Total
16419 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-48573 | 2 Aquila, Aquila-cms | 2 Cms, Aquilacms | 2025-04-22 | 9.8 Critical |
| A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. | ||||
| CVE-2025-0532 | 1 Codezips | 1 Gym Management System | 2025-04-22 | 6.3 Medium |
| A vulnerability was found in Codezips Gym Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /dashboard/admin/new_submit.php. The manipulation of the argument m_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-0535 | 1 Codezips | 1 Gym Management System | 2025-04-22 | 6.3 Medium |
| A vulnerability classified as critical has been found in Codezips Gym Management System 1.0. This affects an unknown part of the file /dashboard/admin/edit_mem_submit.php. The manipulation of the argument uid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-0565 | 1 Zzcms | 1 Zzcms | 2025-04-22 | 7.3 High |
| A vulnerability was found in ZZCMS 2023. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-50766 | 2 Oretnom23, Sourcecodester | 2 Survey Application System, Survey Application System | 2025-04-22 | 9.8 Critical |
| SourceCodester Survey Application System 1.0 is vulnerable to SQL Injection in takeSurvey.php via the id parameter. | ||||
| CVE-2025-3402 | 1 Seeyon | 1 Fe Collaborative Office Platform | 2025-04-22 | 6.3 Medium |
| A vulnerability was found in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform 5.5.2 and classified as critical. This issue affects some unknown processing of the file /sysform/042/check.js%70. The manipulation of the argument Name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-18243 | 1 Enricozab | 1 Cms | 2025-04-22 | 6.5 Medium |
| SQL injection vulnerability found in Enricozab CMS v.1.0 allows a remote attacker to execute arbitrary code via /hdo/hdo-view-case.php. | ||||
| CVE-2025-28198 | 1 Hitstiresoftware | 1 Hitout Car Sale | 2025-04-22 | 5.9 Medium |
| A SQL injection vulnerability in Hitout car sale 1.0 allows a remote attacker to obtain sensitive information via the orderBy parameter of the StoreController.java component. | ||||
| CVE-2022-24707 | 1 Anuko | 1 Time Tracker | 2025-04-22 | 7.4 High |
| Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input. | ||||
| CVE-2022-24815 | 1 Jhipster | 1 Generator-jhipster | 2025-04-22 | 8.1 High |
| JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. SQL Injection vulnerability in entities for applications generated with the option "reactive with Spring WebFlux" enabled and an SQL database using r2dbc. Applications created without "reactive with Spring WebFlux" and applications with NoSQL databases are not affected. Users who have generated a microservice Gateway using the affected version may be impacted as Gateways are reactive by default. Currently, SQL injection is possible in the findAllBy(Pageable pageable, Criteria criteria) method of an entity repository class generated in these applications as the where clause using Criteria for queries are not sanitized and user input is passed on as it is by the criteria. This issue has been patched in v7.8.1. Users unable to upgrade should be careful when combining criterias and conditions as the root of the issue lies in the `EntityManager.java` class when creating the where clause via `Conditions.just(criteria.toString())`. `just` accepts the literal string provided. Criteria's `toString` method returns a plain string and this combination is vulnerable to sql injection as the string is not sanitized and will contain whatever used passed as input using any plain SQL. | ||||
| CVE-2022-24844 | 2 Gin-vue-admin Project, Postgresql | 2 Gin-vue-admin, Postgresql | 2025-04-22 | 8.1 High |
| Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Users must: Require JWT login) and be using PostgreSQL to be affected. This issue has been resolved in version 2.5.1. There are no known workarounds. | ||||
| CVE-2022-2807 | 1 Algan | 1 Prens Student Information System | 2025-04-22 | 9.8 Critical |
| SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection.This issue affects Prens Student Information System: before 2.1.11. | ||||
| CVE-2025-28100 | 1 Geeeeeeeek | 1 Dingfanzu | 2025-04-22 | 9.8 Critical |
| A SQL Injection vulnerability in dingfanzuCMS v.1.0 allows a attacker to execute arbitrary code via not filtering the content correctly at the "operateOrder.php" id parameter. | ||||
| CVE-2022-31092 | 1 Pimcore | 1 Pimcore | 2025-04-22 | 7.5 High |
| Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue. | ||||
| CVE-2022-31101 | 1 Prestashop | 1 Blockwishlist | 2025-04-22 | 8.1 High |
| prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2022-31197 | 4 Debian, Fedoraproject, Postgresql and 1 more | 6 Debian Linux, Fedora, Postgresql Jdbc Driver and 3 more | 2025-04-22 | 7.1 High |
| PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2025-29189 | 1 Flowiseai | 1 Flowise | 2025-04-22 | 7.6 High |
| Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores. | ||||
| CVE-2025-29390 | 1 Jerryhanjj | 1 Erp | 2025-04-22 | 8.8 High |
| jerryhanjj ERP 1.0 is vulnerable to SQL Injection in the set_password function in application/controllers/home.php. | ||||
| CVE-2025-29391 | 1 Horvey | 1 Library-manager | 2025-04-22 | 7.2 High |
| horvey Library-Manager v1.0 is vulnerable to SQL Injection in Admin/Controller/BookController.class.php. | ||||
| CVE-2024-40068 | 1 Oretnom23 | 1 Online Id Generator System | 2025-04-22 | 5.9 Medium |
| Sourcecodester Online ID Generator System 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at id_generator/admin/?page=templates/manage_template&id=1. | ||||