By weakness (CWE)
CWE-89: related vulnerabilities
CVEs classified under CWE-89. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
100 published vulnerabilities
- CVE-2026-44238HIGH 8.8
FreePBX versions before 16.0.50 and 17.0.11 contain a SQL injection vulnerability in the CDR (Call Detail Records) Reports module. An authenticated user with CDR section access can manipulate the 'order' and 'sort' parameters to inject arbitrary SQL commands, potentially reading, modifying, or deleting sensitive database content. Unlike many vulnerabilities requiring administrative accounts, this one only needs standard CDR access, broadening the pool of potential attackers within an organization.
- CVE-2026-10105HIGH 8.3
Agno version 2.6.5 contains a SQL injection flaw in its ClickHouse vector database integration. An authenticated attacker can inject malicious SQL commands through the delete_by_metadata() function by crafting specially formatted metadata keys and values. This allows an attacker to delete database records, steal sensitive data, or manipulate stored information. The vulnerability requires valid credentials to exploit, but once authenticated, an attacker has significant control over the database.
- CVE-2018-25382HIGH 8.2
Zechat 1.5 contains an SQL injection flaw in its profile.php endpoint that allows attackers to inject malicious SQL commands through the username parameter without authentication. By crafting specially formatted requests, an attacker can extract database structure information and sensitive data directly from the application's backend database.
- CVE-2018-25385HIGH 8.2
E-Registrasi Pencak Silat version 18.10 contains an SQL injection flaw that allows attackers without credentials to retrieve sensitive data from the application's database. By crafting malicious requests to the monitor_nilai.php endpoint, an attacker can inject SQL commands through the id_partai parameter to extract admin credentials, user records, and other protected information. No authentication is required to attempt this attack.
- CVE-2018-25386HIGH 8.2
HaPe PKH 1.1 contains multiple SQL injection flaws in its admin media management interface that allow attackers to inject malicious SQL commands and extract sensitive database information. Unauthenticated attackers can target the village module, while authenticated users can exploit several administrative modules. The vulnerability stems from improper handling of the 'id' parameter, enabling attackers to manipulate database queries and retrieve system-level data such as database credentials, names, and DBMS version details.
- CVE-2018-25389HIGH 8.2
HaPe PKH 1.1 is vulnerable to SQL injection through the 'nama_kelompok' parameter in the lap-anggota-kelompok-pdf.php endpoint. An attacker can send a specially crafted request without authentication to execute arbitrary SQL commands, enabling extraction of sensitive database information using time-based blind techniques. This is a direct-to-database attack that bypasses application logic entirely.
- CVE-2018-25390HIGH 8.2
HaPe PKH 1.1 is vulnerable to SQL injection through its lap-peserta-perdesa-pdf.php endpoint. An attacker can send a specially crafted request containing SQL code in the 'desa' POST parameter to manipulate database queries without authentication. Using time-based blind SQL injection techniques, an adversary can extract sensitive information from the underlying database by observing query response delays.
- CVE-2018-25394HIGH 8.2
Kados R10 GreenBee contains an SQL injection flaw that allows attackers without authentication to read sensitive database information by crafting malicious web requests. The vulnerability exists in a administrative function that fails to properly validate user input, enabling an attacker to embed SQL commands directly into the system's database queries. This could expose usernames, database names, and system version details.
- CVE-2018-25395HIGH 8.2
Kados R10 GreenBee contains a critical SQL injection flaw in its board feature management interface. An attacker without authentication can craft a specially formatted web request targeting the feature update function to inject arbitrary SQL commands directly into the database. This allows the attacker to read sensitive data like database credentials, user information, and system details—potentially exposing the entire database to compromise.
- CVE-2018-25398HIGH 8.2
CVE-2018-25398 is an unauthenticated SQL injection vulnerability in Open ISES Project version 3.30A. An attacker can craft malicious database queries and submit them through the frm_passwd parameter in POST requests to main.php, bypassing authentication entirely. This allows extraction of sensitive database contents—usernames, database names, system versions—without needing valid credentials. The vulnerability is remotely exploitable with no special conditions required.
