Total
17511 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12514 | 1 Centreon | 1 Centreon | 2026-01-05 | 7.2 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | ||||
| CVE-2025-28949 | 2 Codedraft, Wordpress | 2 Mediabay - Wordpress Media Library Folders, Wordpress | 2026-01-05 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders allows Blind SQL Injection.This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4. | ||||
| CVE-2025-30628 | 2 Aa-team, Wordpress | 2 Amazon Affiliates Addon For Wpbakery Page Builder, Wordpress | 2026-01-05 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | ||||
| CVE-2025-15409 | 1 Code-projects | 1 Online Guitar Store | 2026-01-05 | 7.3 High |
| A vulnerability was determined in code-projects Online Guitar Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/Delete_product.php. Executing manipulation of the argument del_pro can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-15427 | 1 Seeyon | 1 Zhiyuan Oa Web Application System | 2026-01-05 | 7.3 High |
| A security flaw has been discovered in Seeyon Zhiyuan OA Web Application System up to 20251222. This impacts an unknown function of the file /carManager/carUseDetailList.j%73p. The manipulation of the argument CAR_BRAND_NO results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59389 | 1 Qnap | 1 Hyper Data Protector | 2026-01-05 | N/A |
| An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1 and later | ||||
| CVE-2025-65235 | 2 Opencode, Opencode Systems | 2 Ussd Gateway, Ussd Gateway | 2026-01-02 | 9.8 Critical |
| OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function. | ||||
| CVE-2025-65236 | 2 Opencode, Opencode Systems | 2 Ussd Gateway, Ussd Gateway | 2026-01-02 | 9.8 Critical |
| OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint. | ||||
| CVE-2025-59213 | 1 Microsoft | 4 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 1 more | 2026-01-02 | 8.4 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges locally. | ||||
| CVE-2025-55320 | 1 Microsoft | 5 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 2 more | 2026-01-02 | 6.8 Medium |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to elevate privileges over an adjacent network. | ||||
| CVE-2025-59499 | 1 Microsoft | 5 Sql Server, Sql Server 2016, Sql Server 2017 and 2 more | 2026-01-02 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2023-1454 | 1 Jeecg | 1 Jeecg Boot | 2026-01-02 | 6.3 Medium |
| A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223299. | ||||
| CVE-2025-68914 | 1 Riello-ups | 1 Netman 208 | 2026-01-02 | 6.5 Medium |
| Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table. | ||||
| CVE-2025-67285 | 2 Angeljudesuarez, Itsourcecode | 2 Covid Tracking System Using Qr-code, Covid Tracking System | 2026-01-02 | 7.3 High |
| A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that attackers inject malicious code from the parameter 'id' and use it directly in SQL queries without the need for appropriate cleaning or validation. | ||||
| CVE-2023-7331 | 2026-01-02 | 4.7 Medium | ||
| A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue. | ||||
| CVE-2025-15169 | 1 Biggidroid | 1 Simple Php Cms | 2026-01-02 | 4.7 Medium |
| A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected by this issue is some unknown functionality of the file /admin/editsite.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-44065 | 2 Cloudlog, Magicbug | 2 Cloudlog, Cloudlog | 2025-12-31 | 9.8 Critical |
| Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter. | ||||
| CVE-2025-46268 | 1 Advantech | 2 Webaccess/scada, Webaccess\/scada | 2025-12-31 | 6.3 Medium |
| Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands. | ||||
| CVE-2025-63948 | 2 Craigtaub, Phpmsadmin | 2 Phpmsadmin, Phpmsadmin | 2025-12-31 | 5.4 Medium |
| A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information disclosure or database manipulation. | ||||
| CVE-2023-53917 | 1 Powerstonegh | 1 Affiliate Me | 2025-12-31 | 6.5 Medium |
| Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes. | ||||