Total: 18739 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-29234 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-04 | 5.4 Medium |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors. | ||||
| CVE-2024-29235 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-04 | 5.4 Medium |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors. | ||||
| CVE-2024-29236 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-04 | 5.4 Medium |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors. | ||||
| CVE-2024-29237 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-04 | 5.4 Medium |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors. | ||||
| CVE-2024-29238 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-04 | 5.4 Medium |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors. | ||||
| CVE-2024-29239 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-04 | 5.4 Medium |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors. | ||||
| CVE-2025-53515 | 1 Advantech | 1 Iview | 2025-08-01 | 8.8 High |
| A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | ||||
| CVE-2025-30217 | 1 Frappe | 1 Frappe | 2025-08-01 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known workarounds are available. | ||||
| CVE-2025-30212 | 1 Frappe | 1 Frappe | 2025-08-01 | 7.5 High |
| Frappe is a full-stack web application framework. An SQL Injection vulnerability has been identified in Frappe Framework prior to versions 14.89.0 and 15.51.0 which could allow a malicious actor to access sensitive information. Versions 14.89.0 and 15.51.0 fix the issue. Upgrading is required; no other workaround is present. | ||||
| CVE-2023-37847 | 1 Xxyopen | 1 Novel-plus | 2025-08-01 | 9.8 Critical |
| novel-plus v3.6.2 was discovered to contain a SQL injection vulnerability. | ||||
| CVE-2024-1251 | 1 Tongda2000 | 1 Office Anywhere | 2025-08-01 | 5.5 Medium |
| A vulnerability classified as critical has been found in Tongda OA 2017 up to 11.10. Affected is an unknown function of the file /general/email/outbox/delete.php. The manipulation of the argument DELETE_STR leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-252990 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-7021 | 1 Tongda2000 | 1 Office Anywhere | 2025-08-01 | 6.3 Medium |
| A vulnerability was found in Tongda OA 2017 up to 11.9. It has been classified as critical. Affected is an unknown function of the file general/vehicle/checkup/delete_search.php. The manipulation of the argument VU_ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-248568. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-24813 | 1 Frappe | 1 Frappe | 2025-07-31 | 7.5 High |
| Frappe is a full-stack web application framework. Prior to versions 14.64.0 and 15.0.0, SQL injection from a particular whitelisted method can result in access to data which the user doesn't have permission to access. Versions 14.64.0 and 15.0.0 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2025-21619 | 1 Glpi-project | 1 Glpi | 2025-07-31 | 9.8 Critical |
| GLPI is a free asset and IT management software package. An administrator user can perform a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18. | ||||
| CVE-2025-24799 | 1 Glpi-project | 1 Glpi | 2025-07-31 | 7.5 High |
| GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. | ||||
| CVE-2025-8254 | 1 Campcodes | 1 Courier Management System | 2025-07-31 | 6.3 Medium |
| A vulnerability was found in Campcodes Courier Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /view_parcel.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-8252 | 1 Code-projects | 1 Exam Form Submission | 2025-07-31 | 7.3 High |
| A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete_s5.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-8253 | 1 Code-projects | 1 Exam Form Submission | 2025-07-31 | 7.3 High |
| A vulnerability was found in code-projects Exam Form Submission 1.0. It has been classified as critical. This affects an unknown part of the file /admin/delete_s6.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-39753 | 1 Trendmicro | 1 Apex One | 2025-07-31 | 7.5 High |
| A modOSCE SQL Injection vulnerability in Trend Micro Apex One could allow a remote attacker to execute arbitrary code on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | ||||
| CVE-2025-1750 | 1 Llamaindex | 1 Llamaindex | 2025-07-31 | N/A |
| An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE). | ||||