Export limit exceeded: 16342 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18617 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9410 | 2 Lostvip, Ruoyi | 2 Ruoyi-go, Ruoyi | 2025-10-06 | 6.3 Medium |
| A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Executing manipulation of the argument isAsc/orderByColumn can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-56407 | 2 Huangdou, Utcms Project | 2 Utcms, Utcms | 2025-10-06 | 8.8 High |
| A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-59939 | 1 Wegia | 1 Wegia | 2025-10-06 | 8.8 High |
| WeGIA is a Web manager for charitable institutions. Prior to version 3.5.0, WeGIA is vulnerable to SQL Injection attacks in the control.php endpoint with the following parameters: nomeClasse=ProdutoControle&metodo=excluir&id_produto=[malicious command]. It is necessary to apply prepared statements methods, sanitization, and validations on theid_produto parameter. This issue has been patched in version 3.5.0. | ||||
| CVE-2025-40636 | 1 Joomla | 3 Joomla, Joomla!, Mod Vvisit Counter | 2025-10-06 | N/A |
| SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits. | ||||
| CVE-2025-10692 | 1 Opensupports | 1 Opensupports | 2025-10-06 | N/A |
| The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0. | ||||
| CVE-2025-26390 | 1 Siemens | 4 Ozw672, Ozw672 Firmware, Ozw772 and 1 more | 2025-10-03 | 9.8 Critical |
| A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). The web service of affected devices is vulnerable to SQL injection when checking authentication data. This could allow an unauthenticated remote attacker to bypass the check and authenticate as Administrator user. | ||||
| CVE-2025-11053 | 1 Phpgurukul | 1 Small Crm | 2025-10-03 | 7.3 High |
| A weakness has been identified in PHPGurukul Small CRM 4.0. This affects an unknown function of the file /forgot-password.php. Executing manipulation of the argument email can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2023-42807 | 1 Frappe | 1 Learning | 2025-10-03 | 6.3 Medium |
| Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app. | ||||
| CVE-2014-2351 | 1 Controlsystemworks | 1 Csworks | 2025-10-03 | N/A |
| SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests. | ||||
| CVE-2025-52043 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter. | ||||
| CVE-2025-52047 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter. | ||||
| CVE-2025-52049 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter. | ||||
| CVE-2025-52050 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter. | ||||
| CVE-2025-52039 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter. | ||||
| CVE-2025-52040 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type parameter. | ||||
| CVE-2025-52041 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter. | ||||
| CVE-2025-52042 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter. | ||||
| CVE-2025-56380 | 1 Frappe | 2 Erpnext, Frappe | 2025-10-03 | 6.5 Medium |
| Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter | ||||
| CVE-2025-56381 | 2 Erpnext, Frappe | 3 Erpnext, Erpnext, Frappe | 2025-10-03 | 6.5 Medium |
| ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters. | ||||
| CVE-2025-11066 | 2 Code-projects, Fabian | 2 Online Bidding System, Online Bidding System | 2025-10-03 | 7.3 High |
| A flaw has been found in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/bidlist.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | ||||