Search Results (19618 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-39438 | 2 Emraan Cheema, Wordpress | 2 Listingpro, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions. |
| CVE-2026-49080 | 2 Tms, Wordpress | 2 Wpdatatables, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions. |
| CVE-2025-69135 | 2 Curlythemes, Wordpress | 2 Events Schedule - Wordpress Events Calendar Plugin, Wordpress | 2026-06-20 | 8.5 High | Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin <= 2.7.2 versions. |
| CVE-2026-22335 | 2 Wc Lovers., Wordpress | 2 Woocommerce Frontend Manager – Ultimate, Wordpress | 2026-06-20 | 8.5 High | Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions. |
| CVE-2026-22340 | 2 Jobster Marketplace, Wordpress | 2 Wpjobster, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions. |
| CVE-2026-48875 | 2 Jetimpex Inc., Wordpress | 2 Jetsmartfilters, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions. |
| CVE-2026-49076 | 2 Jetimpex Inc., Wordpress | 2 Jetengine, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions. |
| CVE-2026-49079 | 2 Jetimpex Inc., Wordpress | 2 Jetsearch, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions. |
| CVE-2026-49084 | 2 Jetimpex Inc., Wordpress | 2 Jetengine, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions. |
| CVE-2026-54185 | 2 Themeco, Wordpress | 2 Cornerstone, Wordpress | 2026-06-20 | 8.5 High | Subscriber SQL Injection in Cornerstone < 7.8.8 versions. |
| CVE-2026-54187 | 2 Jetimpex Inc., Wordpress | 2 Jetengine, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions. |
| CVE-2025-59554 | 2 Advanced Ads Gmbh, Wordpress | 2 Advanced Ads – Tracking, Wordpress | 2026-06-20 | 9.3 Critical | Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions. |
| CVE-2026-54819 | 2 Webilia Inc., Wordpress | 2 Listdom, Wordpress | 2026-06-20 | 9.3 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0. |
| CVE-2026-54815 | 2 Cargo Rd, Wordpress | 2 Cargo Shipping Location For Woocommerce, Wordpress | 2026-06-20 | 9.3 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6. |
| CVE-2026-54808 | 2 Wordpress, Wp Travel | 2 Wordpress, Wp Travel Gutenberg Blocks | 2026-06-20 | 9.3 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4. |
| CVE-2026-54809 | 2 Villatheme, Wordpress | 2 Gift4u, Wordpress | 2026-06-20 | 9.3 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10. |
| CVE-2026-55740 | 1 Nur-alam39 | 1 Bus-ticket | 2026-06-20 | 9.8 Critical | Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements. |
| CVE-2026-54419 | 1 Claudiopizzillo | 1 Piaf-hms | 2026-06-20 | 9.8 Critical | claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements. |
| CVE-2026-54222 | 1 Ubb Systems | 1 Ubb.threads | 2026-06-20 | N/A | UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members in Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries through time-based or boolean-based techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 7.7.5 but may also affect other versions. |
| CVE-2026-38812 | 1 Ruoyi | 1 Ruoyi | 2026-06-19 | 9.8 Critical | RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information. |