SUSE CVE-2025-14179

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat, which stops at...

CVE-2026-7815

The CVE-2026-7815 issue affects pgAdmin 4 maintenance tooling. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated into VACUUM/ANALYZE/REINDEX commands and passed to psql --command. An authenticated user with tools_maint...

CVE-2026-7815 pgAdmin 4: SQL injection in Maintenance tool option values leading to remote code execution

SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with th...

CVE-2026-7816 pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout

OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...

CVE-2026-6093 Corteza 2024.9.8 - SQL Injection in MSSQL JSON-path meta filter via incorrect T-SQL string escaping

Corteza contains a SQL injection vulnerability in its Microsoft SQL Server MSSQL backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8...

WordPress SureTriggers plugin < 1.1.23 - Unauthenticated SQLi vulnerability

Unauthenticated SQLi vulnerability discovered by mcdruid in WordPress Plugin OttoKit versions 1.1.23...

vulnerabilities handled in LiteLLM by BerriAI

BerriAI has addressed vulnerabilities in LiteLLM, specifically in versions 1.74.2 to 1.83.6. LiteLLM is a widely used proxy for managing APIs to a large number of LLM systems in a centralized manner. The first vulnerability involves an SQL injection in the proxy API key verification mechanism,...

CVE-2026-6433 Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection to RCE

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval, allowing unauthenticated users to execute arbitrary PHP code on the server...

CVE-2026-6433

Summary (CVE-2026-6433) : The Custom css-js-php WordPress plugin is vulnerable through versions up to 2.0.7 where unsanitized user input is used in a SQL query and the result is passed to eval(), enabling unauthenticated remote command execution (RCE). Exploitation and impact are stated across mu...

CVE-2026-38567

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username e.g. admin'-- or extract the full content...

PT-2026-39655

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username e.g. admin'-- or extract the full content...

CVE-2026-38567

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username e.g. admin'-- or extract the full content...

CVE-2026-36962

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the...

CVE-2026-36962

SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the...

CVE-2026-36962

CVE-2026-36962 affects MuuCMF T6, version 1.9.4.20260115. The issue is a SQL Injection in the /index/controller/Search.php endpoint via the keyword parameter, leading to unauthenticated access that can compromise the entire database and grant unauthorized administrative privileges, with potential...

PT-2026-39625

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions prior to 9.15 Description An SQL injection exists in the Maintenance Tool where four user-supplied JSON fields—buffer usage limit, vacuum parallel, vacuum index cleanup, and reindex tablespace—are concatenated directly into...

pgAdmin SQL注入漏洞

pgAdmin is an open-source management and development platform for the open-source database PostgreSQL. Versions of pgAdmin prior to 4.9.15 had a SQL injection vulnerability. This vulnerability allows authenticated users to inject arbitrary SQL statements in VACUUM/ANALYZE/REINDEX commands,...

Unity Linux 20.1070e Security Update: mysql (UTSA-2026-017672)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017672 advisory. Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Stored Procedure. Supported versions that are affected are 8.0.23 and prior. Easily...

Unity Linux 20.1070e Security Update: postgresql (UTSA-2026-017752)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017752 advisory. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-sqlalchemy (UTSA-2026-017470)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017470 advisory. SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the orderby parameter. Tenable has extracted the preceding description block directly fr...