Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-27613

Summary
Assigner-synology
Assigner Org ID-db201096-a0cc-46c7-9a55-61d9e221bf01
Published At-28 Jul, 2022 | 06:35
Updated At-17 Sep, 2024 | 01:40
Rejected At-
Credits

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified vectors.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:synology
Assigner Org ID:db201096-a0cc-46c7-9a55-61d9e221bf01
Published At:28 Jul, 2022 | 06:35
Updated At:17 Sep, 2024 | 01:40
Rejected At:
▼CVE Numbering Authority (CNA)

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified vectors.

Affected Products
Vendor
Synology, Inc.Synology
Product
CardDAV Server
Versions
Affected
  • From unspecified before 6.0.10-0153 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.synology.com/security/advisory/Synology_SA_21_06
x_refsource_CONFIRM
Hyperlink: https://www.synology.com/security/advisory/Synology_SA_21_06
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.synology.com/security/advisory/Synology_SA_21_06
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.synology.com/security/advisory/Synology_SA_21_06
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@synology.com
Published At:28 Jul, 2022 | 07:15
Updated At:03 Aug, 2022 | 20:16

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified vectors.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CPE Matches
Synology, Inc.
synology
>>carddav_server>>Versions before 6.0.10-0153(exclusive)
cpe:2.3:a:synology:carddav_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarysecurity@synology.com
CWE ID: CWE-89
Type: Primary
Source: security@synology.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.synology.com/security/advisory/Synology_SA_21_06security@synology.com
Vendor Advisory
Hyperlink: https://www.synology.com/security/advisory/Synology_SA_21_06
Source: security@synology.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

2323Records found
CVE-2022-22684
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-7.2||HIGH
EPSS-1.81% / 83.08%
||
7 Day CHG~0.00%
Published-28 Jul, 2022 | 06:25
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-29092
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-8.8||HIGH
EPSS-1.20% / 79.17%
||
7 Day CHG~0.00%
Published-01 Jun, 2021 | 09:45
Updated-16 Sep, 2024 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationSynology Photo Station
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-5401
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.94%
||
7 Day CHG~0.00%
Published-04 Dec, 2025 | 14:20
Updated-05 Dec, 2025 | 21:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_manager_unified_controllerdiskstation_managerUnified Controller (DSMUC)DiskStation Manager (DSM)
CWE ID-CWE-913
Improper Control of Dynamically-Managed Code Resources
CVE-2021-34810
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-9.9||CRITICAL
EPSS-1.11% / 78.36%
||
7 Day CHG~0.00%
Published-18 Jun, 2021 | 03:00
Updated-16 Sep, 2024 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-download_stationDownload Station
CWE ID-CWE-269
Improper Privilege Management
CVE-2021-27648
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-9||CRITICAL
EPSS-9.89% / 93.10%
||
7 Day CHG~0.00%
Published-28 Apr, 2021 | 07:25
Updated-16 Sep, 2024 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-antivirus_essentialSynology Antivirus Essential
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2019-11826
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-8||HIGH
EPSS-0.86% / 75.22%
||
7 Day CHG~0.00%
Published-30 Jun, 2019 | 15:00
Updated-16 Sep, 2024 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-momentsPhoto Moments
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-44142
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-35.70% / 97.14%
||
7 Day CHG~0.00%
Published-21 Feb, 2022 | 14:30
Updated-23 Apr, 2025 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

Action-Not Available
Vendor-SambaCanonical Ltd.Red Hat, Inc.Fedora ProjectSynology, Inc.Debian GNU/Linux
Product-enterprise_linux_serverubuntu_linuxsambaenterprise_linux_server_update_services_for_sap_solutionsenterprise_linux_server_ausenterprise_linuxvirtualization_hostenterprise_linux_desktopdiskstation_managergluster_storagecodeready_linux_builderenterprise_linux_for_scientific_computingdebian_linuxenterprise_linux_workstationfedoraenterprise_linux_for_ibm_z_systemsenterprise_linux_eusenterprise_linux_for_power_little_endian_eusenterprise_linux_server_tusenterprise_linux_for_power_little_endianenterprise_linux_for_ibm_z_systems_eusenterprise_linux_resilient_storageenterprise_linux_for_power_big_endianSamba
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2021-43928
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-9.9||CRITICAL
EPSS-1.06% / 77.89%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 02:15
Updated-17 Sep, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in mail sending and receiving component in Synology Mail Station before 20211105-10315 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-mail_stationMail Station
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-43749
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.55%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 10:05
Updated-09 May, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-presto_file_serverPresto File Server
CWE ID-CWE-269
Improper Privilege Management
CVE-2023-41738
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-7.2||HIGH
EPSS-0.76% / 73.51%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 09:08
Updated-01 Oct, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Directory Domain Functionality in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-router_managerSynology Router Manager (SRM)
CVE-2021-34809
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-9.9||CRITICAL
EPSS-1.64% / 82.17%
||
7 Day CHG~0.00%
Published-18 Jun, 2021 | 03:00
Updated-16 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-download_stationDownload Station
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-22688
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-8.8||HIGH
EPSS-1.02% / 77.51%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 06:55
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2017-11161
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 69.29%
||
7 Day CHG~0.00%
Published-08 Sep, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationSynology Photo Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-50631
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-7.5||HIGH
EPSS-1.23% / 79.37%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 05:50
Updated-19 Mar, 2025 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-Synology Drive Server
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43927
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.41% / 61.78%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 02:15
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43925
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.41% / 61.23%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 02:15
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-33180
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-7.3||HIGH
EPSS-0.34% / 56.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2021 | 09:45
Updated-17 Sep, 2024 | 03:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-media_serverSynology Media Server
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-29089
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.82% / 74.59%
||
7 Day CHG~0.00%
Published-02 Jun, 2021 | 02:15
Updated-16 Sep, 2024 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationSynology Photo Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-29090
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-7.2||HIGH
EPSS-1.04% / 77.70%
||
7 Day CHG~0.00%
Published-02 Jun, 2021 | 02:00
Updated-17 Sep, 2024 | 03:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationSynology Photo Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-11821
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-7.3||HIGH
EPSS-0.58% / 69.12%
||
7 Day CHG~0.00%
Published-30 Jun, 2019 | 15:00
Updated-17 Sep, 2024 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationPhoto Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-8914
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-7.3||HIGH
EPSS-0.32% / 55.46%
||
7 Day CHG~0.00%
Published-10 May, 2018 | 13:00
Updated-16 Sep, 2024 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-media_serverMedia Server
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43926
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.41% / 61.23%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 02:15
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-diskstation_managerDiskStation Manager (DSM)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6911
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.58% / 81.83%
||
7 Day CHG~0.00%
Published-11 Sep, 2015 | 16:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi.

