolated into SQL queries without...
CVE-2026-31895
CVE-2026-31895 affects WeGIA (Web gerenciador para instituições assistenciais). Before version 3.6.6, the file html/matPat/restaurar_produto.php is vulnerable to SQL injection because the id_produto parameter from $_GET is directly interpolated into SQL queries without parameterization or sanitiz...
CVE-2026-31895 WeGIA has a SQL Injection via Direct Query Interpolation in restaurar_produto.php
WeGIA is a web manager for charitable institutions. Prior to version 3.6.6, WeGIA Web gerenciador para instituições assistenciais contains a SQL injection vulnerability in html/matPat/restaurarproduto.php. The idproduto parameter from $GET is directly interpolated into SQL queries without...
CVE-2026-31877
Frappe (full-stack web framework) contains a SQL injection vulnerability prior to versions 15.84.0 and 14.99.0, exploitable via a specially crafted request to a certain endpoint. The issue can lead to information disclosure with high impact to confidentiality and integrity. The vulnerability is f...
EUVD-2026-11288
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0...
CVE-2026-31877 Frappe SQL Injection due to improper field sanitization
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0...
CVE-2026-31877 Frappe SQL Injection due to improper field sanitization
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0...
CVE-2019-25486
CVE-2019-25486 is described as a SQL injection in Varient 1.6.1. An unauthenticated attacker can inject SQL via the user_id parameter in POST requests, bypass authentication, and potentially extract sensitive data. The description does not specify affected products/vendors beyond “Varient 1.6.1,”...
CVE-2019-25486
Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit POST requests with crafted SQL payloads in the userid field to bypass authentication and extract...
CVE-2026-31858
Craft is a content management system CMS. The ElementSearchController::actionSearch endpoint is missing the unset protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability including criteriaorderBy, the original advisory vector works on th...
CVE-2026-31856
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...
CVE-2026-31871
Parse Server has a SQL injection vulnerability in the PostgreSQL storage adapter during Increment operations on nested object fields (dot notation, e.g., stats.counter). The sub-key name is interpolated into SQL literals without escaping, enabling an attacker who can submit REST API write request...