Total
18039 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14514 | 1 Campcodes | 1 Supplier Management System | 2026-02-24 | 7.3 High |
| A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-14285 | 1 Code-projects | 1 Employee Profile Management System | 2026-02-24 | 7.3 High |
| A vulnerability was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-14222 | 2 Carmelogarcia, Code-projects | 2 Employee Profile Management System, Employee Profile Management System | 2026-02-24 | 6.3 Medium |
| A flaw has been found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file /print_personnel_report.php. This manipulation of the argument per_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-14210 | 1 Projectworlds | 1 Advanced Library Management System | 2026-02-24 | 7.3 High |
| A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /delete_member.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2020-35613 | 1 Joomla | 1 Joomla\! | 2026-02-24 | 9.8 Critical |
| An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list. | ||||
| CVE-2026-0722 | 2 Paultgoodchild, Wordpress | 2 Shield: Blocks Bots, Protects Users, And Prevents Security Breaches, Wordpress | 2026-02-24 | 6.5 Medium |
| The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-2867 | 2 Admerc, Itsourcecode | 2 Vehicle Management System, Vehicle Management System | 2026-02-23 | 7.3 High |
| A vulnerability was determined in itsourcecode Vehicle Management System 1.0. Affected is an unknown function of the file /billaction.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-24956 | 2 Shahjada, Wordpress | 2 Download Manager Addons For Elementor, Wordpress | 2026-02-23 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0. | ||||
| CVE-2026-2706 | 1 Code-projects | 1 Patient Record Management System | 2026-02-23 | 6.3 Medium |
| A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2026-2912 | 2 Code-projects, Fabian | 2 Online Reviewer System, Online Reviewer System | 2026-02-23 | 7.3 High |
| A vulnerability was found in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/students/assessments/results/studentresult-view.php. The manipulation of the argument test_id results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | ||||
| CVE-2019-25439 | 1 Novismart | 1 Novismart Cms | 2026-02-23 | 8.2 High |
| NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service. | ||||
| CVE-2019-25440 | 1 Webincorp | 1 Webincorp Erp | 2026-02-23 | 8.2 High |
| WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database information. | ||||
| CVE-2019-25366 | 1 Microasp | 1 Microasp (portal+) Cms | 2026-02-23 | 8.2 High |
| microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name. | ||||
| CVE-2019-25462 | 1 Web-ofisi | 1 Rent A Car | 2026-02-23 | 8.2 High |
| Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. Attackers can send GET requests to with malicious 'klima' values to extract sensitive database information or cause denial of service. | ||||
| CVE-2026-1581 | 2 Tomdever, Wordpress | 2 Wpforo Forum, Wordpress | 2026-02-23 | 7.5 High |
| The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-2232 | 2 Wcproducttable, Wordpress | 2 Product Table And List Builder For Woocommerce Lite, Wordpress | 2026-02-23 | 7.5 High |
| The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-2963 | 1 Jinher | 1 Oa C6 | 2026-02-23 | 6.3 Medium |
| A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-24494 | 1 Order Up | 1 Online Ordering System | 2026-02-23 | 9.8 Critical |
| SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request. | ||||
| CVE-2026-25993 | 1 Evershop | 1 Evershop | 2026-02-23 | 9.8 Critical |
| EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1. | ||||
| CVE-2026-25947 | 1 Worklenz | 1 Worklenz | 2026-02-23 | 8.8 High |
| Worklenz is a project management tool. Prior to 2.1.7, there are multiple SQL injection vulnerabilities were discovered in backend SQL query construction affecting project and task management controllers, reporting and financial data endpoints, real-time socket.io handlers, and resource allocation and scheduling features. The vulnerability has been patched in version v2.1.7. | ||||