Export limit exceeded: 19721 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (19721 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-4466 2026-04-15 9.8 Critical
SQL injection vulnerability in Gescen on the centrosdigitales.net platform. This vulnerability allows an attacker to send a specially crafted SQL query to the pass parameter and retrieve all the data stored in the database.
CVE-2024-7827 1 Wpeasycart 1 Shopping Cart \& Ecommerce Store 2026-04-15 8.8 High
The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to boolean-based SQL Injection via the ‘model_number’ parameter in all versions up to, and including, 5.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-34993 2026-04-15 6.3 Medium
In the module "Bulk Export products to Google Merchant-Google Shopping" (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection via`GenerateCategories::renderCategories().
CVE-2024-34994 2026-04-15 9.8 Critical
In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`.
CVE-2025-41028 1 Grupo Castilla 1 Epsilon Rh 2026-04-15 N/A
A SQL Injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete database via sending a POST request using the parameter ‘sEstadoUsr’ in ‘/epsilonnetws/WSAvisos.asmx’.
CVE-2025-41002 1 Manantial De Ideas 1 Infoticketing 2026-04-15 N/A
SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.
CVE-2024-45600 2026-04-15 7.7 High
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13.
CVE-2023-53734 1 Mayurik 1 Best Pharmacy Billing Software 2026-04-15 N/A
dawa-pharma-1.0 allows unauthenticated attackers to execute SQL queries on the server, allowing them to access sensitive information and potentially gain administrative access.
CVE-2024-28816 1 Aaravrajsingh 1 Chatbot 2026-04-15 7.1 High
Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php.
CVE-2024-29732 2026-04-15 9.8 Critical
A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via "user" parameter.
CVE-2024-5753 1 Vanna-ai 1 Vanna 2026-04-15 N/A
vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API.
CVE-2025-9238 2026-04-15 7.3 High
A vulnerability was determined in Swatadru Exam-Seating-Arrangement up to 97335ccebf95468d92525f4255a2241d2b0b002f. Affected is an unknown function of the file /student.php of the component Student Login. Executing manipulation of the argument email can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-14259 1 Jihai 1 Jshop Miniprogram Mall System 2026-04-15 6.3 Medium
A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument cat_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-32872 2026-04-15 5.5 Medium
Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.
CVE-2024-5771 2026-04-15 6.3 Medium
A vulnerability classified as critical was found in LabVantage LIMS 2017. This vulnerability affects unknown code of the file /labvantage/rc?command=page&page=SampleList&_iframename=list of the component POST Request Handler. The manipulation of the argument param1 leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-267454 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-33269 1 Communitydeveloper 1 Prestaddons Flashsales 2026-04-15 9.8 Critical
SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method.
CVE-2024-33272 1 Prestashop 1 Prestashop 2026-04-15 6.8 Medium
SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components.
CVE-2024-33273 2026-04-15 9.8 Critical
SQL injection vulnerability in shipup before v.3.3.0 allows a remote attacker to escalate privileges via the getShopID function.
CVE-2024-33275 1 Webbax 1 Supernewsletter 2026-04-15 9.8 Critical
SQL injection vulnerability in Webbax supernewsletter v.1.4.21 and before allows a remote attacker to escalate privileges via the Super Newsletter module in the product_search.php components.
CVE-2024-33276 1 Prestashop 1 Prestashop 2026-04-15 9.8 Critical
SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.