Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2015-9448

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-26 Sep, 2019 | 03:33
Updated At-06 Aug, 2024 | 08:51
Rejected At-
Credits

The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:26 Sep, 2019 | 03:33
Updated At:06 Aug, 2024 | 08:51
Rejected At:
▼CVE Numbering Authority (CNA)

The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpvulndb.com/vulnerabilities/8324
x_refsource_MISC
https://wordpress.org/plugins/sendpress/#developers
x_refsource_MISC
http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.html
x_refsource_MISC
Hyperlink: https://wpvulndb.com/vulnerabilities/8324
Resource:
x_refsource_MISC
Hyperlink: https://wordpress.org/plugins/sendpress/#developers
Resource:
x_refsource_MISC
Hyperlink: http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://wpvulndb.com/vulnerabilities/8324
x_refsource_MISC
x_transferred
https://wordpress.org/plugins/sendpress/#developers
x_refsource_MISC
x_transferred
http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.html
x_refsource_MISC
x_transferred
Hyperlink: https://wpvulndb.com/vulnerabilities/8324
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://wordpress.org/plugins/sendpress/#developers
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:26 Sep, 2019 | 04:15
Updated At:26 Sep, 2019 | 15:57

The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches

pressified
pressified
>>sendpress>>Versions before 1.2(exclusive)
cpe:2.3:a:pressified:sendpress:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarynvd@nist.gov
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.htmlcve@mitre.org
Exploit
Third Party Advisory
https://wordpress.org/plugins/sendpress/#developerscve@mitre.org
Product
Release Notes
https://wpvulndb.com/vulnerabilities/8324cve@mitre.org
Third Party Advisory
Hyperlink: http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.html
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: https://wordpress.org/plugins/sendpress/#developers
Source: cve@mitre.org
Resource:
Product
Release Notes
Hyperlink: https://wpvulndb.com/vulnerabilities/8324
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

4698Records found

CVE-2016-10940
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-5.52% / 91.85%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 11:49
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.

Action-Not Available
Vendor-zm-gallery_projectn/a
Product-zm-galleryn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-6156
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.43%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 03:00
Updated-17 Jun, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Nipah Virus Testing Management System bwdates-report-ds.php sql injection

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-ds.php. The manipulation of the argument testtype leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-Nipah Virus Testing Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1308
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.41% / 69.29%
||
7 Day CHG~0.00%
Published-07 Feb, 2016 | 11:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Cisco Unified Communications Manager 10.5(2.13900.9) allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCux99227.

Action-Not Available
Vendor-n/aSamsung
Product-x14j_firmwaren/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-5235
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 32.62%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 05:00
Updated-26 Feb, 2025 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Campcodes Complete Web-Based School Management System teacher_salary_invoice.php sql injection

A vulnerability classified as critical has been found in Campcodes Complete Web-Based School Management System 1.0. Affected is an unknown function of the file /view/teacher_salary_invoice.php. The manipulation of the argument teacher_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265986 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-CampCodes
Product-complete_web-based_school_management_systemComplete Web-Based School Management System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9411
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 00:45
Updated-26 May, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Indian Invoicing System Invoice Generation IGST_Invoice.php sql injection

A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-SourceCodester
Product-Indian Invoicing System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10754
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.46% / 70.40%
||
7 Day CHG~0.00%
Published-24 May, 2019 | 17:40
Updated-06 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.

Action-Not Available
Vendor-vtigern/a
Product-vtiger_crmn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2005-4349
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-1.39% / 68.98%
||
7 Day CHG~0.00%
Published-19 Dec, 2005 | 11:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450

Action-Not Available
Vendor-n/aphpMyAdmin
Product-phpmyadminn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10939
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.60% / 72.78%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 11:47
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter.

Action-Not Available
Vendor-xtremelocatorn/a
Product-xtremelocatorn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10947
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.52% / 71.60%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 12:03
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin.

Action-Not Available
Vendor-post_indexer_projectn/a
Product-post_indexern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10951
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.92% / 77.38%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 12:10
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter.

Action-Not Available
Vendor-firestormpluginsn/a
Product-fs-shopping-cartn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10509
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.41% / 69.37%
||
7 Day CHG~0.00%
Published-31 Aug, 2017 | 20:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php.

