Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-4309

Summary
Assigner-cisa-cg
Assigner Org ID-9119a7d8-5eab-497f-8521-727c672e3725
Published At-10 Oct, 2023 | 17:27
Updated At-18 Sep, 2024 | 18:52
Rejected At-
Credits

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:cisa-cg
Assigner Org ID:9119a7d8-5eab-497f-8521-727c672e3725
Published At:10 Oct, 2023 | 17:27
Updated At:18 Sep, 2024 | 18:52
Rejected At:
▼CVE Numbering Authority (CNA)

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.

Affected Products
Vendor
Election Services Co. (ESC)
Product
Internet Election Service
Default Status
unknown
Versions
Affected
  • From 0 through 2023-08-12 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Schema
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://schemasecurity.co/private-elections.pdf
N/A
https://www.youtube.com/watch?v=yeG1xZkHc64
N/A
https://www.electionservicesco.com/pages/services_internet.php
N/A
Hyperlink: https://schemasecurity.co/private-elections.pdf
Resource: N/A
Hyperlink: https://www.youtube.com/watch?v=yeG1xZkHc64
Resource: N/A
Hyperlink: https://www.electionservicesco.com/pages/services_internet.php
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://schemasecurity.co/private-elections.pdf
x_transferred
https://www.youtube.com/watch?v=yeG1xZkHc64
x_transferred
https://www.electionservicesco.com/pages/services_internet.php
x_transferred
Hyperlink: https://schemasecurity.co/private-elections.pdf
Resource:
x_transferred
Hyperlink: https://www.youtube.com/watch?v=yeG1xZkHc64
Resource:
x_transferred
Hyperlink: https://www.electionservicesco.com/pages/services_internet.php
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:9119a7d8-5eab-497f-8521-727c672e3725
Published At:10 Oct, 2023 | 18:15
Updated At:02 Aug, 2024 | 08:15

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CPE Matches

electionservicesco
electionservicesco
>>internet_election_service>>-
cpe:2.3:a:electionservicesco:internet_election_service:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarynvd@nist.gov
CWE-89Secondary9119a7d8-5eab-497f-8521-727c672e3725
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-89
Type: Secondary
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://schemasecurity.co/private-elections.pdf9119a7d8-5eab-497f-8521-727c672e3725
N/A
https://www.electionservicesco.com/pages/services_internet.php9119a7d8-5eab-497f-8521-727c672e3725
N/A
https://www.youtube.com/watch?v=yeG1xZkHc649119a7d8-5eab-497f-8521-727c672e3725
N/A
Hyperlink: https://schemasecurity.co/private-elections.pdf
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Resource: N/A
Hyperlink: https://www.electionservicesco.com/pages/services_internet.php
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Resource: N/A
Hyperlink: https://www.youtube.com/watch?v=yeG1xZkHc64
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6100Records found

CVE-2016-11000
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.13% / 79.75%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:32
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.

Action-Not Available
Vendor-smackcodersn/a
Product-ultimate_exportern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4550
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 34.56%
||
7 Day CHG-0.00%
Published-11 May, 2025 | 22:31
Updated-16 May, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Apartment Visitors Management System pass-details.php sql injection

A vulnerability, which was classified as critical, has been found in PHPGurukul Apartment Visitors Management System 1.0. This issue affects some unknown processing of the file /admin/pass-details.php. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-apartment_visitors_management_systemApartment Visitors Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4559
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.3||CRITICAL
EPSS-0.46% / 36.47%
||
7 Day CHG~0.00%
Published-12 May, 2025 | 06:03
Updated-12 May, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netvision ISOinsight - SQL Injection

The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-Netvision
Product-ISOinsight
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4509
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.40%
||
7 Day CHG~0.00%
Published-10 May, 2025 | 17:31
Updated-16 May, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul e-Diary Management System manage-notes.php sql injection

A vulnerability, which was classified as critical, has been found in PHPGurukul e-Diary Management System 1.0. This issue affects some unknown processing of the file /manage-notes.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-e-diary_management_systeme-Diary Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-46190
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 27.18%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 00:00
Updated-22 May, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_delivery_update.php via the order_id POST parameter.

