Total
17576 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41006 | 1 Imaster | 1 Mems Events Crm | 2026-01-13 | N/A |
| Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’. | ||||
| CVE-2025-41005 | 1 Imaster | 1 Mems Events Crm | 2026-01-13 | N/A |
| Imaster's MEMS Events CRM contains an SQL injection vulnerability in‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’. | ||||
| CVE-2026-22687 | 1 Tencent | 1 Weknora | 2026-01-13 | 8.1 High |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. | ||||
| CVE-2025-65091 | 1 Xwiki | 1 Xwiki | 2026-01-13 | 10 Critical |
| XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | ||||
| CVE-2026-0843 | 2026-01-13 | 6.3 Medium | ||
| A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-41004 | 1 Imaster | 1 Patient Record Management System | 2026-01-13 | N/A |
| Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter. | ||||
| CVE-2023-33945 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | 6.4 Medium |
| SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded. | ||||
| CVE-2019-25221 | 1 I13websolution | 1 Responsive Filterable Portfolio | 2026-01-12 | 6.5 Medium |
| The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-63724 | 2 Meeco, Radioinorr | 2 Svx Portal, Svx Portal | 2026-01-12 | 6 Medium |
| SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. | ||||
| CVE-2026-0699 | 2 Carmelo, Code-projects | 2 Intern Membership Management System, Intern Membership Management System | 2026-01-12 | 4.7 Medium |
| A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | ||||
| CVE-2026-0700 | 2 Carmelo, Code-projects | 2 Intern Membership Management System, Intern Membership Management System | 2026-01-12 | 7.3 High |
| A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-22242 | 1 Coreshop | 1 Coreshop | 2026-01-12 | 4.9 Medium |
| CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8. | ||||
| CVE-2026-0607 | 2 Code-projects, Fabian | 2 Online Music Site, Online Music Site | 2026-01-12 | 7.3 High |
| A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | ||||
| CVE-2026-0606 | 2 Code-projects, Fabian | 2 Online Music Site, Online Music Site | 2026-01-12 | 7.3 High |
| A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2026-0605 | 2 Code-projects, Fabian | 2 Online Music Site, Online Music Site | 2026-01-12 | 7.3 High |
| A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-65125 | 1 Gosaliajainam | 1 Online-movie-booking | 2026-01-12 | 9.8 Critical |
| SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. | ||||
| CVE-2024-56158 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2026-01-12 | 9.8 Critical |
| XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. | ||||
| CVE-2023-34976 | 1 Qnap | 1 Video Station | 2026-01-12 | 10 Critical |
| A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.0 ( 2023/07/27 ) and later | ||||
| CVE-2023-34975 | 1 Qnap | 1 Video Station | 2026-01-12 | 6.6 Medium |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later | ||||
| CVE-2026-0568 | 2 Code-projects, Fabian | 2 Online Music Site, Online Music Site | 2026-01-09 | 7.3 High |
| A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | ||||