Action-Not Available
Vendor-opencartn/a
Product-opencartn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9451
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 15.70%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 10:45
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Employee Management System applyleaveprocess.php sql injection

A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-Source Code & Projects
Product-Employee Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1000120
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.10% / 79.40%
||
7 Day CHG~0.00%
Published-27 Oct, 2016 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla

Action-Not Available
Vendor-huge-itn/a
Product-catalogn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9524
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 15.70%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 02:45
Updated-26 May, 2026 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xianrendzw EasyReport REST Endpoint execute sql injection

A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-xianrendzw
Product-EasyReport
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9305
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-23 May, 2026 | 14:30
Updated-28 May, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuantumNous new-api self Endpoint topup.go SearchAllTopUps sql injection

A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-QuantumNous
Product-new-api
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-20337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.04% / 59.79%
||
7 Day CHG~0.00%
Published-05 Jan, 2020 | 21:06
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In PHP Scripts Mall advanced-real-estate-script 4.0.9, the news_edit.php news_id parameter is vulnerable to SQL Injection.

Action-Not Available
Vendor-advanced_real_estate_script_projectn/a
Product-advanced_real_estate_scriptn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-1000552
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.03% / 59.55%
||
7 Day CHG~0.00%
Published-26 Jun, 2018 | 16:00
Updated-05 Aug, 2024 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Trovebox version <= 4.0.0-rc6 contains a SQL Injection vulnerability in album component that can result in SQL code injection. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed.

Action-Not Available
Vendor-troveboxn/a
Product-troveboxn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1000117
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.31% / 81.23%
||
7 Day CHG~0.00%
Published-21 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS & SQLi in HugeIT slideshow v1.0.4

Action-Not Available
Vendor-huge-itn/a
Product-slideshown/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10378
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.26% / 66.10%
||
7 Day CHG~0.00%
Published-29 May, 2017 | 19:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function.

Action-Not Available
Vendor-e107n/a
Product-e107n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1000119
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.31% / 81.23%
||
7 Day CHG~0.00%
Published-21 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla

Action-Not Available
Vendor-huge-itn/a
Product-catalogn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9342
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-23 May, 2026 | 22:15
Updated-27 May, 2026 | 17:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Hospitals Patient Records Management System view_history.php sql injection

A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/view_history.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-SourceCodester
Product-Hospitals Patient Records Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10379
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.65% / 73.68%
||
7 Day CHG~0.00%
Published-29 May, 2017 | 19:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The VirtueMart com_virtuemart component 3.0.14 for Joomla! allows SQL injection by remote authenticated administrators via the virtuemart_paymentmethod_id or virtuemart_shipmentmethod_id parameter to administrator/index.php.

Action-Not Available
Vendor-virtuemartn/a
Product-virtuemartn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-20842
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.97% / 57.48%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 13:18
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9607
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 00:00
Updated-28 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Courier Management System parcel_list.php sql injection

A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-ITSourceCode
Product-Courier Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1000118
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.31% / 81.23%
||
7 Day CHG~0.00%
Published-21 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XSS & SQLi in HugeIT slideshow v1.0.4

Action-Not Available
Vendor-huge-itn/a
Product-slideshown/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-6136
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.77%
||
7 Day CHG~0.00%
Published-16 Jun, 2025 | 19:31
Updated-17 Jun, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Projectworlds Life Insurance Management System insertPayment.php sql injection

A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Projectworlds
Product-Life Insurance Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-0769
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-2.89% / 85.21%
||
7 Day CHG~0.00%
Published-23 Jan, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the (2) view, (3) mark, or (4) change parameter.

Action-Not Available
Vendor-elfdenn/a
Product-eshop_pluginn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-1000116
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.10% / 79.46%
||
7 Day CHG~0.00%
Published-21 Oct, 2016 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS

Action-Not Available
Vendor-huge-itn/a
Product-portfolio_gallery_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10007
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.29% / 66.65%
||
7 Day CHG-0.02%
Published-19 Feb, 2018 | 21:00
Updated-06 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.

Action-Not Available
Vendor-n/adotCMS, LLC
Product-dotcmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-6122
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 26.22%
||
7 Day CHG~0.00%
Published-16 Jun, 2025 | 12:31
Updated-17 Jun, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Restaurant Order System table.php sql injection

A vulnerability, which was classified as critical, was found in code-projects Restaurant Order System 1.0. This affects an unknown part of the file /table.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Restaurant Order System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10008
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.29% / 66.65%
||
7 Day CHG-0.02%
Published-19 Feb, 2018 | 21:00
Updated-06 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.

Action-Not Available
Vendor-n/adotCMS, LLC
Product-dotcmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7290
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 10.51%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 16:30
Updated-28 Apr, 2026 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JeecgBoot loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil sql injection

A vulnerability was determined in JeecgBoot up to 3.9.1. Impacted is the function SqlInjectionUtil of the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java of the component loadDict Endpoint. This manipulation of the argument keyword causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Patch name: a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b. To fix this issue, it is recommended to deploy a patch.

