Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4151 | 1 Contest-gallery | 1 Contest Gallery | 2025-04-14 | N/A | 6.5 MEDIUM |
| The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. | |||||
| CVE-2022-45889 | 1 Planetestream | 1 Planet Estream | 2025-04-14 | N/A | 7.2 HIGH |
| Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter). | |||||
| CVE-2020-24600 | 1 Capexweb Project | 1 Capexweb | 2025-04-14 | N/A | 9.8 CRITICAL |
| Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request. | |||||
| CVE-2025-2927 | 1 Esafenet | 1 Cdg | 2025-04-14 | N/A | 9.8 CRITICAL |
| A vulnerability was found in ESAFENET CDG 5.6.3.154.205. It has been classified as critical. Affected is an unknown function of the file /parameter/getFileTypeList.jsp. The manipulation of the argument typename leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-4161 | 1 Contest-gallery | 1 Contest Gallery | 2025-04-14 | N/A | 6.5 MEDIUM |
| The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. | |||||
| CVE-2025-3559 | 2025-04-14 | N/A | 6.3 MEDIUM | ||
| A vulnerability has been found in ghostxbh uzy-ssm-mall 1.0.0 and classified as critical. This vulnerability affects the function ForeProductListController of the file /mall/product/0/20. The manipulation of the argument orderBy leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3553 | 2025-04-14 | N/A | 6.3 MEDIUM | ||
| A vulnerability was found in phpshe 1.8. It has been declared as critical. This vulnerability affects the function pe_delete of the file /admin.php?mod=brand&act=del. The manipulation of the argument brand_id[] leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3534 | 2025-04-13 | N/A | 6.3 MEDIUM | ||
| A vulnerability, which was classified as critical, was found in PowerCreator CMS 1.0. Affected is an unknown function of the file /OpenPublicCourse.aspx. The manipulation of the argument cid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-44137 | 1 Sanitization Management System Project | 1 Sanitization Management System | 2025-04-11 | N/A | 7.2 HIGH |
| SourceCodester Sanitization Management System 1.0 is vulnerable to SQL Injection. | |||||
| CVE-2022-46763 | 2 Microsoft, Trueconf | 2 Windows, Server | 2025-04-11 | N/A | 8.8 HIGH |
| A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code. | |||||
| CVE-2025-1381 | 1 Code-projects | 1 Real Estate Property Management System | 2025-04-11 | N/A | 7.5 HIGH |
| A vulnerability was found in code-projects Real Estate Property Management System 1.0. It has been classified as critical. This affects an unknown part of the file /ajax_city.php. The manipulation of the argument CityName leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-46764 | 2 Microsoft, Trueconf | 2 Windows, Server | 2025-04-11 | N/A | 9.8 CRITICAL |
| A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution. | |||||
| CVE-2025-2831 | 1 Mingyuefusu | 1 Library Management System | 2025-04-11 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in mingyuefusu ???? tushuguanlixitong ?????? up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. This vulnerability affects the function getBookList of the file /admin/bookList?page=1&limit=10. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-46442 | 1 Dedecms | 1 Dedecms | 2025-04-11 | N/A | 9.8 CRITICAL |
| dedecms <=V5.7.102 is vulnerable to SQL Injection. In sys_ sql_ n query.php there are no restrictions on the sql query. | |||||
| CVE-2024-20360 | 1 Cisco | 1 Secure Firewall Management Center | 2025-04-11 | N/A | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials. | |||||
| CVE-2023-28424 | 1 Gentoo | 1 Soko | 2025-04-11 | N/A | 9.8 CRITICAL |
| Soko if the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection via the `q` parameter. As a result, unauthenticated attackers can execute arbitrary SQL queries on `https://packages.gentoo.org/`. It was also demonstrated that primitive was enough to gain code execution in the context of the PostgreSQL container. The issue was addressed in commit `4fa6e4b619c0362728955b6ec56eab0e0cbf1e23y` of version 1.0.2 using prepared statements to interpolate user-controlled data in SQL queries. | |||||
| CVE-2024-2586 | 1 Amss\+\+ Project | 1 Amss\+\+ | 2025-04-11 | N/A | 7.5 HIGH |
| Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/index.php, in the 'username' parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB. | |||||
| CVE-2024-2584 | 1 Amss\+\+ Project | 1 Amss\+\+ | 2025-04-11 | N/A | 7.5 HIGH |
| Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/modules/book/main/select_send.php, in the 'sd_index' parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB. | |||||
| CVE-2022-34324 | 1 Sage | 1 Sage Xrt Business Exchange | 2025-04-11 | N/A | 8.8 HIGH |
| Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History. | |||||
| CVE-2025-2128 | 2025-04-11 | N/A | 6.5 MEDIUM | ||
| The Cost Calculator Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_ids’ parameter in all versions up to, and including, 3.2.67 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||