Export limit exceeded: 18532 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18532 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0702 | 2 Wordpress, Wpcreatix | 2 Wordpress, Vidshop – Shoppable Videos For Woo Commerce | 2026-01-29 | 7.5 High |
| The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2020-36951 | 1 Geraked | 1 Phpscript-sgh | 2026-01-29 | 8.2 High |
| Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. | ||||
| CVE-2025-59379 | 1 Dwyeromega | 2 Isensix Advanced Remote Monitoring System, Isensix Advanced Remote Monitoring System Firmware | 2026-01-29 | 7.5 High |
| DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. This allows an attacker to steal credentials, which may be cleartext, from existing users (and admins) and use them to authenticate to the application. | ||||
| CVE-2025-34038 | 2 Weaver, Weiphp | 2 E-cology, Weiphp | 2026-01-27 | 7.5 High |
| A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | ||||
| CVE-2025-67146 | 1 Abhishekmali21 | 1 Gym Management System | 2026-01-27 | 9.4 Critical |
| Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. | ||||
| CVE-2026-21875 | 2 Clipbucket, Oxygenz | 2 Clipbucket, Clipbucket | 2026-01-27 | 9.8 Critical |
| ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class. php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class. php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication. | ||||
| CVE-2024-25220 | 1 Code-projects | 1 Task Manager | 2026-01-27 | 9.8 Critical |
| Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the taskID parameter at /TaskManager/EditTask.php. | ||||
| CVE-2024-25222 | 2 Code-projects, Task Manager In Php With Source Code Project | 2 Task Manager, Task Manager In Php With Source Code | 2026-01-27 | 9.8 Critical |
| Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the projectID parameter at /TaskManager/EditProject.php. | ||||
| CVE-2025-14973 | 1 Wordpress | 1 Wordpress | 2026-01-27 | 6.8 Medium |
| The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | ||||
| CVE-2025-12514 | 1 Centreon | 2 Centreon, Open Tickets | 2026-01-26 | 7.2 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | ||||
| CVE-2026-0806 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.9 Medium |
| The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-15029 | 1 Centreon | 2 Awie, Centreon | 2026-01-26 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | ||||
| CVE-2025-12984 | 2 Monetizemore, Wordpress | 2 Advanced Ads, Wordpress | 2026-01-26 | 4.9 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-52694 | 1 Advantech | 7 Iot Edge Linux Docker, Iot Edge Products, Iot Edge Windows and 4 more | 2026-01-26 | 10 Critical |
| Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately. | ||||
| CVE-2025-0103 | 1 Paloaltonetworks | 1 Expedition | 2026-01-23 | 8.8 High |
| An SQL injection vulnerability in Palo Alto Networks Expedition enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. This vulnerability also enables attackers to create and read arbitrary files on the Expedition system. | ||||
| CVE-2024-7930 | 2 Oretnom23, Sourcecodester | 2 Clinic\'s Patient Management System, Clinics Patient Management System | 2026-01-23 | 6.3 Medium |
| A vulnerability has been found in SourceCodester Clinics Patient Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /pms/ajax/get_packings.php. The manipulation of the argument medicine_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-7871 | 2 Easytest, Huaju | 2 Easytest Online Test Platform, Easytest Online Learning Test Platform | 2026-01-23 | 8.8 High |
| SQL Injection in online dictionary function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the word parameter. | ||||
| CVE-2023-7123 | 1 Oretnom23 | 1 Medicine Tracker System | 2026-01-23 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracking System 1.0. This issue affects some unknown processing of the file /classes/Master.php? f=save_medicine. The manipulation of the argument id/name/description leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249095. | ||||
| CVE-2022-47151 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-01-23 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1. | ||||
| CVE-2020-25760 | 1 Projectworlds | 1 Visitor Management System | 2026-01-23 | 8.8 High |
| Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database. | ||||