Action-Not Available
Vendor-n/a
Product-JeecgBoot
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9400
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.94% / 77.70%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 15:10
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admin/post-new.php text SQL injection.

Action-Not Available
Vendor-typomedian/a
Product-wordpress_meta_robotsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7678
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.57%
||
7 Day CHG~0.00%
Published-03 May, 2026 | 04:00
Updated-05 May, 2026 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection

A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-YunaiV
Product-yudao-cloud
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-20179
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.02% / 59.17%
||
7 Day CHG~0.00%
Published-09 Jan, 2020 | 21:28
Updated-05 Aug, 2024 | 02:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.

Action-Not Available
Vendor-soplanningn/a
Product-soplanningn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9457
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.90% / 77.17%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 15:48
Updated-13 Feb, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The pretty-link plugin before 1.6.8 for WordPress has PrliLinksController::list_links SQL injection via the group parameter.

Action-Not Available
Vendor-caseproofn/a
Product-prettylinksn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8114
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.57%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 22:00
Updated-08 May, 2026 | 14:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JeecgBoot JSON Object loadTreeData sql injection

A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved."

Action-Not Available
Vendor-n/a
Product-JeecgBoot
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9399
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-1.73% / 74.76%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 15:09
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/graph_trend.php type SQL injection.

Action-Not Available
Vendor-trivetechnologyn/a
Product-wp-stats-dashboardn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9398
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.94% / 77.70%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 15:08
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php gcid SQL injection.

Action-Not Available
Vendor-webmaster-sourcen/a
Product-gocodesn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7489
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.33% / 24.48%
||
7 Day CHG~0.00%
Published-02 May, 2026 | 09:02
Updated-05 May, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sunnet|CTMS - SQL Injection

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-Sunnet
Product-CTMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9454
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.93% / 77.49%
||
7 Day CHG~0.00%
Published-07 Oct, 2019 | 14:22
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The smooth-slider plugin before 2.7 for WordPress has SQL Injection via the wp-admin/admin.php?page=smooth-slider-admin current_slider_id parameter.

Action-Not Available
Vendor-slidervillan/a
Product-smooth_slidern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7742
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 15.12%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 07:00
Updated-04 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Online Classroom facultylogin sql injection

A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.

Action-Not Available
Vendor-CodeAstro
Product-Online Classroom
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7392
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 16:45
Updated-29 Apr, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Pharmacy Sales and Inventory System ajax.php delete_supplier sql injection

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function delete_supplier of the file /ajax.php?action=delete_supplier. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodester
Product-Pharmacy Sales and Inventory System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-5434
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.80% / 52.00%
||
7 Day CHG~0.00%
Published-31 Oct, 2023 | 08:32
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Superb slideshow gallery <= 13.1 - Authenticated (Subscriber+) SQL Injection via Shortcode

The Superb slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-gopiplusgopiplus
Product-superb_slideshow_gallerySuperb slideshow gallery
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-9395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.74% / 74.89%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 15:04
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The users-ultra plugin before 1.5.64 for WordPress has SQL Injection via an ajax action.

Action-Not Available
Vendor-usersultran/a
Product-users_ultra_membershipn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7391
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 16:15
Updated-30 Apr, 2026 | 13:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Pharmacy Sales and Inventory System ajax.php save_supplier sql injection

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function save_supplier of the file /ajax.php?action=save_supplier. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Action-Not Available
Vendor-SourceCodester
Product-Pharmacy Sales and Inventory System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7745
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.10%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 07:45
Updated-04 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Online Classroom facultydetails sql injection

A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-CodeAstro
Product-Online Classroom
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8444
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.35% / 26.65%
||
7 Day CHG+0.09%
Published-16 Jun, 2026 | 06:49
Updated-16 Jun, 2026 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'curselrevs' Parameter

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then concatenating each array element directly into a `WHERE id IN ( ... )` clause without quoting and executing via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-https://wpreviewslider.com/
Product-WP Review Slider Pro
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8125
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 16.19%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 01:30
Updated-08 May, 2026 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Simple Chat System sendMessage.php sql injection

A vulnerability was detected in code-projects Simple Chat System 1.0. This vulnerability affects unknown code of the file sendMessage.php. The manipulation of the argument type/length/business parameter validity results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Simple Chat System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7741
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.09%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 06:45
Updated-04 May, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Online Classroom studentlogin sql injection

A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

Action-Not Available
Vendor-CodeAstro
Product-Online Classroom
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 93
  • 94
  • Next
Details not found