Total
18542 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6933 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | 6.3 Medium |
| A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component. | ||||
| CVE-2022-3689 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | 7.2 High |
| The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users | ||||
| CVE-2025-67261 | 1 Abacre | 1 Retail Point Of Sale | 2026-01-30 | 6.5 Medium |
| Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | ||||
| CVE-2026-23723 | 1 Wegia | 1 Wegia | 2026-01-30 | 7.2 High |
| WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | ||||
| CVE-2023-26813 | 1 Wang.market | 1 Wangmarket | 2026-01-30 | 9.8 Critical |
| SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do. | ||||
| CVE-2020-37006 | 1 Crm-now | 1 Berlicrm | 2026-01-30 | 8.2 High |
| berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. | ||||
| CVE-2020-36999 | 1 Elaniin | 1 Cms | 2026-01-30 | 8.2 High |
| Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system. | ||||
| CVE-2025-54946 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | 9.8 Critical |
| A SQL injection vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary SQL commands. | ||||
| CVE-2020-36945 | 1 Webdamn | 1 Webdamn User Registration & Login System With User Panel | 2026-01-29 | 8.2 High |
| WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel. | ||||
| CVE-2025-65091 | 1 Xwiki | 2 Full Calendar Macro, Xwiki | 2026-01-29 | 10 Critical |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | ||||
| CVE-2025-1708 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-01-29 | 8.6 High |
| The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content. | ||||
| CVE-2026-0702 | 2 Wordpress, Wpcreatix | 2 Wordpress, Vidshop – Shoppable Videos For Woo Commerce | 2026-01-29 | 7.5 High |
| The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2020-36951 | 1 Geraked | 1 Phpscript-sgh | 2026-01-29 | 8.2 High |
| Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. | ||||
| CVE-2025-59379 | 1 Dwyeromega | 2 Isensix Advanced Remote Monitoring System, Isensix Advanced Remote Monitoring System Firmware | 2026-01-29 | 7.5 High |
| DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. This allows an attacker to steal credentials, which may be cleartext, from existing users (and admins) and use them to authenticate to the application. | ||||
| CVE-2025-34038 | 2 Weaver, Weiphp | 2 E-cology, Weiphp | 2026-01-27 | 7.5 High |
| A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | ||||
| CVE-2025-67146 | 1 Abhishekmali21 | 1 Gym Management System | 2026-01-27 | 9.4 Critical |
| Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. | ||||
| CVE-2026-21875 | 2 Clipbucket, Oxygenz | 2 Clipbucket, Clipbucket | 2026-01-27 | 9.8 Critical |
| ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication. | ||||
| CVE-2024-25220 | 1 Code-projects | 1 Task Manager | 2026-01-27 | 9.8 Critical |
| Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the taskID parameter at /TaskManager/EditTask.php. | ||||
| CVE-2024-25222 | 2 Code-projects, Task Manager In Php With Source Code Project | 2 Task Manager, Task Manager In Php With Source Code | 2026-01-27 | 9.8 Critical |
| Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the projectID parameter at /TaskManager/EditProject.php. | ||||
| CVE-2025-14973 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 6.8 Medium |
| The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | ||||