Export limit exceeded: 18421 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (18421 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14770 | 1 Wordpress | 1 Wordpress | 2026-01-15 | 7.5 High |
| The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-67255 | 1 Nagios | 2 Nagios Xi, Xi | 2026-01-15 | 8.8 High |
| In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. | ||||
| CVE-2025-14254 | 2 Galaxy Software Services Corporation, Gss | 2 Vitals Esp, Vitalsesp | 2026-01-15 | 6.5 Medium |
| Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | ||||
| CVE-2025-14255 | 2 Galaxy Software Services Corporation, Gss | 2 Vitals Esp, Vitalsesp | 2026-01-15 | 6.5 Medium |
| Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | ||||
| CVE-2025-59922 | 1 Fortinet | 1 Forticlientems | 2026-01-14 | 6.8 Medium |
| An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | ||||
| CVE-2025-15392 | 2 Kodicms-kohana, Kohana | 2 Kodicms, Kodicms | 2026-01-14 | 6.3 Medium |
| A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-54340 | 1 Workorder | 1 Workorder Cms | 2026-01-14 | 8.2 High |
| WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands. | ||||
| CVE-2024-54026 | 1 Fortinet | 3 Fortisandbox, Fortisandbox Cloud, Fortisandboxcloud | 2026-01-14 | 4.1 Medium |
| An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | ||||
| CVE-2025-67147 | 2026-01-13 | 9.8 Critical | ||
| Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. | ||||
| CVE-2025-41006 | 1 Imaster | 1 Mems Events Crm | 2026-01-13 | N/A |
| Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’. | ||||
| CVE-2025-41004 | 1 Imaster | 1 Patient Record Management System | 2026-01-13 | N/A |
| Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter. | ||||
| CVE-2025-41005 | 1 Imaster | 1 Mems Events Crm | 2026-01-13 | N/A |
| Imaster's MEMS Events CRM contains an SQL injection vulnerability in‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’. | ||||
| CVE-2023-33945 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | 6.4 Medium |
| SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded. | ||||
| CVE-2019-25221 | 1 I13websolution | 1 Responsive Filterable Portfolio | 2026-01-12 | 6.5 Medium |
| The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-63724 | 2 Meeco, Radioinorr | 2 Svx Portal, Svx Portal | 2026-01-12 | 6 Medium |
| SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. | ||||
| CVE-2026-22242 | 1 Coreshop | 1 Coreshop | 2026-01-12 | 4.9 Medium |
| CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8. | ||||
| CVE-2025-65125 | 1 Gosaliajainam | 1 Online-movie-booking | 2026-01-12 | 9.8 Critical |
| SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. | ||||
| CVE-2024-56158 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2026-01-12 | 9.8 Critical |
| XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. | ||||
| CVE-2023-34976 | 1 Qnap | 1 Video Station | 2026-01-12 | 10 Critical |
| A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.0 ( 2023/07/27 ) and later | ||||
| CVE-2023-34975 | 1 Qnap | 1 Video Station | 2026-01-12 | 6.6 Medium |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later | ||||