Total
16736 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-52085 | 1 Yoosee | 1 Yoosee | 2025-09-12 | 8.8 High |
| An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table. | ||||
| CVE-2025-9391 | 2 Bjskzy, Zhiyou-group | 2 Zhiyou Erp, Zhiyou Erp | 2025-09-12 | 6.3 Medium |
| A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. This manipulation of the argument sql causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8347 | 1 Kehua | 1 Charging Pile Cloud Platform | 2025-09-12 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-54790 | 1 Humhub | 1 Files | 2025-09-12 | 6.5 Medium |
| Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10. | ||||
| CVE-2025-40687 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | 9.8 Critical |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'mobilenumber', 'teamleadname' and 'teammember' parameters in the endpoint '/ofrs/admin/add-team.php'. | ||||
| CVE-2025-40689 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | 9.8 Critical |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'. | ||||
| CVE-2025-40690 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | 9.8 Critical |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'teamid' parameter in the endpoint '/ofrs/admin/edit-team.php'. | ||||
| CVE-2025-40691 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | 9.8 Critical |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'todate' parameter in the endpoint '/ofrs/admin/bwdates-report-result.php'. | ||||
| CVE-2025-40692 | 1 Phpgurukul | 1 Online Fire Reporting System | 2025-09-12 | 9.8 Critical |
| SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'requestid' parameter in the endpoint '/ofrs/details.php'. | ||||
| CVE-2025-57819 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2025-09-12 | 9.8 Critical |
| FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3. | ||||
| CVE-2023-6436 | 1 Ekolbilisim | 1 Web Sablonu Yazilimi | 2025-09-12 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215. | ||||
| CVE-2025-10142 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-09-12 | 4.9 Medium |
| The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-6189 | 2 Duplicate Page And Post Project, Wordpress | 2 Duplicate Page And Post, Wordpress | 2025-09-12 | 6.5 Medium |
| The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-10218 | 1 Ruoyi | 1 Ruoyi | 2025-09-12 | 6.3 Medium |
| A flaw has been found in lostvip-com ruoyi-go 2.1. This affects the function SelectListPage of the file modules/system/dao/SysRoleDao.go of the component Background Management Page. This manipulation of the argument sortName causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-9776 | 2 Catfolders, Wordpress | 2 Tame Your Wordpress Media Library Plugin, Wordpress | 2025-09-12 | 6.5 Medium |
| The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-9073 | 2 Maheshmthorat, Wordpress | 2 All In One Minifier Plugin, Wordpress | 2025-09-12 | 7.5 High |
| The All in one Minifier plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-9451 | 2 Smartcatai, Wordpress | 2 Smartcat Translator For Wpml Plugin, Wordpress | 2025-09-12 | 6.5 Medium |
| The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-8692 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.9 Medium |
| The Coupon API plugin for WordPress is vulnerable to SQL Injection via the ‘log_duration’ parameter in all versions up to, and including, 6.2.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-55472 | 1 Tirreno | 1 Tirreno | 2025-09-11 | 6.5 Medium |
| SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. The vulnerability arises due to unsafe handling of user-supplied input in the columns[0][data] parameter, which is directly used in SQL queries without proper validation or parameterization. | ||||
| CVE-2025-9758 | 1 Deepakmisal24 | 1 Chemical Inventory Management System | 2025-09-11 | 6.3 Medium |
| A vulnerability was identified in deepakmisal24 Chemical Inventory Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /inventory_form.php. Such manipulation of the argument chem_name leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | ||||