Action-Not Available
Vendor-lerouxyxchiren/a
Product-client_database_management_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4491
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.55% / 41.79%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 21:00
Updated-13 May, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Campcodes Online Food Ordering System ticket-status.php sql injection

A vulnerability classified as critical was found in Campcodes Online Food Ordering System 1.0. This vulnerability affects unknown code of the file /routers/ticket-status.php. The manipulation of the argument ticket_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-CampCodes
Product-online_food_ordering_systemOnline Food Ordering System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4466
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.75% / 50.48%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 06:00
Updated-22 Dec, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Gym Management System ajax.php sql injection

A vulnerability was found in itsourcecode Gym Management System 1.0. It has been classified as critical. This affects an unknown part of the file /ajax.php?action=save_payment. The manipulation of the argument registration_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-admercITSourceCodeAdrian Mercurio
Product-gym_management_systemGym Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4464
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.75% / 50.48%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 05:31
Updated-22 Dec, 2025 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Gym Management System ajax.php sql injection

A vulnerability has been found in itsourcecode Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_plan. The manipulation of the argument plan leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-admercITSourceCodeAdrian Mercurio
Product-gym_management_systemGym Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4363
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.42% / 33.84%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 15:31
Updated-19 Dec, 2025 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Gym Management System ajax.php sql injection

A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=end_membership. The manipulation of the argument rid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-admercITSourceCodeAdrian Mercurio
Product-gym_management_systemGym Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-17232
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.75% / 75.08%
||
7 Day CHG~0.00%
Published-20 Sep, 2018 | 06:00
Updated-05 Aug, 2024 | 10:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in archivebot.py in docmarionum1 Slack ArchiveBot (aka slack-archive-bot) before 2018-09-19 allows remote attackers to execute arbitrary SQL commands via the text parameter to cursor.execute().

Action-Not Available
Vendor-slack_archivebot_projectn/a
Product-slack_archivebotn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-16659
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.74% / 84.34%
||
7 Day CHG~0.00%
Published-28 Sep, 2018 | 00:00
Updated-05 Aug, 2024 | 10:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Rausoft ID.prove 2.95. The login page allows SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.

Action-Not Available
Vendor-rausoftn/a
Product-id.proven/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-1494
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.74% / 49.99%
||
7 Day CHG~0.00%
Published-18 Mar, 2023 | 23:00
Updated-11 Feb, 2025 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBOS ApiController.php sql injection

A vulnerability classified as critical has been found in IBOS 4.5.5. Affected is an unknown function of the file ApiController.php. The manipulation of the argument emailids leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223380.

Action-Not Available
Vendor-ibosn/a
Product-ibosIBOS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4482
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.17%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 17:31
Updated-16 May, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Project Worlds Student Project Allocation System forgot_password_sql.php sql injection

A vulnerability classified as critical was found in Project Worlds Student Project Allocation System 1.0. Affected by this vulnerability is an unknown functionality of the file /change_pass/forgot_password_sql.php. The manipulation of the argument Pat_BloodGroup1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-Projectworlds
Product-student_project_allocation_systemStudent Project Allocation System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-21806
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.16% / 63.35%
||
7 Day CHG~0.00%
Published-27 Jul, 2021 | 16:20
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection Vulnerability in ECTouch v2 via the shop page in index.php..

Action-Not Available
Vendor-ectouchn/a
Product-ectouchn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4484
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.17%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 19:00
Updated-22 Dec, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Gym Management System ajax.php sql injection

A vulnerability, which was classified as critical, was found in itsourcecode Gym Management System 1.0. This affects an unknown part of the file /ajax.php?action=delete_user. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-admercITSourceCodeAdrian Mercurio
Product-gym_management_systemGym Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-1198
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 47.00%
||
7 Day CHG~0.00%
Published-10 Mar, 2023 | 10:54
Updated-01 Jun, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQLi in Saysis Starcities

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saysis Starcities allows SQL Injection. This issue affects Starcities: through 1.3.

Action-Not Available
Vendor-saysisSaysis
Product-starcitiesStarcities
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-44073
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 32.55%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 00:00
Updated-12 Jun, 2025 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_comment_news.php.

Action-Not Available
Vendor-seacmsn/a
Product-seacmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4301
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.42% / 33.85%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 00:31
Updated-13 May, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Content Management System search-notice.php sql injection

A vulnerability classified as critical was found in itsourcecode Content Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /search-notice.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-emiloiITSourceCode
Product-content_management_systemContent Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-16850
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8||HIGH
EPSS-5.15% / 91.40%
||
7 Day CHG~0.00%
Published-13 Nov, 2018 | 15:00
Updated-05 Aug, 2024 | 10:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.

Action-Not Available
Vendor-The PostgreSQL ProjectCanonical Ltd.The PostgreSQL Global Development GroupRed Hat, Inc.
Product-ubuntu_linuxpostgresqlenterprise_linuxpostgresql
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-20975
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.28% / 66.49%
||
7 Day CHG~0.00%
Published-12 Aug, 2021 | 14:49
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.

Action-Not Available
Vendor-gxlcmsn/a
Product-gxlcmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10942
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.99% / 78.18%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 11:53
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.

