Export limit exceeded: 19729 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (19729 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2018-25192 1 Sourceforge 1 Gps Tracking System 2026-04-15 8.2 High
GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials.
CVE-2018-25173 1 Sms 1 Rmedia Sms 2026-04-15 8.2 High
Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the gid parameter. Attackers can send GET requests to editgrp.php with malicious gid values using EXTRACTVALUE and CONCAT functions to retrieve schema names and sensitive database data.
CVE-2018-25191 1 Obedalvarado 1 Facturation System 2026-04-15 7.1 High
Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. Attackers can send POST requests to the editar_producto.php endpoint with crafted SQL payloads in the mod_id parameter to extract sensitive database information including usernames, database names, and version details.
CVE-2018-25172 1 Obedalvarado 1 Pedidos 2026-04-15 8.2 High
Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to the ajax/load_proveedores.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and table structures.
CVE-2018-25180 1 Salzertechnologies 1 Maitra 2026-04-15 7.1 High
Maitra 1.7.2 contains an sql injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in outmail and inmail modules. Attackers can also download the SQLite database file directly from the application directory to extract sensitive mail tracking data and credentials.
CVE-2019-25507 1 Ashopsoftware 1 Ashop Shopping Cart Software 2026-04-15 8.2 High
Ashop Shopping Cart Software contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'shop' parameter. Attackers can send GET requests to index.php with malicious 'shop' values using UNION-based SQL injection to extract sensitive database information.
CVE-2019-25504 1 Ncrypted 1 Ncrypted Jobgator 2026-04-15 8.2 High
NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can send POST requests to the agents Find-Jobs endpoint with malicious experience values to extract sensitive database information.
CVE-2018-25182 1 Snowhall 1 Silurus Classifieds Script 2026-04-15 8.2 High
Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to extract database table names and sensitive information from the database.
CVE-2018-25167 1 Net-billetterie 1 Billetterie 2026-04-15 8.2 High
Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit malicious SQL code through the login POST parameter to extract database information including usernames, passwords, and system credentials.
CVE-2018-25161 1 Warrantytrack 1 Warranty Tracking System 2026-04-15 8.2 High
Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements using UNION SELECT to extract sensitive database information including usernames, database names, and version details.
CVE-2018-25166 1 Sourceforge 1 Meneame English Pligg 2026-04-15 8.2 High
Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to index.php with crafted SQL payloads in the search parameter to extract sensitive database information including usernames, database names, and version details.
CVE-2018-25165 1 Galaxy 1 Galaxy Forces Mmorpg 2026-04-15 7.1 High
Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. Attackers can send POST requests to ads.php with crafted SQL payloads in the type parameter to extract sensitive database information including usernames, databases, and version details.
CVE-2018-25188 3 Github, Webiness Inventory Project, Webiness Project 3 Webiness Inventory, Webiness Inventory, Webiness Inventory 2026-04-15 8.2 High
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract sensitive database information including usernames, databases, and version details.
CVE-2018-25175 1 Alienor 1 Alienor Web Libre 2026-04-15 8.2 High
Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. Attackers can submit crafted POST requests to index.php with SQL injection payloads in the identifiant field to extract sensitive database information including usernames, databases, and version details.
CVE-2018-25189 1 Sourceforge 1 Data Center Audit 2026-04-15 8.2 High
Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_login.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted SQL payloads through POST requests to extract sensitive database information including usernames, database names, and version details.
CVE-2026-34455 2 Hi.events, Hieventsdev 2 Hi.events, Hi.events 2026-04-15 8.8 High
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta.
CVE-2025-1116 2026-04-15 7.3 High
A vulnerability, which was classified as critical, has been found in Dreamvention Live AJAX Search Free up to 1.0.6 on OpenCart. Affected by this issue is the function searchresults/search of the file /?route=extension/live_search/module/live_search.searchresults. The manipulation of the argument keyword leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13750 2026-04-15 6.5 Medium
The Multilevel Referral Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-4665 2 Arshid, Wordpress 2 Wordpress Contact Form Cfdb7, Wordpress 2026-04-15 9.6 Critical
WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully.
CVE-2024-3211 1 Wp Easycart 1 Shopping Cart And Ecommerce Store 2026-04-15 8.8 High
The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to SQL Injection via the 'productid' attribute of the ec_addtocart shortcode in all versions up to, and including, 5.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.