Search Results (19635 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13552 1 Itsourcecode 1 Online Hotel Management System 2026-06-29 7.3 High
A vulnerability was detected in itsourcecode Online Hotel Management System 1.0. This impacts an unknown function of the file /admin/mod_amenities/controller.php?action=edit. Performing a manipulation of the argument amen_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
CVE-2026-13497 1 Itsourcecode 1 Hospital Management System 2026-06-29 6.3 Medium
A vulnerability was determined in itsourcecode Hospital Management System 1.0. The impacted element is an unknown function of the file /appointment.php. This manipulation of the argument editid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-13529 1 Yzmcms 1 Yzmcms 2026-06-29 5.6 Medium
A vulnerability was determined in YzmCMS up to 7.5. This affects an unknown function of the file /application/install/index.php. Executing a manipulation of the argument siteurl can lead to sql injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-13535 1 Codeastro 1 Human Resource Management System 2026-06-29 6.3 Medium
A flaw has been found in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function GetFileInfo of the file hrsystem/application/models/Employee_model.php of the component View Endpoint. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.
CVE-2026-13541 1 Itsourcecode 1 Hospital Management System 2026-06-29 6.3 Medium
A weakness has been identified in itsourcecode Hospital Management System 1.0. This impacts an unknown function of the file /doctorchangepassword.php. Executing a manipulation of the argument newpassword can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
CVE-2026-13559 1 Code-projects 1 Real State Services 2026-06-29 7.3 High
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list_sale.php?action=add. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
CVE-2026-13486 1 Sourcecodester 1 Class And Exam Timetabling System 2026-06-29 7.3 High
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php. This impacts an unknown function of the file /preview6.php. Executing a manipulation of the argument course_year_section can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-13485 1 Sourcecodester 1 Class And Exam Timetabling System 2026-06-29 7.3 High
A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /preview.php. Performing a manipulation of the argument course_year_section results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
CVE-2026-13525 1 Codeastro 1 Human Resource Management System 2026-06-29 6.3 Medium
A vulnerability was detected in CodeAstro Human Resource Management System 1.0. This issue affects the function emselectByCode of the file application/models/Employee_model.php of the component Update_Earn_Leave Endpoint. The manipulation of the argument emid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
CVE-2026-13531 1 Itsourcecode 1 Hospital Management System 2026-06-29 6.3 Medium
A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /department.php. The manipulation of the argument editid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
CVE-2026-13555 1 Itsourcecode 1 Online Hotel Management System 2026-06-29 7.3 High
A vulnerability was found in itsourcecode Online Hotel Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/mod_users/controller.php?action=add. The manipulation of the argument Name results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVE-2026-13331 2 Trainingbusinesspros, Wordpress 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress 2026-06-27 6.5 Medium
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-40083 1 Cacti 1 Cacti 2026-06-27 7.2 High
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.
CVE-2026-57643 2 Afthemes, Wordpress 2 Wp Post Author, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in WP Post Author <= 3.9.1 versions.
CVE-2026-57653 2 Wordpress, Wpjobportal 2 Wordpress, Wp Job Portal 2026-06-26 8.5 High
Contributor SQL Injection in WP Job Portal <= 2.5.2 versions.
CVE-2026-54825 2 Wordpress, Wpdatatables 2 Wordpress, Wpdatatables 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
CVE-2026-56064 2 Themefic, Wordpress 2 Tourfic, Wordpress 2026-06-26 8.5 High
Subscriber SQL Injection in Tourfic <= 2.22.5 versions.
CVE-2026-57631 2 Ays-pro, Wordpress 2 Popup Box, Wordpress 2026-06-26 7.6 High
Administrator SQL Injection in Popup box <= 6.0.1 versions.
CVE-2026-57636 2 Tomdever, Wordpress 2 Wpforo Forum, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in wpForo Forum <= 3.0.9 versions.
CVE-2026-57662 2 Wasiliy Strecker, Wordpress 2 Contest Gallery, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in Contest Gallery <= 30.0.0 versions.