Action-Not Available
Vendor-podloven/a
Product-podlove_podcast_publishern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4297
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.85%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 23:00
Updated-16 May, 2025 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Men Salon Management System change-password.php sql injection

A vulnerability was found in PHPGurukul Men Salon Management System 2.0. It has been classified as critical. This affects an unknown part of the file /admin/change-password.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected.

Action-Not Available
Vendor-PHPGurukul LLP
Product-men_salon_management_systemMen Salon Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4399
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.5||MEDIUM
EPSS-0.72% / 49.32%
||
7 Day CHG~0.00%
Published-10 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TicklishHoneyBee nodau db.c sql injection

A vulnerability was found in TicklishHoneyBee nodau. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/db.c. The manipulation of the argument value/name leads to sql injection. The name of the patch is 7a7d737a3929f335b9717ddbd31db91151b69ad2. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215252.

Action-Not Available
Vendor-nodau_projectTicklishHoneyBee
Product-nodaunodau
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-43214
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.89% / 54.96%
||
7 Day CHG~0.00%
Published-22 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 05:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the orderId parameter at printOrder.php.

Action-Not Available
Vendor-billing_system_projectn/a
Product-billing_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2005-4891
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.76% / 75.20%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 16:09
Updated-08 Aug, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.

Action-Not Available
Vendor-simplemachinesSimple Machine Forum
Product-simple_machine_forumSimple Machine Forum
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4314
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.85%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 04:31
Updated-14 May, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Advanced Web Store index.php sql injection

A vulnerability has been found in SourceCodester Advanced Web Store 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation of the argument txtLogin leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-donbermoySourceCodester
Product-advanced_web_storeAdvanced Web Store
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-43775
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-20.59% / 97.21%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HICT_Loop class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system.

Action-Not Available
Vendor-n/aDelta Electronics, Inc.
Product-diaenergieDelta Electronics DIAEnergie
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-6138
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.8||CRITICAL
EPSS-2.63% / 83.69%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 20:03
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The uname parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection An attacker can send an HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-os4edn/a
Product-opensisOS4Ed
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-42984
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 49.19%
||
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WoWonder Social Network Platform 4.1.4 was discovered to contain a SQL injection vulnerability via the offset parameter at requests.php?f=search&s=recipients.

Action-Not Available
Vendor-wowondern/a
Product-wowondern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-43672
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-67.08% / 99.21%
||
7 Day CHG~0.00%
Published-12 Nov, 2022 | 00:00
Updated-01 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_access_manager_plusmanageengine_pam360manageengine_password_manager_pron/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-41348
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-8.7||HIGH
EPSS-0.46% / 36.44%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 11:24
Updated-18 Feb, 2026 | 12:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.

Action-Not Available
Vendor-iestInformatica del Este
Product-winplusWinPlus
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4375
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-2.89% / 85.19%
||
7 Day CHG~0.00%
Published-09 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mingsoft MCMS list sql injection

A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.

Action-Not Available
Vendor-mingsoftMingsoft
Product-mcmsMCMS
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4383
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.04% / 59.73%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 14:31
Updated-02 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CBX Petition for WordPress <= 1.0.3 - Unauthenticated SQLi

The CBX Petition for WordPress plugin through 1.0.3 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Action-Not Available
Vendor-codeboxrUnknown
Product-cbx_petition_for_wordpressCBX Petition for WordPress
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4297
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-3.60% / 88.04%
||
7 Day CHG~0.00%
Published-02 Jan, 2023 | 21:49
Updated-11 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection

Action-Not Available
Vendor-netflixtechUnknown
Product-wp_autocomplete_searchWP AutoComplete Search
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4312
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.85%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 04:00
Updated-14 May, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Advanced Web Store productdetail.php sql injection

A vulnerability, which was classified as critical, has been found in SourceCodester Advanced Web Store 1.0. This issue affects some unknown processing of the file /productdetail.php. The manipulation of the argument prodid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-donbermoySourceCodester
Product-advanced_web_storeAdvanced Web Store
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-20289
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.13% / 62.53%
||
7 Day CHG~0.00%
Published-01 Feb, 2021 | 17:38
Updated-04 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sql injection vulnerability in the yccms 3.3 project. The no_top function's improper judgment of the request parameters, triggers a sql injection vulnerability.

Action-Not Available
Vendor-yccmsn/a
Product-yccmsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-11024
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.36% / 68.45%
||
7 Day CHG~0.00%
Published-30 Mar, 2020 | 19:41
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

Action-Not Available
Vendor-odata4j_projectn/a
Product-odata4jn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-11023
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.36% / 68.44%
||
7 Day CHG~0.00%
Published-30 Mar, 2020 | 19:41
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.

