Search Results (18853 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-10546 1 Shanghai Gedan Network Technology 1 Teaching 2026-04-15 6.3 Medium
A vulnerability classified as critical was found in open-scratch Teaching 在线教学平台 up to 2.7. This vulnerability affects unknown code of the file /api/sys/ng-alain/getDictItemsByTable/ of the component URL Handler. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-10244 2026-04-15 9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection. This issue affects Web Software: before 3.6.
CVE-2024-3720 2026-04-15 6.3 Medium
A vulnerability has been found in Tianwell Fire Intelligent Command Platform 1.1.1.1 and classified as critical. This vulnerability affects unknown code of the file /mfsNotice/page of the component API Interface. The manipulation of the argument gsdwid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260572.
CVE-2024-46542 1 Veritas 1 Data Insight 2026-04-15 6.5 Medium
Veritas / Arctera Data Insight before 7.1.1 allows Application Administrators to conduct SQL injection attacks.
CVE-2024-7882 1 Special Minds 1 E-commerce 2026-04-15 6.5 Medium
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Special Minds Design and Software e-Commerce allows SQL Injection. This issue affects e-Commerce: before 22.11.2024.
CVE-2025-10712 1 07fly 3 07fly-cms, 07flycms, 07flycrm 2026-04-15 7.3 High
A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This issue affects some unknown processing of the file /index.php/Login/login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-11009 2026-04-15 4.9 Medium
The Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 1.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2019-25260 1 Oxid-esales 1 Eshop 2026-04-15 8.2 High
OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.
CVE-2024-41944 2026-04-15 6.5 Medium
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `sortBy` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
CVE-2021-47708 1 Commax 1 Smart Home System 2026-04-15 N/A
COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending a POST request with malicious 'id' values to manipulate database queries and gain unauthorized access.
CVE-2025-10197 2026-04-15 6.3 Medium
A vulnerability was found in HJSoft HCM Human Resources Management System up to 20250822. Affected by this vulnerability is an unknown functionality of the file /templates/attestation/../../selfservice/lawresource/downlawbase. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-43207 2026-04-15 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Valiano Unite Gallery Lite. This issue affects Unite Gallery Lite: from n/a through 1.7.62.
CVE-2024-12918 2026-04-15 8.8 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Health4All allows SQL Injection. This issue affects Health4All: before 10.01.2025.
CVE-2024-36039 1 Redhat 1 Enterprise Linux 2026-04-15 6.3 Medium
PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.
CVE-2025-14091 2026-04-15 7.3 High
A weakness has been identified in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. This vulnerability affects unknown code of the file /product.php of the component Product Details Page. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-12157 2026-04-15 7.5 High
The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'upc_delete_db_record' AJAX action in all versions up to, and including, 3.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2024-0851 2026-04-15 N/A
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Grup Arge Energy and Control Systems Smartpower allows SQL Injection. This issue affects Smartpower: through V24.05.27.
CVE-2018-25128 2026-04-15 8.2 High
SOCA Access Control System 180612 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through unvalidated POST parameters. Attackers can bypass authentication, retrieve password hashes, and gain administrative access with full system privileges by exploiting injection flaws in Login.php and Card_Edit_GetJson.php.
CVE-2024-49588 1 Oracle 1 Oracle-sidecar 2026-04-15 6.8 Medium
Multiple endpoints in `oracle-sidecar` in versions 0.347.0 to 0.543.0 were found to be vulnerable to SQL injections.
CVE-2025-12914 1 Aapanel 1 Baota 2026-04-15 4.7 Medium
A vulnerability has been found in aaPanel BaoTa up to 11.2.x. This vulnerability affects unknown code of the file /database?action=GetDatabaseAccess of the component Backend. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 11.3.0 is able to resolve this issue. It is recommended to upgrade the affected component.