Total
18782 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67281 | 1 Tim-solutions | 1 Tim Flow | 2026-01-22 | 5.4 Medium |
| In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. | ||||
| CVE-2025-59389 | 1 Qnap | 1 Hyper Data Protector | 2026-01-22 | 9.8 Critical |
| An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1 and later | ||||
| CVE-2025-67082 | 1 Invoiceplane | 1 Invoiceplane | 2026-01-22 | 6.5 Medium |
| An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | ||||
| CVE-2025-70892 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2026-01-22 | 9.8 Critical |
| Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint. | ||||
| CVE-2025-70893 | 1 Phpgurukul | 1 Cyber Cafe Management System | 2026-01-22 | 8.8 High |
| A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. | ||||
| CVE-2025-61943 | 1 Aveva | 2 Historian, Process Optimization | 2026-01-22 | 8.4 High |
| The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server. | ||||
| CVE-2024-51539 | 1 Dell | 1 Secure Connect Gateway | 2026-01-21 | 2.3 Low |
| The Dell Secure Connect Gateway (SCG) Application and Appliance, versions prior to 5.28, contains a SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This vulnerability can only be exploited locally on the affected system. A high-privilege attacker with access to the system could potentially exploit this vulnerability, leading to the disclosure of non-sensitive information that does not include any customer data. | ||||
| CVE-2023-39309 | 2 Avada, Wordpress | 2 Fusion Builder, Wordpress | 2026-01-21 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1. | ||||
| CVE-2025-14227 | 1 Philipinho | 1 Simple-php-blog | 2026-01-21 | 6.3 Medium |
| A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-66417 | 1 Glpi-project | 1 Glpi | 2026-01-21 | 7.5 High |
| GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. | ||||
| CVE-2025-15238 | 2 Quanta Computer, Quantatw | 2 Qoca Aim Ai Medical Cloud Platform, Qoca Aim | 2026-01-20 | 6.5 Medium |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | ||||
| CVE-2025-15239 | 2 Quanta Computer, Quantatw | 2 Qoca Aim Ai Medical Cloud Platform, Qoca Aim | 2026-01-20 | 6.5 Medium |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | ||||
| CVE-2025-37181 | 2 Arubanetworks, Hpe | 2 Edgeconnect Sd-wan Orchestrator, Edgeconnect Sd-wan Orchestrator | 2026-01-20 | 7.2 High |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | ||||
| CVE-2025-37182 | 2 Arubanetworks, Hpe | 2 Edgeconnect Sd-wan Orchestrator, Edgeconnect Sd-wan Orchestrator | 2026-01-20 | 7.2 High |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | ||||
| CVE-2025-37183 | 2 Arubanetworks, Hpe | 2 Edgeconnect Sd-wan Orchestrator, Edgeconnect Sd-wan Orchestrator | 2026-01-20 | 7.2 High |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | ||||
| CVE-2025-61246 | 1 Indieka900 | 2 Online-shopping-system-php, Online Shopping System | 2026-01-16 | 9.8 Critical |
| indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter. | ||||
| CVE-2021-24863 | 1 Billminozzi | 1 Stop Bad Bots | 2026-01-16 | 9.8 Critical |
| The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection | ||||
| CVE-2021-24727 | 1 Billminozzi | 1 Stop Bad Bots | 2026-01-16 | 8.8 High |
| The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections | ||||
| CVE-2023-54163 | 3 Google, Nlb, Nlb Banka Ad Skopje | 3 Android, Mklik Makedonija, Nlb Mklik Makedonija | 2026-01-16 | 7.5 High |
| NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application. | ||||
| CVE-2023-53960 | 1 Sound4 | 18 Big Voice2, Big Voice2 Firmware, Big Voice4 and 15 more | 2026-01-16 | 9.8 Critical |
| SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parameter to bypass authentication and potentially gain unauthorized access to the system. | ||||