Export limit exceeded: 363855 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 19729 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (19729 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-0579 1 Opencart 1 Opencart 2026-04-15 7.3 High
A vulnerability was found in Shiprocket Module 3/4 on OpenCart. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php?route=extension/shiprocket/module/restapi of the component REST API Module. The manipulation of the argument x-username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12197 2 Stellarwp, Wordpress 2 The Events Calendar, Wordpress 2026-04-15 7.5 High
The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-32786 1 Glpi-project 1 Glpi Inventory 2026-04-15 7.5 High
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.
CVE-2024-2831 2 Kieranoshea, Wordpress 2 Calendar, Wordpress 2026-04-15 8.8 High
The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-55586 2026-04-15 9.8 Critical
Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended behavior.
CVE-2025-2358 2026-04-15 6.3 Medium
A vulnerability was found in Shenzhen Mingyuan Cloud Technology Mingyuan Real Estate ERP System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /Kfxt/Service.asmx of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-40498 1 Puneethreddyhc 1 Online Shopping System Advanced 2026-04-15 9.8 Critical
SQL Injection vulnerability in PuneethReddyHC Online Shopping sysstem advanced v.1.0 allows an attacker to execute arbitrary code via the register.php
CVE-2025-69306 2 Teconcetheme, Wordpress 2 Electio Core, Wordpress 2026-04-15 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Electio Core electio-core allows Blind SQL Injection.This issue affects Electio Core: from n/a through <= 1.4.
CVE-2014-125123 1 Lxcenter 1 Kloxo 2026-04-15 N/A
An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator’s password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014.
CVE-2024-48813 1 Employee Management System Project 1 Employee Management System 2026-04-15 8.8 High
SQL injection vulnerability in employee-management-system-php-and-mysql-free-download.html taskmatic 1.0 allows a remote attacker to execute arbitrary code via the admin_id parameter of the /update-employee.php component.
CVE-2024-6456 1 Aveva 1 Historian 2026-04-15 N/A
AVEVA Historian Server has a vulnerability, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL.
CVE-2025-4665 2 Arshid, Wordpress 2 Wordpress Contact Form Cfdb7, Wordpress 2026-04-15 9.6 Critical
WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully.
CVE-2024-22856 1 Axefinance 1 Axe Credit Portal 2026-04-15 5.4 Medium
A SQL injection vulnerability via the Save Favorite Search function in Axefinance Axe Credit Portal >= v.3.0 allows authenticated attackers to execute unintended queries and disclose sensitive information from DB tables via crafted requests.
CVE-2025-50868 2026-04-15 6.5 Medium
A SQL Injection vulnerability exists in the takeassessment2.php file of CloudClassroom-PHP-Project 1.0. The Q4 POST parameter is not properly sanitized before being used in SQL queries.
CVE-2025-8536 1 Studio Fabryka 1 Dobrycms 2026-04-15 N/A
A SQL injection vulnerability has been identified in DobryCMS. Improper neutralization of input provided by user into language functionality allows for SQL Injection attacks. This issue affects older branches of this software.
CVE-2024-5827 1 Vanna-ai 1 Vanna 2026-04-15 N/A
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
CVE-2024-51482 1 Zoneminder 1 Zoneminder 2026-04-15 10 Critical
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
CVE-2025-69305 2 Teconcetheme, Wordpress 2 Crete Core, Wordpress 2026-04-15 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.This issue affects Crete Core: from n/a through <= 1.4.3.
CVE-2025-34136 1 Commvault 1 Commvault 2026-04-15 N/A
An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.
CVE-2024-33485 1 Casap Automated Enrollment System Project 1 Casap Automated Enrollment System 2026-04-15 9.8 Critical
SQL Injection vulnerability in CASAP Automated Enrollment System using PHP/MySQLi with Source Code V1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the login.php component