Export limit exceeded: 19646 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (19646 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13531 1 Itsourcecode 1 Hospital Management System 2026-06-29 6.3 Medium
A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /department.php. The manipulation of the argument editid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
CVE-2026-13555 1 Itsourcecode 1 Online Hotel Management System 2026-06-29 7.3 High
A vulnerability was found in itsourcecode Online Hotel Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/mod_users/controller.php?action=add. The manipulation of the argument Name results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVE-2026-13331 2 Trainingbusinesspros, Wordpress 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress 2026-06-27 6.5 Medium
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-40083 1 Cacti 1 Cacti 2026-06-27 7.2 High
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.
CVE-2026-57643 2 Afthemes, Wordpress 2 Wp Post Author, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in WP Post Author <= 3.9.1 versions.
CVE-2026-57653 2 Wordpress, Wpjobportal 2 Wordpress, Wp Job Portal 2026-06-26 8.5 High
Contributor SQL Injection in WP Job Portal <= 2.5.2 versions.
CVE-2026-54825 2 Wordpress, Wpdatatables 2 Wordpress, Wpdatatables 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
CVE-2026-56064 2 Themefic, Wordpress 2 Tourfic, Wordpress 2026-06-26 8.5 High
Subscriber SQL Injection in Tourfic <= 2.22.5 versions.
CVE-2026-57631 2 Ays-pro, Wordpress 2 Popup Box, Wordpress 2026-06-26 7.6 High
Administrator SQL Injection in Popup box <= 6.0.1 versions.
CVE-2026-57636 2 Tomdever, Wordpress 2 Wpforo Forum, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in wpForo Forum <= 3.0.9 versions.
CVE-2026-57662 2 Wasiliy Strecker, Wordpress 2 Contest Gallery, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in Contest Gallery <= 30.0.0 versions.
CVE-2026-54831 2 Paolo, Wordpress 2 Geodirectory, Wordpress 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.
CVE-2026-56070 2 Themehunk, Wordpress 2 Advance Product Search, Wordpress 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.
CVE-2026-39951 1 Cacti 1 Cacti 2026-06-26 7.6 High
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
CVE-2026-37149 1 Anirudhkannanvp 1 Grocery Store Management System 2026-06-26 7.7 High
GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
CVE-2026-13226 2 Trainingbusinesspros, Wordpress 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress 2026-06-26 6.5 Medium
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.
CVE-2016-20069 2 Dwbooster, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-06-26 8.2 High
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
CVE-2016-20068 2 Dwbooster, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-06-26 8.2 High
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
CVE-2026-39502 2 10web, Wordpress 2 Form Maker, Wordpress 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions.
CVE-2026-54813 2 Brainstorm Force, Wordpress 2 Suredash, Wordpress 2026-06-26 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force SureDash allows Blind SQL Injection. This issue affects SureDash: from n/a through 1.8.0.