Export limit exceeded: 19010 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19010 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13676 | 2026-04-15 | 6.5 Medium | ||
| The Categorized Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'field' attribute of the 'image_gallery' shortcode in all versions up to, and including, 2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-13320 | 2 Villatheme, Wordpress | 2 Curcy - Woocommerce Multi Currency - Currency Switcher, Wordpress | 2026-04-15 | 7.5 High |
| The CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress is vulnerable to SQL Injection via the 'wc_filter_price_meta[where]' parameter in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-13152 | 2026-04-15 | 10 Critical | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection.This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0. | ||||
| CVE-2024-13184 | 2026-04-15 | 7.5 High | ||
| The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-0214 | 1 Opencart | 1 Opencart | 2026-04-15 | 4.1 Medium |
| A vulnerability was found in TMD Custom Header Menu 4.0.0.1 on OpenCart. It has been rated as problematic. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument headermenu_id leads to sql injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2025-10967 | 2026-04-15 | 7.3 High | ||
| A vulnerability was detected in MuFen-mker PHP-Usermm up to 37f2d24e51b04346dfc565b93fc2fc6b37bdaea9. This affects an unknown part of the file /chkuser.php. Performing manipulation of the argument Username results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-41009 | 1 Disenno De Recursos Educativos | 1 Virtual Campus Platform | 2026-04-15 | N/A |
| SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’. | ||||
| CVE-2025-41019 | 1 Sergestec | 1 Systick | 2026-04-15 | N/A |
| SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'. | ||||
| CVE-2025-11020 | 3 Linux, Markany, Microsoft | 3 Linux, Safepc Enterprise, Windows | 2026-04-15 | 8.8 High |
| An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*. | ||||
| CVE-2024-8161 | 1 Ciges | 1 Cigesv2 | 2026-04-15 | 9.8 Critical |
| SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information stored in the database. | ||||
| CVE-2025-41028 | 1 Grupo Castilla | 1 Epsilon Rh | 2026-04-15 | N/A |
| A SQL Injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete database via sending a POST request using the parameter ‘sEstadoUsr’ in ‘/epsilonnetws/WSAvisos.asmx’. | ||||
| CVE-2025-15439 | 1 Daptin | 1 Daptin | 2026-04-15 | 6.3 Medium |
| A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1537 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability was found in Harpia DiagSystem 12. It has been rated as critical. This issue affects some unknown processing of the file /diagsystem/PACS/atualatendimento_jpeg.php. The manipulation of the argument codexame leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3096 | 2026-04-15 | N/A | ||
| Clinic’s Patient Management System versions 2.0 suffers from a SQL injection vulnerability in the login page. | ||||
| CVE-2025-1535 | 2026-04-15 | 7.3 High | ||
| A vulnerability was found in Baiyi Cloud Asset Management System 8.142.100.161. It has been classified as critical. This affects an unknown part of the file /wuser/admin.ticket.close.php. The manipulation of the argument ticket_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14568 | 1 Stock Management System Project | 1 Stock Management System | 2026-04-15 | 6.3 Medium |
| A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employee_id/id/admin leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-8055 | 1 Vanna-ai | 1 Vanna | 2026-04-15 | N/A |
| Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, such as `/etc/passwd`, by exploiting the exposed SQL queries through a Python Flask API. | ||||
| CVE-2024-7837 | 1 Firmanet | 1 Erp | 2026-04-15 | 8.2 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection.This issue affects ERP: through 22.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-7827 | 1 Wpeasycart | 1 Shopping Cart \& Ecommerce Store | 2026-04-15 | 8.8 High |
| The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to boolean-based SQL Injection via the ‘model_number’ parameter in all versions up to, and including, 5.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-4686 | 1 Kodmatic | 1 Online Exam And Assessment | 2026-04-15 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection.This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||