Total
18435 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2073 | 1 Campcodes | 1 Online Traffic Offense Management System | 2026-03-17 | 7.3 High |
| A vulnerability was found in Campcodes Online Traffic Offense Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /classes/Login.php. The manipulation of the argument password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-226051. | ||||
| CVE-2023-2074 | 1 Campcodes | 1 Online Traffic Offense Management System | 2026-03-17 | 6.3 Medium |
| A vulnerability was found in Campcodes Online Traffic Offense Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Master.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-226052. | ||||
| CVE-2025-67644 | 2 Langchain, Langchain-ai | 4 Langchain, Langgraph-checkpoint-sqlite, Langchain and 1 more | 2026-03-17 | 7.3 High |
| LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1. | ||||
| CVE-2026-30930 | 1 Nicolargo | 1 Glances | 2026-03-17 | 9.8 Critical |
| Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1. | ||||
| CVE-2026-28443 | 1 Openreplay | 1 Openreplay | 2026-03-17 | 9.8 Critical |
| OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0. | ||||
| CVE-2018-25187 | 1 Tina4 | 1 Tina4 Stack | 2026-03-16 | 8.2 High |
| Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection attacks. Attackers can directly request the kim.db database file to retrieve user credentials and password hashes, or inject SQL code through the menu endpoint to manipulate database queries. | ||||
| CVE-2025-8587 | 2 Akce, Akceyazilim | 2 Skspro, Skspro | 2026-03-16 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection.This issue affects SKSPro: through 07012026. | ||||
| CVE-2026-28501 | 1 Wwbn | 1 Avideo | 2026-03-16 | 9.8 Critical |
| WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0. | ||||
| CVE-2006-5840 | 1 Abarcar | 1 Abarcar Realty Portal | 2026-03-13 | N/A |
| Multiple SQL injection vulnerabilities in Abarcar Realty Portal allow remote attackers to execute arbitrary SQL commands via the (1) neid parameter to newsdetails.php, or the (2) slid parameter to slistl.php. NOTE: the cat vector is already covered by CVE-2006-2853. NOTE: the vendor has notified CVE that the current version only creates static pages, and that slistl.php/slid never existed in any version | ||||
| CVE-2026-32127 | 2 Open-emr, Openemr | 2 Openemr, Openemr | 2026-03-13 | 8.8 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax graphs library. This vulnerability is fixed in 8.0.0.1. | ||||
| CVE-2019-25494 | 1 Doditsolutions | 2 Airbnb Clone Script, Homey Bnb (airbnb Clone Script) | 2026-03-13 | 8.2 High |
| Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel. | ||||
| CVE-2025-49784 | 1 Fortinet | 3 Fortianalyzer, Fortianalyzer-bigdata, Fortianalyzer Big Data | 2026-03-12 | 5.6 Medium |
| An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer-BigData 7.6.0, FortiAnalyzer-BigData 7.4.0 through 7.4.4, FortiAnalyzer-BigData 7.2 all versions, FortiAnalyzer-BigData 7.0 all versions, FortiAnalyzer-BigData 6.4 all versions, FortiAnalyzer-BigData 6.2 all versions may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests. | ||||
| CVE-2020-37057 | 2 Nayem-howlader, Sunnygkp10 | 3 Online Exam System, Online-exam-system, Online-exam-system- | 2026-03-12 | 8.2 High |
| Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information. | ||||
| CVE-2020-37051 | 2 Nayem-howlader, Sunnygkp10 | 3 Online Exam System, Online-exam-system, Online-exam-system- | 2026-03-12 | 8.2 High |
| Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters. | ||||
| CVE-2025-45809 | 1 Litellm | 1 Litellm | 2026-03-12 | 5.4 Medium |
| SQL Injection vulnerability in BerriAI LiteLLM before 1.81.0 allows attackers to execute arbitrary commands via the key parameter to the "/key/block" and "/key/unblock" API endpoints. | ||||
| CVE-2026-3740 | 2 Angeljudesuarez, Itsourcecode | 2 University Management System, University Management System | 2026-03-12 | 7.3 High |
| A weakness has been identified in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /admin_search_student.php. This manipulation of the argument admin_search_student causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2023-39417 | 3 Debian, Postgresql, Redhat | 10 Debian Linux, Postgresql, Advanced Cluster Security and 7 more | 2026-03-12 | 7.5 High |
| IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. | ||||
| CVE-2026-3730 | 1 Itsourcecode | 1 Free Hotel Reservation System | 2026-03-11 | 7.3 High |
| A security flaw has been discovered in itsourcecode Free Hotel Reservation System 1.0. The affected element is an unknown function of the file /hotel/admin/mod_amenities/index.php?view=edit. Performing a manipulation of the argument amen_id/rmtype_id results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-3736 | 2 Carmelo, Code-projects | 2 Simple Flight Ticket Booking System, Simple Flight Ticket Booking System | 2026-03-11 | 7.3 High |
| A vulnerability was found in code-projects Simple Flight Ticket Booking System 1.0. Affected by this issue is some unknown functionality of the file SearchResultRoundtrip.php. Performing a manipulation of the argument from results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-3735 | 2 Carmelo, Code-projects | 2 Simple Flight Ticket Booking System, Simple Flight Ticket Booking System | 2026-03-11 | 7.3 High |
| A vulnerability has been found in code-projects Simple Flight Ticket Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file SearchResultOneway.php. Such manipulation of the argument from leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||