Export limit exceeded: 19840 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19840 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9339 | 1 Simple Sa | 1 Simple.erp | 2026-04-15 | N/A |
| SQL injection vulnerability in the fields of warehouse document filtering form in SIMPLE.ERP software allows logged-in user a malicious query injection. Potential exploitation is limited by the 20-character limit in form fields. Identified use case allows to delete tables with a name of maximum 6 characters. We weren't able to identify a way to exfiltrate data within query character limit. This issue affects SIMPLE.ERP in versions before 6.30@a04.3. | ||||
| CVE-2024-5827 | 1 Vanna-ai | 1 Vanna | 2026-04-15 | N/A |
| Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors. | ||||
| CVE-2024-33292 | 1 Realisation | 1 Mgsd | 2026-04-15 | 8.2 High |
| SQL Injection vulnerability in Realisation MGSD v.1.0 allows a remote attacker to obtain sensitive information via the id parameter. | ||||
| CVE-2025-62173 | 1 Freepbx | 1 Freepbx | 2026-04-15 | N/A |
| ## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | ||||
| CVE-2025-1156 | 2026-04-15 | 7.3 High | ||
| A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login. The manipulation of the argument usuario leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4510 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in Changjietong UFIDA CRM 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /optnty/optntyday.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-41618 | 1 Moneymanagerex | 1 Money Manager Ex Webapp | 2026-04-15 | 9.8 Critical |
| Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to SQL Injection in the `transaction_delete_group` function. The vulnerability is due to improper sanitization of user input in the `TrDeleteArr` parameter, which is directly incorporated into an SQL query. | ||||
| CVE-2020-37035 | 1 Amitkolloldey | 1 E-learning Script | 2026-04-15 | 8.2 High |
| e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information. | ||||
| CVE-2025-59920 | 1 Systems At Work | 1 Time At Work | 2026-04-15 | N/A |
| When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database. | ||||
| CVE-2024-1711 | 1 Mediavine | 1 Create | 2026-04-15 | 9.8 Critical |
| The Create by Mediavine plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.9.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-43415 | 1 Decidim International Community Environment | 1 Decidim-module-decidim Awesome | 2026-04-15 | 9 Critical |
| An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write files or execute commands. | ||||
| CVE-2024-48465 | 1 Mrbs | 1 Mrbs | 2026-04-15 | 9.8 Critical |
| The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter | ||||
| CVE-2024-36039 | 1 Redhat | 1 Enterprise Linux | 2026-04-15 | 6.3 Medium |
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict. | ||||
| CVE-2024-33272 | 1 Prestashop | 1 Prestashop | 2026-04-15 | 6.8 Medium |
| SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components. | ||||
| CVE-2025-41009 | 1 Disenno De Recursos Educativos | 1 Virtual Campus Platform | 2026-04-15 | N/A |
| SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’. | ||||
| CVE-2024-3342 | 2026-04-15 | 9.9 Critical | ||
| The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to SQL Injection via the 'events' attribute of the 'mp-timetable' shortcode in all versions up to, and including, 2.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-2831 | 2 Kieranoshea, Wordpress | 2 Calendar, Wordpress | 2026-04-15 | 8.8 High |
| The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-6748 | 2026-04-15 | 8.3 High | ||
| Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. | ||||
| CVE-2023-45256 | 1 Prestashop | 1 Prestashop | 2026-04-15 | 5.4 Medium |
| Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or callback.php. | ||||
| CVE-2024-28297 | 1 Azursoft | 1 Myhorus | 2026-04-15 | 7.5 High |
| SQL injection vulnerability in AzureSoft MyHorus 4.3.5 allows authenticated users to execute arbitrary SQL commands via unspecified vectors. | ||||