Lucene search
+L

191 matches found

NVD
NVD
added 2026/07/09 11:17 p.m.5 views

CVE-2026-59834

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNI...

7.5CVSS0.0038EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/09 10:15 p.m.7 views

CVE-2026-59834

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNI...

7.5CVSS6AI score0.0038EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/07/09 10:15 p.m.36 views

CVE-2026-59834 SiYuan: SQL Query in Block Search Exposes Hidden Published Document Content

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the block search endpoint POST /api/search/fullTextSearchBlock concatenates attacker-controlled paths values into SQL predicates used by non-SQL search modes, allowing an unauthenticated publish visitor to inject a UNI...

7.5CVSS0.0038EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/29 12:29 p.m.8 views

EUVD-2026-40081

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS6AI score0.00148EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 12:29 p.m.4 views

CVE-2026-40522 FrontAccounting < 2.4.20 SQL Injection via rep601.php

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS6.2AI score0.00148EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/19 5:8 p.m.8 views

EUVD-2019-20186

Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hotelid parameter. Attackers can send POST requests to the search-hotels endpoint with crafted S...

8.8CVSS6.3AI score0.00366EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/19 5:8 p.m.17 views

CVE-2019-25750 Joomla J-MultipleHotelReservation 6.0.7 SQL Injection

Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hotelid parameter. Attackers can send POST requests to the search-hotels endpoint with crafted S...

8.8CVSS0.00366EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.13 views

PT-2026-35643

Name of the Vulnerable Software and Affected Versions LiteLLM versions 1.81.16 through 1.83.6 Description An unauthenticated pre-auth SQL injection exists in the proxy API key verification process. The issue occurs because a database query mixes caller-supplied values directly into the query text...

9.8CVSS6.2AI score0.86607EPSS
Exploits7References218
OSV
OSV
added 2026/04/21 7:12 p.m.5 views

CVE-2026-40871 mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

7.2CVSS6.3AI score0.09874EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/24 7:23 p.m.21 views

MobSF has SQL Injection in its SQLite Database Viewer Utils

Description MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst uses MobSF to analyze a malicious mobile application containing a craft...

6.5CVSS6.2AI score0.00276EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/03/06 3:31 p.m.9 views

EUVD-2018-21616

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements...

8.8CVSS6.1AI score0.00225EPSS
Exploits0References3
NVD
NVD
added 2026/03/06 1:15 p.m.8 views

CVE-2018-25161

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements...

8.8CVSS0.00225EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/06 12:18 p.m.3 views

CVE-2018-25163

BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rollno and username parameters in forgot.php and login.php. Attackers can submit crafted POST requests with SQL UNION statements to...

8.8CVSS6.1AI score0.00245EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/06 12:18 p.m.32 views

CVE-2018-25161 Warranty Tracking System 11.06.3 SQL Injection via SearchCustomer.php

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements...

8.8CVSS0.00225EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.12 views

PT-2026-23673

Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements...

8.8CVSS6.1AI score0.00225EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/02/05 11:48 a.m.156 views

sql-injection

SQL Injection Payloads List SQL Injection Payloads List...

5.7AI score
Exploits0
OSV
OSV
added 2026/02/03 10:16 p.m.9 views

CVE-2020-37076

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based,...

8.2CVSS5.9AI score0.00365EPSS
Exploits1References3
NVD
NVD
added 2026/02/03 10:16 p.m.8 views

CVE-2020-37076

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based,...

8.8CVSS0.00365EPSS
Exploits1References3
CVE
CVE
added 2026/02/03 10:1 p.m.18 views

CVE-2020-37076

Victor CMS 1.0 is affected by a SQL injection in the post parameter of post.php. The vulnerability allows remote attackers to manipulate database queries using crafted UNION SELECT payloads to extract information via boolean-based, error-based, and time-based techniques. Reported across multiple ...

8.8CVSS5.8AI score0.00365EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/03 10:1 p.m.5 views

CVE-2020-37076

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based,...

8.8CVSS5.8AI score0.00365EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder