Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-10220

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-07 Mar, 2020 | 22:37
Updated At-04 Aug, 2024 | 10:58
Rejected At-
Credits

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:07 Mar, 2020 | 22:37
Updated At:04 Aug, 2024 | 10:58
Rejected At:
▼CVE Numbering Authority (CNA)

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
x_refsource_MISC
http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
x_refsource_MISC
http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
x_refsource_MISC
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
x_refsource_MISC
http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
x_refsource_MISC
Hyperlink: https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
Resource:
x_refsource_MISC
Hyperlink: https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
x_refsource_MISC
x_transferred
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:07 Mar, 2020 | 23:15
Updated At:12 Mar, 2020 | 22:15

An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

rconfig
rconfig
>>rconfig>>Versions up to 3.9.4(inclusive)
cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarynvd@nist.gov
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.htmlcve@mitre.org
N/A
http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.htmlcve@mitre.org
N/A
http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.htmlcve@mitre.org
N/A
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.pycve@mitre.org
N/A
https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.pycve@mitre.org
Exploit
Third Party Advisory
Hyperlink: http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_sqli.py
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10803Records found

CVE-2020-10547
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-36.11% / 98.28%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 03:24
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-10546
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-87.33% / 99.73%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 03:25
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-10549
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-36.16% / 98.28%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 03:24
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-10548
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-36.11% / 98.28%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 03:24
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-13638
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-76.76% / 99.49%
||
7 Day CHG~0.00%
Published-13 Nov, 2020 | 19:53
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-269
Improper Privilege Management
CVE-2019-16662
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-97.70% / 99.90%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 11:52
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-23151
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.72% / 92.10%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 22:54
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-10879
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-83.86% / 99.66%
||
7 Day CHG~0.00%
Published-23 Mar, 2020 | 21:44
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-23150
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.56% / 72.19%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 22:54
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a crafted GET request to install/lib/ajaxHandlers/ajaxDbInstall.php.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-29004
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.06% / 79.02%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 11:58
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.6 is affected by SQL Injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv in MySQL server is not set and the Mysql server is the same as rConfig, an attacker may successfully upload a webshell to the server and access it remotely.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-45030
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.69% / 84.02%
||
7 Day CHG~0.00%
Published-15 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv).

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-23149
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.35% / 68.17%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 22:54
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and access sensitive database information.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-15713
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.79% / 84.68%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 13:03
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php script using the sortBy parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-15714
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.79% / 84.68%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 13:03
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.crud.php script using the custom_Location parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-19207
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-22.73% / 97.44%
||
7 Day CHG~0.00%
Published-21 Nov, 2019 | 21:06
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2663
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.28%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 20:31
Updated-13 May, 2025 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Bank Locker Management System search-locker-details.php sql injection

A vulnerability has been found in PHPGurukul Bank Locker Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /search-locker-details.php. The manipulation of the argument searchinput leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-bank_locker_management_systemBank Locker Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4357
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.00% / 58.44%
||
7 Day CHG~0.00%
Published-02 Jan, 2023 | 21:49
Updated-10 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LetsRecover < 1.2.0 - Unauthenticated SQLi

The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Action-Not Available
Vendor-letsrecover_projectUnknown
Product-letsrecoverLetsRecover
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-125065
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.67% / 47.56%
||
7 Day CHG~0.00%
Published-07 Jan, 2023 | 19:39
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
john5223 bottle-auth sql injection

A vulnerability, which was classified as critical, was found in john5223 bottle-auth. Affected is an unknown function. The manipulation leads to sql injection. The name of the patch is 99cfbcc0c1429096e3479744223ffb4fda276875. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217632.

Action-Not Available
Vendor-bottle-auth_projectjohn5223
Product-bottle-authbottle-auth
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2640
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.05%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 03:31
Updated-24 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Doctor Appointment Management System appointment-bwdates-reports-details.php sql injection

A vulnerability was found in PHPGurukul Doctor Appointment Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /doctor/appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-Doctor Appointment Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-16644
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.37% / 68.49%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 15:16
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring.

Action-Not Available
Vendor-tuzicmsn/a
Product-tuzicmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-125052
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.64% / 46.35%
||
7 Day CHG~0.00%
Published-06 Jan, 2023 | 20:40
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JervenBolleman sparql-identifiers RegistryDao.java sql injection

A vulnerability was found in JervenBolleman sparql-identifiers and classified as critical. This issue affects some unknown processing of the file src/main/java/org/identifiers/db/RegistryDao.java. The manipulation leads to sql injection. The patch is named 44bb0db91c064e305b192fc73521d1dfd25bde52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217571.

Action-Not Available
Vendor-sparql-identifiers_projectJervenBolleman
Product-sparql-identifierssparql-identifiers
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2657
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.04%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 17:31
Updated-13 May, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
projectworlds Apartment Visitors Management System front.php sql injection

A vulnerability classified as critical was found in projectworlds Apartment Visitors Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /front.php. The manipulation of the argument rid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Projectworlds
Product-apartment_visitors_management_systemApartment Visitors Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-26612
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.52% / 40.52%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 20:34
Updated-28 Feb, 2025 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection endpoint 'adicionar_almoxarife.php' parameter 'id_almoxarifado', 'id_funcionario' in WeGIA

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, `adicionar_almoxarife.php` endpoint. This vulnerability could allow an attacker to execute arbitrary SQL queries, allowing unauthorized access to sensitive information. This issue has been addressed in version 3.2.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-wegiaLabRedesCefetRJ
Product-wegiaWeGIA
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-125083
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.65% / 46.75%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 09:22
Updated-15 Oct, 2024 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Anant Labs google-enterprise-connector-dctm sql injection

A vulnerability has been found in Anant Labs google-enterprise-connector-dctm up to 3.2.3 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument username/domain leads to sql injection. The patch is named 6fba04f18ab7764002a1da308e7cd9712b501cb7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218911.

Action-Not Available
Vendor-anantAnant Labs
Product-google-enterprise-connector-dctmgoogle-enterprise-connector-dctm
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-26794
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-75.78% / 99.46%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 00:00
Updated-18 Dec, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

Action-Not Available
Vendor-Exim
Product-eximExim
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25775
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 36.27%
||
7 Day CHG~0.00%
Published-25 Apr, 2025 | 00:00
Updated-28 May, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Codeastro Bus Ticket Booking System v1.0 is vulnerable to SQL injection via the kodetiket parameter in /BusTicket-CI/tiket/cekorder.

Action-Not Available
Vendor-n/aCodeAstro
Product-bus_ticket_booking_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2676
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.46% / 36.90%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 01:00
Updated-04 Jun, 2025 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Bank Locker Management System add-subadmin.php sql injection

A vulnerability, which was classified as critical, was found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file /add-subadmin.php. The manipulation of the argument sadminusername leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-bank_locker_management_systemBank Locker Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2655
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.55% / 41.82%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 16:31
Updated-22 Nov, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester AC Repair and Services System Users.php delete_users sql injection

A vulnerability was detected in SourceCodester AC Repair and Services System 1.0. The affected element is the function save_users/delete_users of the file /classes/Users.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-SourceCodesteroretnom23
Product-ac_repair_and_services_systemAC Repair and Services System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2677
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.05%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 01:31
Updated-04 Jun, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Bank Locker Management System changeidproof.php sql injection

A vulnerability has been found in PHPGurukul Bank Locker Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /changeidproof.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-bank_locker_management_systemBank Locker Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25257
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-9.6||CRITICAL
EPSS-96.71% / 99.88%
||
7 Day CHG~0.00%
Published-17 Jul, 2025 | 15:10
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-08-08||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortiWebFortiWeb
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8734
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 17.26%
||
7 Day CHG~0.00%
Published-17 May, 2026 | 05:00
Updated-18 May, 2026 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Oinone Pamirs queryListByWrapper RSQLToSQLNodeConnector.makeVariable sql injection

A vulnerability was determined in Oinone Pamirs up to 7.2.0. Affected by this issue is the function RSQLToSQLNodeConnector.makeVariable of the component queryListByWrapper Interface. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Oinone
Product-Pamirs
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2678
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.05%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 02:00
Updated-04 Jun, 2025 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Bank Locker Management System changeimage1.php sql injection

A vulnerability was found in PHPGurukul Bank Locker Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /changeimage1.php. The manipulation of the argument editid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-bank_locker_management_systemBank Locker Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-125079
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.66% / 46.97%
||
7 Day CHG~0.00%
Published-15 Jan, 2023 | 08:58
Updated-08 Apr, 2025 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
agy pontifex.http Http.coffee sql injection

A vulnerability was found in agy pontifex.http. It has been declared as critical. This vulnerability affects unknown code of the file lib/Http.coffee. The manipulation leads to sql injection. Upgrading to version 0.1.0 is able to address this issue. The name of the patch is e52a758f96861dcef2dabfecb9da191bb2e07761. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218356.

Action-Not Available
Vendor-pontifex.http_projectagy
Product-pontifex.httppontifex.http
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25763
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.82% / 52.73%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 00:00
Updated-07 Jul, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php

Action-Not Available
Vendor-crmebn/a
Product-crmebn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2641
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.04%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 04:31
Updated-24 Mar, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Art Gallery Management System edit-artist-detail.php sql injection

A vulnerability, which was classified as critical, has been found in PHPGurukul Art Gallery Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit-artist-detail.php?editid=1. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-Art Gallery Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-6903
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.40% / 31.89%
||
7 Day CHG~0.00%
Published-30 Jun, 2025 | 10:32
Updated-11 Jul, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Car Rental System approve.php sql injection

A vulnerability was found in code-projects Car Rental System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/approve.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-anishaSource Code & Projects
Product-car_rental_systemCar Rental System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-1608
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.14% / 86.33%
||
7 Day CHG~0.00%
Published-18 Mar, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request.