Action-Not Available
Vendor-n/aSynology, Inc.
Product-video_stationn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6910
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.63% / 70.43%
||
7 Day CHG~0.00%
Published-11 Sep, 2015 | 16:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi.

Action-Not Available
Vendor-n/aSynology, Inc.
Product-video_stationn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29235
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:26
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29232
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:24
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29227
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:08
Updated-04 Aug, 2025 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Stationsurveillance_station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29233
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:25
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29238
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:28
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29236
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.59%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:27
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29230
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.59%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:22
Updated-04 Aug, 2025 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29234
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:26
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29239
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.59%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:28
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29237
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 48.14%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:27
Updated-04 Aug, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-surveillance_stationdiskstation_managerSurveillance Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-27660
Matching Score-6
Assigner-Synology Inc.
ShareView Details
Matching Score-6
Assigner-Synology Inc.
CVSS Score-9.6||CRITICAL
EPSS-2.20% / 84.62%
||
7 Day CHG~0.00%
Published-30 Nov, 2020 | 09:30
Updated-17 Sep, 2024 | 04:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-safeaccessSafe Access
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36636
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-02 Sep, 2022 | 04:34
Updated-03 Aug, 2024 | 10:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /print.php.

Action-Not Available
Vendor-n/amayuri_k
Product-garage_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2847
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.54%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 13:00
Updated-28 May, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Codezips Gym Management System over_month.php sql injection

A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. This issue affects some unknown processing of the file /dashboard/admin/over_month.php. The manipulation of the argument mm leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-CodeZips
Product-gym_management_systemGym Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-2984
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.54%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 08:31
Updated-14 May, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Payroll Management System delete.php sql injection

A vulnerability was found in code-projects Payroll Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /delete.php. The manipulation of the argument emp_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & ProjectsFabian Ros
Product-payroll_management_systemPayroll Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36635
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.08% / 84.21%
||
7 Day CHG~0.00%
Published-07 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 10:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbiosecurity_v5000n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36686
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-29 Aug, 2022 | 13:56
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /admin/?page=reports/stockin&month=.

Action-Not Available
Vendor-ingredient_stock_management_system_projectn/a
Product-ingredient_stock_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36703
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-25 Aug, 2022 | 20:41
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /stocks/manage_stockin.php.

Action-Not Available
Vendor-ingredients_stock_management_system_projectn/a
Product-ingredients_stock_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36698
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-25 Aug, 2022 | 20:41
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/view_category.php.

Action-Not Available
Vendor-ingredients_stock_management_system_projectn/a
Product-ingredients_stock_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8111
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-0.35% / 57.80%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 14:33
Updated-13 May, 2026 | 03:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-28 Aug, 2022 | 22:46
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the Id parameter at /librarian/studentdetails.php.

Action-Not Available
Vendor-n/ajkev
Product-library_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7816
Matching Score-4
Assigner-PostgreSQL
ShareView Details
Matching Score-4
Assigner-PostgreSQL
CVSS Score-8.7||HIGH
EPSS-0.20% / 42.32%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 14:35
Updated-11 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.

Action-Not Available
Vendor-pgadmin.org
Product-pgAdmin 4
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7815
Matching Score-4
Assigner-PostgreSQL
ShareView Details
Matching Score-4
Assigner-PostgreSQL
CVSS Score-8.7||HIGH
EPSS-0.05% / 16.07%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 14:35
Updated-11 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pgAdmin 4: SQL injection in Maintenance tool option values leading to remote code execution

SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.

Action-Not Available
Vendor-pgadmin.org
Product-pgAdmin 4
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7489
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.09% / 25.23%
||
7 Day CHG~0.00%
Published-02 May, 2026 | 09:02
Updated-05 May, 2026 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sunnet|CTMS - SQL Injection

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-Sunnet
Product-CTMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36690
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-29 Aug, 2022 | 13:56
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user&id=.

Action-Not Available
Vendor-ingredient_stock_management_system_projectn/a
Product-ingredient_stock_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36700
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.56%
||
7 Day CHG~0.00%
Published-25 Aug, 2022 | 20:42
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ingredients Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /items/manage_item.php.

Action-Not Available
Vendor-ingredients_stock_management_system_projectn/a
Product-ingredients_stock_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-3661
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-8.1||HIGH
EPSS-0.17% / 38.18%
||
7 Day CHG~0.00%
Published-13 Nov, 2019 | 23:40
Updated-04 Aug, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Threat Defense (ATD) - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.

Action-Not Available
Vendor-McAfee, LLC
Product-advanced_threat_defenseAdvanced Threat Defense (ATD)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 46
  • 47
  • Next
Details not found