Total
18841 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29529 | 2026-04-15 | 6.5 Medium | ||
| ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx. | ||||
| CVE-2025-45065 | 2026-04-15 | 9.8 Critical | ||
| employee record management system in php and mysql v1 was discovered to contain a SQL injection vulnerability via the loginerms.php endpoint. | ||||
| CVE-2025-5329 | 1 Martcode | 1 Delta Course Automation | 2026-04-15 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection.This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-27709 | 1 Eskooly | 1 Web Product | 2026-04-15 | 9.8 Critical |
| SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component. | ||||
| CVE-2025-1981 | 2026-04-15 | N/A | ||
| Improper neutralization of input provided by a low-privileged user into a file search functionality in Ready_'s Invoices module allows for SQL Injection attacks. | ||||
| CVE-2025-54475 | 2 Joomla, Joomsky | 3 Joomla, Joomla!, Js Jobs | 2026-04-15 | N/A |
| A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands. | ||||
| CVE-2024-42533 | 2026-04-15 | 9.8 Critical | ||
| SQL injection vulnerability in the authentication module in Convivance StandVoice 4.5 through 6.2 allows remote attackers to execute arbitrary code via the GEST_LOGIN parameter. | ||||
| CVE-2025-9977 | 2026-04-15 | N/A | ||
| Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infrastructure. Patching status is unknown because the vendor has not replied to messages sent by the CNA. | ||||
| CVE-2023-3416 | 1 Tagdiv | 1 Opt In Builder | 2026-04-15 | 7.2 High |
| The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'subscriptionCouponId' parameter via the 'create_stripe_subscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-55586 | 2026-04-15 | 9.8 Critical | ||
| Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended behavior. | ||||
| CVE-2024-13147 | 2026-04-15 | 9.8 Critical | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel allows SQL Injection.This issue affects B2B Login Panel: before 15.01.2025. | ||||
| CVE-2025-4568 | 2026-04-15 | N/A | ||
| Improper neutralization of input provided by an unauthorized user into changes__reference_id parameter in URL allows for boolean-based Blind SQL Injection attacks. | ||||
| CVE-2020-37035 | 1 Amitkolloldey | 1 E-learning Script | 2026-04-15 | 8.2 High |
| e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information. | ||||
| CVE-2025-10095 | 1 Smseagle | 1 Smseagle | 2026-04-15 | N/A |
| A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database interactions. The vulnerability is isolated to the SMPP server, which operates with its own dedicated database, separate from the main software's database. This isolation limits the scope of the vulnerability to the SMPP server's operations. The vulnerability arises from improper sanitization of user input in the SMPP server's scripts. This issue has been fixed in version 6.11. | ||||
| CVE-2023-2596 | 1 Janobe | 1 Online Reviewer System | 2026-04-14 | 6.3 Medium |
| A vulnerability was found in SourceCodester Online Reviewer System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /reviewer/system/system/admins/manage/users/user-update.php of the component GET Parameter Handler. The manipulation of the argument user_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-228398 is the identifier assigned to this vulnerability. | ||||
| CVE-2021-27130 | 1 Janobe | 1 Online Reviewer System | 2026-04-14 | 9.8 Critical |
| Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload. | ||||
| CVE-2025-62846 | 2 Qnap, Qnap Systems | 2 Qurouter, Qurouter | 2026-04-14 | 6.7 Medium |
| An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later | ||||
| CVE-2026-34747 | 1 Payloadcms | 1 Payload | 2026-04-14 | 8.5 High |
| Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1. | ||||
| CVE-2026-34788 | 1 Emlog | 1 Emlog | 2026-04-14 | 6.5 Medium |
| Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches. | ||||
| CVE-2026-34612 | 2 Kestra, Kestra-io | 2 Kestra, Kestra | 2026-04-14 | 10 Critical |
| Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7. | ||||