Export limit exceeded: 19524 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19524 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25446 | 1 Digit-rs | 1 Digit Centris | 2026-04-15 | 8.2 High |
| DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information. | ||||
| CVE-2025-50341 | 1 Axelor | 1 Axelor | 2026-04-15 | 9.8 Critical |
| A Boolean-based SQL injection vulnerability was discovered in Axelor 5.2.4 via the _domain parameter. An attacker can manipulate the SQL query logic and determine true/false conditions, potentially leading to data exposure or further exploitation. | ||||
| CVE-2025-69366 | 2 Teconcetheme, Wordpress | 2 Emerce Core, Wordpress | 2026-04-15 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Emerce Core emerce-core allows Blind SQL Injection.This issue affects Emerce Core: from n/a through <= 1.8. | ||||
| CVE-2025-69365 | 2 Teconcetheme, Wordpress | 2 Uroan Core, Wordpress | 2026-04-15 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Uroan Core uroan-core allows Blind SQL Injection.This issue affects Uroan Core: from n/a through <= 1.4.4. | ||||
| CVE-2025-10692 | 1 Opensupports | 1 Opensupports | 2026-04-15 | N/A |
| The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0. | ||||
| CVE-2024-11504 | 2026-04-15 | N/A | ||
| Input from multiple fields in Streamsoft Prestiż is not sanitized properly, leading to an SQL injection vulnerability, which might be exploited by an authenticated remote attacker. This issue was fixed in 18.1.376.37 version of the software. | ||||
| CVE-2025-12463 | 1 Guetebruck | 1 G-cam | 2026-04-15 | 9.8 Critical |
| An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19. | ||||
| CVE-2025-29267 | 2026-04-15 | 6.5 Medium | ||
| SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain a sensitive information via the cid parameter in the GET request. | ||||
| CVE-2025-2928 | 1 Genetec | 1 Security Center | 2026-04-15 | 7.2 High |
| SQL Injection affecting the Archiver role. | ||||
| CVE-2025-10762 | 1 Dootask | 1 Dootask | 2026-04-15 | 6.3 Medium |
| A vulnerability was found in kuaifan DooTask up to 1.2.49. Affected by this vulnerability is an unknown functionality of the file app/Http/Controllers/Api/UsersController.php. The manipulation of the argument keys[department] results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-62658 | 1 Mediawiki | 2 Mediawiki, Watchanalytics | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection.This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44. | ||||
| CVE-2024-11437 | 2026-04-15 | 4.9 Medium | ||
| The Timeline Designer plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-23176 | 1 Tecnick | 1 Tcexam | 2026-04-15 | 8.8 High |
| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | ||||
| CVE-2024-44541 | 1 Evilnapsis | 1 Inventio-lite | 2026-04-15 | 9.8 Critical |
| evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin." | ||||
| CVE-2024-13320 | 2 Villatheme, Wordpress | 2 Curcy - Woocommerce Multi Currency - Currency Switcher, Wordpress | 2026-04-15 | 7.5 High |
| The CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress is vulnerable to SQL Injection via the 'wc_filter_price_meta[where]' parameter in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-12428 | 2026-04-15 | 7.5 High | ||
| The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all versions up to, and including, 5.5.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-58780 | 1 Sciencelogic | 1 Sl1 | 2026-04-15 | 7.2 High |
| index.em7 in ScienceLogic SL1 before 12.1.1 allows SQL Injection via a parameter in a request. NOTE: this is disputed by the Supplier because it "inaccurately describes the vulnerability." | ||||
| CVE-2024-12706 | 2026-04-15 | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenText™ Digital Asset Management. T he vulnerability could allow an authenticated user to run arbitrary SQL commands on the underlying database. This issue affects Digital Asset Management.: through 24.4. | ||||
| CVE-2025-62367 | 1 Taiga | 1 Taiga | 2026-04-15 | 4.8 Medium |
| Taiga is an open source project management platform. In versions 6.8.3 and earlier, Taiga API is vulnerable to time-based blind SQL injection allowing sensitive data disclosure via response timing. This issue is fixed in version 6.9.0. | ||||
| CVE-2025-56450 | 1 Log2space | 1 Subscriber Management Software | 2026-04-15 | 6.5 Medium |
| Log2Space Subscriber Management Software 1.1 is vulnerable to unauthenticated SQL injection via the `lead_id` parameter in the `/l2s/api/selfcareLeadHistory` endpoint. A remote attacker can exploit this by sending a specially crafted POST request, resulting in the execution of arbitrary SQL queries. The backend fails to sanitize the user input, allowing enumeration of database schemas, table names, and potentially leading to full database compromise. | ||||