Export limit exceeded: 18353 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18353 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-29081 | 1 Frappe | 1 Frappe | 2026-03-09 | 6.5 Medium |
| Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100.0. | ||||
| CVE-2026-30860 | 1 Tencent | 1 Weknora | 2026-03-09 | 10 Critical |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution (RCE) vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within PostgreSQL array expressions and row expressions, allowing attackers to bypass SQL injection protections. By smuggling dangerous PostgreSQL functions inside these expressions and chaining them with large object operations and library loading capabilities, an unauthenticated attacker can achieve arbitrary code execution on the database server with database user privileges. This issue has been patched in version 0.2.12. | ||||
| CVE-2026-27373 | 2 Essekia, Wordpress | 2 Tablesome, Wordpress | 2026-03-09 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Essekia Tablesome tablesome allows Blind SQL Injection.This issue affects Tablesome: from n/a through <= 1.2.3. | ||||
| CVE-2018-25192 | 1 Sourceforge | 1 Gps Tracking System | 2026-03-09 | 8.2 High |
| GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials. | ||||
| CVE-2019-25503 | 1 Blondish | 1 Phpads | 2026-03-09 | 7.1 High |
| PHPads 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bannerID parameter in click.php3. Attackers can submit crafted bannerID values using SQL comment syntax and functions like extractvalue to extract sensitive database information such as the current database name. | ||||
| CVE-2018-25191 | 1 Obedalvarado | 1 Facturation System | 2026-03-09 | 7.1 High |
| Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. Attackers can send POST requests to the editar_producto.php endpoint with crafted SQL payloads in the mod_id parameter to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2019-25505 | 1 Bdtask | 1 Tradebox | 2026-03-09 | 7.1 High |
| Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthly_deposit endpoint with malicious symbol values using boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information. | ||||
| CVE-2018-25197 | 1 Playjoom | 1 Playjoom | 2026-03-09 | 8.2 High |
| PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with option=com_playjoom&view=genre&catid=[SQL] to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2018-25196 | 1 Serverzilla | 1 Serverzilla | 2026-03-09 | 8.2 High |
| ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to reset.php with malicious email values containing SQL operators to bypass authentication and extract sensitive database information. | ||||
| CVE-2019-25506 | 2 Freesms, Freesms Project | 2 Freesms, Freesms | 2026-03-09 | 8.2 High |
| FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function. | ||||
| CVE-2025-66678 | 1 Faintsnow | 2 Hardware Read \& Write Utility, Nil Hardware Editor Hardware Read & Write Utility | 2026-03-09 | 9.8 Critical |
| An issue in the HwRwDrv.sys component of Nil Hardware Editor Hardware Read & Write Utility v1.25.11.26 and earlier allows attackers to execute arbitrary read and write operations via a crafted request. | ||||
| CVE-2025-66944 | 2 Databasir, Vran-dev | 2 Databasir, Databaseir | 2026-03-09 | 9.8 Critical |
| SQL Injection vulnerability in vran-dev databaseir v.1.0.7 and before allows a remote attacker to execute arbitrary code via the query parameter in the search API endpoint | ||||
| CVE-2026-3616 | 1 Defaultfuction | 1 Jeson Customer Relationship Management System | 2026-03-09 | 6.3 Medium |
| A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modules/customers/edit.php. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The patch is named f0e991870e9d33701cca3a1d0fd4eec135af01a6. It is suggested to install a patch to address this issue. | ||||
| CVE-2018-25161 | 1 Warrantytrack | 1 Warranty Tracking System | 2026-03-09 | 8.2 High |
| Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL queries by injecting malicious code through the txtCustomerCode, txtCustomerName, and txtPhone POST parameters in SearchCustomer.php. Attackers can submit crafted SQL statements using UNION SELECT to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2018-25173 | 1 Sms | 1 Rmedia Sms | 2026-03-09 | 8.2 High |
| Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the gid parameter. Attackers can send GET requests to editgrp.php with malicious gid values using EXTRACTVALUE and CONCAT functions to retrieve schema names and sensitive database data. | ||||
| CVE-2018-25175 | 1 Alienor | 1 Alienor Web Libre | 2026-03-09 | 8.2 High |
| Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the identifiant parameter. Attackers can submit crafted POST requests to index.php with SQL injection payloads in the identifiant field to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2026-27428 | 2 Eagle-themes, Wordpress | 2 Eagle Booking, Wordpress | 2026-03-09 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eagle-Themes Eagle Booking eagle-booking allows SQL Injection.This issue affects Eagle Booking: from n/a through <= 1.3.4.3. | ||||
| CVE-2025-15344 | 1 Tanium | 2 Asset, Service Asset | 2026-03-09 | 6.3 Medium |
| Tanium addressed a SQL injection vulnerability in Asset. | ||||
| CVE-2025-7631 | 1 Tumeva Internet Technologies Software Information Advertising And Consulting Services Trade Ltd. Co. | 1 Tumeva News Software | 2026-03-09 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software allows SQL Injection.This issue affects Tumeva Prime News Software: from v.1.0.1 before v1.0.2. | ||||
| CVE-2025-15127 | 1 Fantasticlbp | 1 Hotels Server | 2026-03-08 | 7.3 High |
| A security vulnerability has been detected in FantasticLBP Hotels_Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. Affected by this issue is some unknown functionality of the file /controller/api/Room.php. Such manipulation of the argument hotelId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The vendor was contacted early about this disclosure but did not respond in any way. | ||||