Total
17695 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41004 | 2026-01-13 | N/A | N/A | ||
| Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter. | |||||
| CVE-2025-13774 | 2026-01-13 | N/A | 8.8 HIGH | ||
| A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | |||||
| CVE-2025-41006 | 2026-01-13 | N/A | N/A | ||
| Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’. | |||||
| CVE-2026-0501 | 2026-01-13 | N/A | 9.9 CRITICAL | ||
| Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. | |||||
| CVE-2023-33945 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | N/A | 6.4 MEDIUM |
| SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is only exploitable when chained with other attacks. To exploit this vulnerability, the attacker must modify the database and wait for the application to be upgraded. | |||||
| CVE-2019-25221 | 1 I13websolution | 1 Responsive Filterable Portfolio | 2026-01-12 | N/A | 6.5 MEDIUM |
| The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-63724 | 1 Radioinorr | 1 Svx Portal | 2026-01-12 | N/A | 6.0 MEDIUM |
| SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. | |||||
| CVE-2026-0699 | 1 Carmelo | 1 Intern Membership Management System | 2026-01-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | |||||
| CVE-2026-0700 | 1 Carmelo | 1 Intern Membership Management System | 2026-01-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-22242 | 1 Coreshop | 1 Coreshop | 2026-01-12 | N/A | 4.9 MEDIUM |
| CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8. | |||||
| CVE-2026-0607 | 1 Fabian | 1 Online Music Site | 2026-01-12 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2026-0606 | 1 Fabian | 1 Online Music Site | 2026-01-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | |||||
| CVE-2026-0605 | 1 Fabian | 1 Online Music Site | 2026-01-12 | 7.5 HIGH | 7.3 HIGH |
| A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-65125 | 1 Gosaliajainam | 1 Online-movie-booking | 2026-01-12 | N/A | 9.8 CRITICAL |
| SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. | |||||
| CVE-2024-56158 | 1 Xwiki | 1 Xwiki | 2026-01-12 | N/A | 9.8 CRITICAL |
| XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. | |||||
| CVE-2023-34976 | 1 Qnap | 1 Video Station | 2026-01-12 | N/A | 10.0 CRITICAL |
| A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.0 ( 2023/07/27 ) and later | |||||
| CVE-2023-34975 | 1 Qnap | 1 Video Station | 2026-01-12 | N/A | 6.6 MEDIUM |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later | |||||
| CVE-2026-0568 | 1 Fabian | 1 Online Music Site | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2026-0569 | 1 Fabian | 1 Online Music Site | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-0570 | 1 Fabian | 1 Online Music Site | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Frontend/Feedback.php. Performing manipulation of the argument fname results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | |||||