Action-Not Available
Vendor-odata4j_projectn/a
Product-odata4jn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4353
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 32.39%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 12:00
Updated-06 Nov, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Brilliance Golden Link Secondary System queryTsDictionaryType.htm sql injection

A vulnerability, which was classified as critical, was found in Brilliance Golden Link Secondary System up to 20250424. Affected is an unknown function of the file /paraframework/queryTsDictionaryType.htm. The manipulation of the argument dictCn1 leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-brillianceBrilliance
Product-golden_link_secondary_systemGolden Link Secondary System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4151
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.14%
||
7 Day CHG+0.02%
Published-01 May, 2025 | 05:31
Updated-07 May, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Curfew e-Pass Management System pass-bwdates-reports-details.php sql injection

A vulnerability was found in PHPGurukul Curfew e-Pass Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/pass-bwdates-reports-details.php. The manipulation of the argument fromdate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-PHPGurukul LLP
Product-curfew_e-pass_management_systemCurfew e-Pass Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4427
Matching Score-4
Assigner-OTRS AG
ShareView Details
Matching Score-4
Assigner-OTRS AG
CVSS Score-6.5||MEDIUM
EPSS-0.71% / 49.21%
||
7 Day CHG~0.00%
Published-19 Dec, 2022 | 08:09
Updated-14 Apr, 2025 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection via OTRS Search API

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

Action-Not Available
Vendor-OTRS AG
Product-otrs((OTRS)) Community EditionOTRS
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-8592
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.40% / 69.20%
||
7 Day CHG~0.00%
Published-03 Feb, 2020 | 20:05
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature).

Action-Not Available
Vendor-eginnovationsn/a
Product-eg_managern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4214
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.44% / 35.14%
||
7 Day CHG+0.02%
Published-02 May, 2025 | 19:31
Updated-28 May, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGuruku Online DJ Booking Management System booking-bwdates-reports-details.php sql injection

A vulnerability was found in PHPGuruku Online DJ Booking Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/booking-bwdates-reports-details.php. The manipulation of the argument fromdate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-PHPGurukuPHPGurukul LLP
Product-online_dj_booking_management_systemOnline DJ Booking Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4176
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.50% / 39.02%
||
7 Day CHG+0.02%
Published-01 May, 2025 | 21:31
Updated-09 May, 2025 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Blood Bank & Donor Management System request-received-bydonar.php sql injection

A vulnerability has been found in PHPGurukul Blood Bank & Donor Management System 2.4 and classified as critical. This vulnerability affects unknown code of the file /admin/request-received-bydonar.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-blood_bank_\&_donor_management_systemBlood Bank & Donor Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4213
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.28% / 19.48%
||
7 Day CHG+0.01%
Published-02 May, 2025 | 18:00
Updated-28 May, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Birth Certificate System search.php sql injection

A vulnerability has been found in PHPGurukul Online Birth Certificate System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/search.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_birth_certificate_systemOnline Birth Certificate System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4195
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.47% / 37.25%
||
7 Day CHG+0.02%
Published-02 May, 2025 | 01:00
Updated-22 Dec, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Gym Management System ajax.php sql injection

A vulnerability was found in itsourcecode Gym Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /ajax.php?action=save_member. The manipulation of the argument umember_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-admercITSourceCodeAdrian Mercurio
Product-gym_management_systemGym Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4313
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.48% / 37.85%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 04:31
Updated-14 May, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Advanced Web Store admin_addnew_product.php sql injection

A vulnerability, which was classified as critical, was found in SourceCodester Advanced Web Store 1.0. Affected is an unknown function of the file /admin/admin_addnew_product.php. The manipulation of the argument txtProdId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-donbermoySourceCodester
Product-advanced_web_storeAdvanced Web Store
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-43215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.87% / 54.43%
||
7 Day CHG~0.00%
Published-22 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 05:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the endDate parameter at getOrderReport.php.

Action-Not Available
Vendor-billing_system_projectn/a
Product-billing_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-4242
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.56%
||
7 Day CHG+0.01%
Published-03 May, 2025 | 18:31
Updated-09 May, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Birth Certificate System between-dates-report.php sql injection

A vulnerability classified as critical was found in PHPGurukul Online Birth Certificate System 2.0. Affected by this vulnerability is an unknown functionality of the file /admin/between-dates-report.php. The manipulation of the argument fromdate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_birth_certificate_systemOnline Birth Certificate System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-43774
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.70% / 48.49%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HandlerPageP_KID class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system.

Action-Not Available
Vendor-n/aDelta Electronics, Inc.
Product-diaenergieDelta Electronics DIAEnergie
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 121
  • 122
  • Next
Details not found