Search Results (19650 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-36681 2026-04-15 9.8 Critical
SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods.
CVE-2024-32888 1 Aws 1 Amazon-redshift-jdbc-driver 2026-04-15 10 Critical
The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code which has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default, extended query mode. Note that `preferQueryMode` is not a supported parameter in Redshift JDBC driver, and is inherited code from Postgres JDBC driver. Users who do not override default settings to utilize this unsupported query mode are not affected. This issue is patched in driver version 2.1.0.28. As a workaround, do not use the connection property `preferQueryMode=simple`. (NOTE: Those who do not explicitly specify a query mode use the default of extended query mode and are not affected by this issue.)
CVE-2025-42889 1 Sap 1 Starter Solution 2026-04-15 5.4 Medium
SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. As a result, this vulnerability has a low impact on the application's confidentiality and integrity but no impact on its availability.
CVE-2025-6753 1 Huija 1 Bicyclesharingserver 2026-04-15 6.3 Medium
A vulnerability was found in huija bicycleSharingServer 1.0 and classified as critical. This issue affects the function selectAdminByNameLike of the file AdminController.java. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-28145 2026-04-15 5.9 Medium
An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are vulnerable. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword.
CVE-2024-36680 1 Promokit 1 Pkfacebook 2026-04-15 7.5 High
In the module "Facebook" (pkfacebook) <=1.0.1 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.
CVE-2024-2831 2 Kieranoshea, Wordpress 2 Calendar, Wordpress 2026-04-15 8.8 High
The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-40635 2026-04-15 N/A
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint.
CVE-2024-8503 1 Vicidial 1 Vicidial 2026-04-15 9.8 Critical
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
CVE-2024-34534 2026-04-15 7.3 High
A SQL injection vulnerability in Cybrosys Techno Solutions Text Commander module (aka text_commander) 16.0 through 16.0.1 allows a remote attacker to gain privileges via the data parameter to models/ir_model.py:IrModel::chech_model.
CVE-2024-34533 1 Odoo 1 Odoo 2026-04-15 7.3 High
A SQL injection vulnerability in ZI PT Solusi Usaha Mudah Analytic Data Query module (aka izi_data) 11.0 through 17.x before 17.0.3 allows a remote attacker to gain privileges via a query to IZITools::query_check, IZITools::query_fetch, or IZITools::query_execute.
CVE-2025-9802 1 Remoteclinic 1 Remote Clinic 2026-04-15 4.7 Medium
A vulnerability was detected in RemoteClinic 2.0. This vulnerability affects unknown code of the file /staff/profile.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely.
CVE-2024-31025 1 Shopex 1 Ecshop 2026-04-15 7.5 High
SQL Injection vulnerability in ECshop 4.x allows an attacker to obtain sensitive information via the file/article.php component.
CVE-2025-41002 1 Manantial De Ideas 1 Infoticketing 2026-04-15 N/A
SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.
CVE-2024-57238 2026-04-15 7.3 High
Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to SQL Injection in in the /reqproc/proc_get endpoint. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL code into the order_by parameter.
CVE-2024-57178 2026-04-15 5.9 Medium
An SQL injection vulnerability exists in Stock-Forecaster <=01-04-2020. By sending a specially crafted 'stock-symbol' parameter to the portofolio() endpoint, it is possible to trigger an SQL injection in the application. As a result, the attacker will be able the user data or manipulate the software behavior.
CVE-2024-8757 1 Afthemes 1 Wp Post Author 2026-04-15 7.2 High
The WP Post Author – Boost Your Blog&#039;s Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the linked_user_id parameter in all versions up to, and including, 3.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-22207 2026-04-15 N/A
Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler.
CVE-2025-1464 2026-04-15 7.3 High
A vulnerability, which was classified as critical, has been found in Baiyi Cloud Asset Management System up to 20250204. This issue affects some unknown processing of the file /wuser/admin.house.collect.php. The manipulation of the argument project_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-41009 1 Disenno De Recursos Educativos 1 Virtual Campus Platform 2026-04-15 N/A
SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’.