5680 matches found
CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
NocoBase - SQL Injection
NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...
EUVD-2026-36960
Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions...
CVE-2026-49067
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions...
CVE-2026-39492
Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions...
EUVD-2026-36874
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions...
CVE-2026-48882 WordPress WP Time Slots Booking Form plugin <= 1.2.50 - SQL Injection vulnerability
Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions...
CVE-2026-42665 WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions...
CVE-2026-50890
Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement...
PT-2026-49441
Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions...
PT-2026-49210
BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...
CVE-2026-36670
A Time-Based Blind SQL Injection vulnerability in the aliasmanagement module of OpenSIPS Control Panel opensips-cp prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in aliasmanagement.php...
CVE-2026-12131
CVE-2026-12131 affects CodeAstro Human Resource Management System 1.0, specifically the Payroll Invoice Module. The vulnerability exists in the Invoice function of the file \application\controllers\Payroll.php, where manipulation of the argument ID leads to SQL injection. Exploitation is possible...
GHSA-HWVQ-2W67-RVXP TYPO3 CMS has Broken Access Control in its Form Framework
Problem: Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers ...
EUVD-2026-36453
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via getbloglist. This issue has been patched in versions 15.106.0 and 16.16.0...
EUVD-2026-36382
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated ...
PT-2026-48828
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated ...
CVE-2026-38581
SQL Injection vulnerability in damasac thaipalliativelte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php line 14 and the id parameter line 49. The parameters are concatenated directly into SQL queries without...
CVE-2026-8335 Missing authentication in Aix-DB
A missing authentication check on the Aix‑DB "/llm/processllmout" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are...