Action-Not Available
Vendor-n/aDebian GNU/LinuxMantis Bug Tracker (MantisBT)
Product-debian_linuxmantisbtn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-125058
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.71% / 48.94%
||
7 Day CHG~0.00%
Published-07 Jan, 2023 | 10:10
Updated-06 Aug, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnMeSomeCodes project3 search.rb search_first_name sql injection

A vulnerability was found in LearnMeSomeCodes project3 and classified as critical. This issue affects the function search_first_name of the file search.rb. The manipulation leads to sql injection. The patch is named d3efa17ae9f6b2fc25a6bbcf165cefed17c7035e. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217607. NOTE: Maintainer is aware of this issue as remarked in the source code.

Action-Not Available
Vendor-address_book_projectLearnMeSomeCodes
Product-address_bookproject3
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25519
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 38.11%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 00:00
Updated-28 Mar, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Seacms <=13.3 is vulnerable to SQL Injection in admin_zyk.php.

Action-Not Available
Vendor-seacmsn/a
Product-seacmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-125046
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.64% / 46.35%
||
7 Day CHG~0.00%
Published-06 Jan, 2023 | 09:53
Updated-10 Apr, 2025 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Seiji42 cub-scout-tracker databaseAccessFunctions.js sql injection

A vulnerability, which was classified as critical, was found in Seiji42 cub-scout-tracker. This affects an unknown part of the file databaseAccessFunctions.js. The manipulation leads to sql injection. The patch is named b4bc1a328b1f59437db159f9d136d9ed15707e31. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217551.

Action-Not Available
Vendor-cub-scout-tracker_projectSeiji42
Product-cub-scout-trackercub-scout-tracker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2642
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 38.04%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 07:00
Updated-02 Apr, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Art Gallery Management System edit-art-product-detail.php sql injection

A vulnerability, which was classified as critical, was found in PHPGurukul Art Gallery Management System 1.0. This affects an unknown part of the file /admin/edit-art-product-detail.php?editid=2. The manipulation of the argument editide/sprice/description leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-art_gallery_management_systemArt Gallery Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25516
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 38.11%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 00:00
Updated-28 Mar, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Seacms <=13.3 is vulnerable to SQL Injection in admin_paylog.php.

Action-Not Available
Vendor-seacmsn/a
Product-seacmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-2323
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-61.67% / 99.06%
||
7 Day CHG~0.00%
Published-14 Mar, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

Action-Not Available
Vendor-lighttpdn/aopenSUSEDebian GNU/LinuxSUSE
Product-debian_linuxlighttpdlinux_enterprise_high_availability_extensionlinux_enterprise_software_development_kitopensusen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2647
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.47% / 37.13%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 11:00
Updated-24 Mar, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Art Gallery Management System search.php sql injection

A vulnerability was found in PHPGurukul Art Gallery Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /search.php. The manipulation of the argument Search leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-Art Gallery Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2654
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 16:00
Updated-26 Mar, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester AC Repair and Services System manage_service.php sql injection

A vulnerability was found in SourceCodester AC Repair and Services System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/services/manage_service.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodesteroretnom23
Product-ac_repair_and_services_systemAC Repair and Services System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2679
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.46% / 36.90%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 02:31
Updated-04 Jun, 2025 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Bank Locker Management System contact-us.php sql injection

A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /contact-us.php. The manipulation of the argument pagetitle leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-bank_locker_management_systemBank Locker Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8785
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.25% / 16.69%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 02:45
Updated-18 May, 2026 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
projectworlds hospital-management-system-in-php GET Parameter update_info.php getAllPatientDetail sql injection

A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-Projectworlds
Product-hospital-management-system-in-php
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-1925
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.99% / 78.23%
||
7 Day CHG~0.00%
Published-24 Jan, 2020 | 16:42
Updated-06 Aug, 2024 | 09:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924.

Action-Not Available
Vendor-kohan/a
Product-kohan/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25389
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.73% / 49.59%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 00:00
Updated-28 Mar, 2025 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL Injection vulnerability was found in /admin/forgot-password.php in Phpgurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the contactno POST request parameter.

Action-Not Available
Vendor-n/aPHPGurukul LLP
Product-land_record_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-12348
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.66% / 73.81%
||
7 Day CHG~0.00%
Published-24 May, 2021 | 15:03
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter.

Action-Not Available
Vendor-zzcmsn/a
Product-zzcmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 216
  • 217
  • Next
Details not found