Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10258 | 1 Nokia | 1 Infinera Dna | 2026-02-26 | 6.3 Medium |
| Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information. | ||||
| CVE-2025-27378 | 1 Altium | 2 Aes, On-prem Enterprise Server | 2026-02-26 | 8.6 High |
| AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | ||||
| CVE-2026-3135 | 2 Clive 21, Itsourcecode | 2 News Portal Project, News Portal Project | 2026-02-26 | 7.3 High |
| A weakness has been identified in itsourcecode News Portal Project 1.0. The impacted element is an unknown function of the file /admin/add-category.php. This manipulation of the argument Category causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2024-13162 | 1 Ivanti | 1 Endpoint Manager | 2026-02-26 | 7.2 High |
| SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848. | ||||
| CVE-2025-25064 | 1 Synacor | 1 Zimbra Collaboration Suite | 2026-02-26 | 8.8 High |
| SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata. | ||||
| CVE-2025-25181 | 1 Advantive | 1 Veracore | 2026-02-26 | 5.8 Medium |
| A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter. | ||||
| CVE-2025-22217 | 2026-02-26 | 8.6 High | ||
| Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. A malicious user with network access may be able to use specially crafted SQL queries to gain database access. | ||||
| CVE-2025-30473 | 1 Apache | 1 Airflow Common Sql Provider | 2026-02-26 | 8.8 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When using the partition clause in SQLTableCheckOperator as parameter (which was a recommended pattern), Authenticated UI User could inject arbitrary SQL command when triggering DAG exposing partition_clause to the user. This allowed the DAG Triggering user to escalate privileges to execute those arbitrary commands which they normally would not have. This issue affects Apache Airflow Common SQL Provider: before 1.24.1. Users are recommended to upgrade to version 1.24.1, which fixes the issue. | ||||
| CVE-2025-22461 | 1 Ivanti | 1 Endpoint Manager | 2026-02-26 | 7.2 High |
| SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. | ||||
| CVE-2025-47178 | 1 Microsoft | 2 Configuration Manager, Configuration Manager 2503 | 2026-02-26 | 8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network. | ||||
| CVE-2025-47172 | 1 Microsoft | 4 Sharepoint Enterprise Server, Sharepoint Server, Sharepoint Server 2016 and 1 more | 2026-02-26 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-49218 | 2 Microsoft, Trendmicro | 3 Windows, Endpoint Encryption Policy Server, Trend Micro Endpoint Encryption | 2026-02-26 | 7.7 High |
| A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations. This is similar to, but not identical to CVE-2025-49215. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. | ||||
| CVE-2025-25257 | 1 Fortinet | 1 Fortiweb | 2026-02-26 | 9.6 Critical |
| An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | ||||
| CVE-2025-0966 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2026-02-26 | 7.6 High |
| IBM InfoSphere Information Server 11.7 vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | ||||
| CVE-2025-2928 | 1 Genetec | 1 Security Center | 2026-02-26 | 7.2 High |
| SQL Injection affecting the Archiver role. | ||||
| CVE-2025-8296 | 1 Ivanti | 1 Avalanche | 2026-02-26 | 7.2 High |
| SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution | ||||
| CVE-2025-32327 | 1 Google | 1 Android | 2026-02-26 | 7.8 High |
| In multiple functions of PickerDbFacade.java, there is a possible unauthorized data access due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-47954 | 1 Microsoft | 2 Sql Server, Sql Server 2022 | 2026-02-26 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-58462 | 2 Opexus, Opexustech | 2 Foiaxpress Pal, Foiaxpress Public Access Link | 2026-02-26 | 9.8 Critical |
| OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the underlying database. | ||||
| CVE-2025-27240 | 1 Zabbix | 1 Zabbix | 2026-02-26 | 7.2 High |
| A Zabbix adminitrator can inject arbitrary SQL during the autoremoval of hosts by inserting malicious SQL in the 'Visible name' field. | ||||