Export limit exceeded: 19729 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19729 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-55586 | 2026-04-15 | 9.8 Critical | ||
| Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended behavior. | ||||
| CVE-2025-48701 | 2026-04-15 | 5.4 Medium | ||
| openDCIM through 23.04 allows SQL injection in people_depts.php because prepared statements are not used. | ||||
| CVE-2024-6527 | 1 Jan Syski | 1 Megabip | 2026-04-15 | N/A |
| SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify the content of pages. This issue affects MegaBIP software versions through 5.13. | ||||
| CVE-2024-6456 | 1 Aveva | 1 Historian | 2026-04-15 | N/A |
| AVEVA Historian Server has a vulnerability, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL. | ||||
| CVE-2024-55517 | 2026-04-15 | 8.8 High | ||
| An issue was discovered in the Interllect Core Search in Polaris FT Intellect Core Banking 9.5. Input passed through the groupType parameter in /SCGController is mishandled before being used in SQL queries, allowing SQL injection in an authenticated session. | ||||
| CVE-2025-59920 | 1 Systems At Work | 1 Time At Work | 2026-04-15 | N/A |
| When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database. | ||||
| CVE-2025-22370 | 2026-04-15 | N/A | ||
| Many fields for the web configuration interface of the firmware for Mennekes Smart / Premium Chargingpoints can be abused to execute arbitrary SQL commands because the values are insufficiently neutralized. | ||||
| CVE-2024-3342 | 2026-04-15 | 9.9 Critical | ||
| The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection via the 'events' attribute of the 'mp-timetable' shortcode in all versions up to, and including, 2.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-32786 | 1 Glpi-project | 1 Glpi Inventory | 2026-04-15 | 7.5 High |
| The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1. | ||||
| CVE-2025-4510 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in Changjietong UFIDA CRM 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /optnty/optntyday.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59369 | 1 Asus | 1 Router | 2026-04-15 | N/A |
| A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | ||||
| CVE-2025-10121 | 1 Dagg | 1 Uverif | 2026-04-15 | 6.3 Medium |
| A flaw has been found in uverif up to 3.2. This affects the function addbatch of the file /admin/kami_list. This manipulation of the argument note causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2025-13395 | 1 Codehub666 | 1 94list | 2026-04-15 | 7.3 High |
| A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8. The impacted element is the function Login of the file /function.php. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | ||||
| CVE-2024-39909 | 2026-04-15 | 6.5 Medium | ||
| KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1. | ||||
| CVE-2024-13320 | 2 Villatheme, Wordpress | 2 Curcy - Woocommerce Multi Currency - Currency Switcher, Wordpress | 2026-04-15 | 7.5 High |
| The CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress is vulnerable to SQL Injection via the 'wc_filter_price_meta[where]' parameter in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-48813 | 1 Employee Management System Project | 1 Employee Management System | 2026-04-15 | 8.8 High |
| SQL injection vulnerability in employee-management-system-php-and-mysql-free-download.html taskmatic 1.0 allows a remote attacker to execute arbitrary code via the admin_id parameter of the /update-employee.php component. | ||||
| CVE-2025-12197 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-04-15 | 7.5 High |
| The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-27753 | 2026-04-15 | 6.5 Medium | ||
| A SQLi vulnerability in RSMediaGallery component 1.7.4 - 2.1.6 for Joomla was discovered. The vulnerability is due to the use of unescaped user-supplied parameters in SQL queries within the dashboard component. This allows an authenticated attacker to inject malicious SQL code through unsanitized input fields, which are used directly in SQL queries. Exploiting this flaw can lead to unauthorized database access, data leakage, or modification of records. | ||||
| CVE-2025-12807 | 1 Rockwellautomation | 1 Factorytalk Datamosaix Private Cloud | 2026-04-15 | N/A |
| A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints. | ||||
| CVE-2025-8324 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2026-04-15 | 9.8 Critical |
| Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration. | ||||