Export limit exceeded: 18621 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18621 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-4445 | 1 Armandofiore | 1 Fl3r Feelbox | 2025-10-07 | 9.8 Critical |
| The FL3R FeelBox WordPress plugin through 8.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | ||||
| CVE-2024-56804 | 1 Qnap | 1 Video Station | 2025-10-07 | 8.8 High |
| An SQL injection vulnerability has been reported to affect Video Station. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.4 and later | ||||
| CVE-2025-8806 | 1 Zhilink | 2 Adp Application Developer Platform, Application Developer Platform | 2025-10-06 | 6.3 Medium |
| A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. It has been classified as critical. This affects an unknown part of the file /adpweb/a/sys/office/treeData. The manipulation of the argument extId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11319 | 1 Nahiduddinahammed | 1 Hospital Management System | 2025-10-06 | 6.3 Medium |
| A weakness has been identified in nahiduddinahammed Hospital-Management-System-Website up to e6562429e14b2f88bd2139cae16e87b965024097. This issue affects some unknown processing of the file /delete.php. This manipulation of the argument ai causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9410 | 2 Lostvip, Ruoyi | 2 Ruoyi-go, Ruoyi | 2025-10-06 | 6.3 Medium |
| A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Executing manipulation of the argument isAsc/orderByColumn can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-56407 | 2 Huangdou, Utcms Project | 2 Utcms, Utcms | 2025-10-06 | 8.8 High |
| A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/mysql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-59939 | 1 Wegia | 1 Wegia | 2025-10-06 | 8.8 High |
| WeGIA is a Web manager for charitable institutions. Prior to version 3.5.0, WeGIA is vulnerable to SQL Injection attacks in the control.php endpoint with the following parameters: nomeClasse=ProdutoControle&metodo=excluir&id_produto=[malicious command]. It is necessary to apply prepared statements methods, sanitization, and validations on theid_produto parameter. This issue has been patched in version 3.5.0. | ||||
| CVE-2025-40636 | 1 Joomla | 3 Joomla, Joomla!, Mod Vvisit Counter | 2025-10-06 | N/A |
| SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits. | ||||
| CVE-2025-10692 | 1 Opensupports | 1 Opensupports | 2025-10-06 | N/A |
| The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0. | ||||
| CVE-2025-26390 | 1 Siemens | 4 Ozw672, Ozw672 Firmware, Ozw772 and 1 more | 2025-10-03 | 9.8 Critical |
| A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). The web service of affected devices is vulnerable to SQL injection when checking authentication data. This could allow an unauthenticated remote attacker to bypass the check and authenticate as Administrator user. | ||||
| CVE-2025-11053 | 1 Phpgurukul | 1 Small Crm | 2025-10-03 | 7.3 High |
| A weakness has been identified in PHPGurukul Small CRM 4.0. This affects an unknown function of the file /forgot-password.php. Executing manipulation of the argument email can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2023-42807 | 1 Frappe | 1 Learning | 2025-10-03 | 6.3 Medium |
| Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app. | ||||
| CVE-2014-2351 | 1 Controlsystemworks | 1 Csworks | 2025-10-03 | N/A |
| SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests. | ||||
| CVE-2025-52043 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter. | ||||
| CVE-2025-52047 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter. | ||||
| CVE-2025-52049 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter. | ||||
| CVE-2025-52050 | 1 Frappe | 1 Erpnext | 2025-10-03 | 6.5 Medium |
| In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter. | ||||
| CVE-2025-52039 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter. | ||||
| CVE-2025-52040 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker can extract all information from databases by injecting a SQL query into the blanket_order_type parameter. | ||||
| CVE-2025-52041 | 1 Frappe | 1 Erpnext | 2025-10-03 | 8.2 High |
| In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter. | ||||