Total
17681 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1176 | 1 Itsourcecode | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2020-36947 | 1 Librenms | 1 Librenms | 2026-02-02 | N/A | 7.1 HIGH |
| LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. | |||||
| CVE-2026-1545 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1551 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-1589 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-1590 | 1 Angeljudesuarez | 1 School Management System | 2026-02-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2021-47811 | 1 Grocerycrud | 1 Grocery Crud | 2026-02-02 | N/A | 9.1 CRITICAL |
| Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | |||||
| CVE-2025-41375 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint. | |||||
| CVE-2024-6933 | 1 Limesurvey | 1 Limesurvey | 2026-01-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component. | |||||
| CVE-2025-13001 | 1 Kieranoshea | 1 Donations | 2026-01-30 | N/A | 4.1 MEDIUM |
| The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks | |||||
| CVE-2025-13000 | 1 Jimbob1953 | 1 Db-access | 2026-01-30 | N/A | 7.7 HIGH |
| The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks | |||||
| CVE-2022-3689 | 1 Linksoftwarellc | 1 Html Forms | 2026-01-30 | N/A | 7.2 HIGH |
| The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users | |||||
| CVE-2025-69662 | 2026-01-30 | N/A | 8.6 HIGH | ||
| SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. | |||||
| CVE-2025-67261 | 1 Abacre | 1 Retail Point Of Sale | 2026-01-30 | N/A | 6.5 MEDIUM |
| Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | |||||
| CVE-2026-23723 | 1 Wegia | 1 Wegia | 2026-01-30 | N/A | 7.2 HIGH |
| WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | |||||
| CVE-2026-1701 | 2026-01-30 | 7.5 HIGH | 7.3 HIGH | ||
| A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2023-26813 | 1 Wang.market | 1 Wangmarket | 2026-01-30 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in com.xnx3.wangmarket.plugin.dataDictionary.controller.DataDictionaryPluginController.java in wangmarket CMS 4.10 allows remote attackers to run arbitrary SQL commands via the TableName parameter to /plugin/dataDictionary/tableView.do. | |||||
| CVE-2026-24854 | 2026-01-30 | N/A | 8.8 HIGH | ||
| ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. | |||||
| CVE-2026-1688 | 2026-01-30 | 7.5 HIGH | 7.3 HIGH | ||
| A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-4686 | 2026-01-30 | N/A | 8.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection.This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||