Total
17576 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23723 | 1 Wegia | 1 Wegia | 2026-01-19 | 7.2 High |
| WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | ||||
| CVE-2025-12984 | 2 Monetizemore, Wordpress | 2 Advanced Ads, Wordpress | 2026-01-19 | 4.9 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-1059 | 1 Feminor | 1 Wms | 2026-01-19 | 7.3 High |
| A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-1119 | 1 Itsourcecode | 1 Society Management System | 2026-01-19 | 7.3 High |
| A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2026-1118 | 1 Itsourcecode | 1 Society Management System | 2026-01-19 | 6.3 Medium |
| A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2021-47811 | 1 Grocerycrud | 1 Grocery Crud | 2026-01-16 | 8.2 High |
| Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | ||||
| CVE-2025-61246 | 1 Indieka900 | 2 Online-shopping-system-php, Online Shopping System | 2026-01-16 | 9.8 Critical |
| indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter. | ||||
| CVE-2021-24863 | 1 Billminozzi | 1 Stop Bad Bots | 2026-01-16 | 9.8 Critical |
| The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection | ||||
| CVE-2021-24727 | 1 Billminozzi | 1 Stop Bad Bots | 2026-01-16 | 8.8 High |
| The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections | ||||
| CVE-2023-54163 | 3 Google, Nlb, Nlb Banka Ad Skopje | 3 Android, Mklik Makedonija, Nlb Mklik Makedonija | 2026-01-16 | 7.5 High |
| NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application. | ||||
| CVE-2023-53982 | 1 Sigb | 1 Pmb | 2026-01-16 | 7.5 High |
| PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks. | ||||
| CVE-2023-53960 | 1 Sound4 | 18 Big Voice2, Big Voice2 Firmware, Big Voice4 and 15 more | 2026-01-16 | 9.8 Critical |
| SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parameter to bypass authentication and potentially gain unauthorized access to the system. | ||||
| CVE-2022-50694 | 1 Sound4 | 21 Big Voice2, Big Voice2 Firmware, Big Voice4 and 18 more | 2026-01-16 | 9.8 Critical |
| SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information. | ||||
| CVE-2025-69991 | 1 Phpgurukul | 2 News Portal, News Portal Project | 2026-01-16 | 9.8 Critical |
| phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php. | ||||
| CVE-2025-51567 | 2 Jayesh, Kashipara | 2 Online Exam System, Online Exam System | 2026-01-16 | 9.1 Critical |
| A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request. | ||||
| CVE-2025-12166 | 2 Croixhaug, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-01-16 | 7.5 High |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-67082 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-16 | 6.5 Medium |
| An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | ||||
| CVE-2025-67081 | 1 Itflow | 1 Itflow | 2026-01-16 | 4.9 Medium |
| An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing on integer parameter. | ||||
| CVE-2021-47763 | 1 Aimeos | 1 Aimeos Laravel Ecommerce Platform | 2026-01-16 | 8.2 High |
| Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | ||||
| CVE-2021-47766 | 1 Levelprograms | 1 Kmaleon | 2026-01-16 | 7.1 High |
| Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information. | ||||