- CVE-2018-25399HIGH 8.2
Open ISES Project version 3.30A contains an SQL injection flaw in its nearby.php endpoint that lets unauthenticated attackers inject malicious SQL commands through two URL parameters: tick_lat and tick_lng. An attacker can craft a simple GET request to extract sensitive information from the underlying database, such as usernames, database identifiers, and version numbers. No authentication is required, and exploitation is straightforward—making this a high-severity issue for any organization running this software.
- CVE-2018-25400HIGH 8.2
Open ISES Project version 3.30A contains an unauthenticated SQL injection vulnerability in its form submission endpoint. An attacker can craft malicious SQL code and send it through a web request to extract sensitive information from the application's database without needing valid credentials. The vulnerability requires no user interaction and can be exploited over the network, making it a significant remote threat.
- CVE-2018-25401HIGH 8.2
Open ISES Project version 3.30A is vulnerable to SQL injection through an unauthenticated web interface. An attacker can craft malicious database queries and send them via HTTP GET requests to the sever_graph.php endpoint, bypassing authentication entirely. This allows extraction of sensitive database schema and contents without legitimate access.
- CVE-2018-25402HIGH 8.2
Open ISES Project version 3.30A contains an SQL injection vulnerability accessible to unauthenticated attackers over the network. By crafting malicious SQL statements in the p1 parameter of GET requests to inc_types_graph.php, an attacker can query the underlying database directly, potentially exposing schema details, user records, and other sensitive stored data. The vulnerability requires no authentication or user interaction, making it relatively straightforward to exploit.
- CVE-2018-25403HIGH 8.2
A SQL injection vulnerability exists in Open ISES Project version 3.30A that allows attackers without authentication to inject malicious database commands through a web parameter. By crafting specially designed requests to the city_graph.php file, attackers can extract sensitive information from the underlying database, including schema details and other stored data. The vulnerability requires no user interaction and can be exploited over the network.
- CVE-2018-25404HIGH 8.2
Open ISES Project version 3.30A is vulnerable to SQL injection through its add_facnote.php endpoint. An attacker can craft malicious SQL code in the ticket_id parameter and send it via a GET request without needing to authenticate first. This allows the attacker to read sensitive data directly from the database, including version information and other confidential records. The vulnerability requires no special conditions—any internet-connected instance of the software is at risk.
- CVE-2018-25405HIGH 8.2
eNdonesia Portal version 8.7 is vulnerable to multiple SQL injection flaws that allow unauthenticated attackers to extract sensitive data directly from the database. An attacker can manipulate specific web parameters—artid, cid, did, contid, and aboutid in the mod.php file—to inject malicious SQL commands. This bypasses normal authentication and gives direct access to usernames, database credentials, and system version information without requiring any valid user account.
- CVE-2018-25406HIGH 8.2
eNdonesia Portal version 8.7 contains multiple SQL injection flaws that allow attackers without authentication to run arbitrary database commands. By inserting malicious SQL code into specific URL parameters—artid, cid, did, contid, and aboutid—across five different modules (publisher, diskusi, galeri, content, and about), attackers can extract sensitive information like database credentials and system version details. This is a network-based attack requiring no user interaction or prior access.
- CVE-2018-25407HIGH 8.2
eNdonesia Portal version 8.7 contains multiple SQL injection flaws in its mod.php file that allow attackers to inject malicious SQL commands without authentication. By crafting specially formed requests targeting parameters like artid, cid, did, contid, and aboutid across various portal modules (publisher, diskusi, galeri, content, about), an attacker can extract sensitive database information such as usernames, database names, and version details. No user interaction or authentication is required to exploit this vulnerability.
- CVE-2018-25411HIGH 8.2
MGB OpenSource Guestbook version 0.7.0.2 contains a flaw that allows attackers to inject malicious database commands into the application without needing to log in. By sending specially crafted web requests to the email.php file with harmful code embedded in the 'id' parameter, an attacker can read sensitive information directly from the database—including the names of tables and columns that store user data. This vulnerability requires no authentication, making it trivial for an external attacker to exploit.
- CVE-2018-25413HIGH 8.2
AiOPMSD Final version 1.0.0 contains an SQL injection flaw that allows attackers to execute unauthorized database queries without authentication. By crafting malicious SQL statements and sending them through the application's search function (search.php), an attacker can extract sensitive information such as database credentials, usernames, and system details. This is a network-based attack requiring no user interaction or special privileges.
- CVE-2018-25414HIGH 8.2
AiOPMSD Final version 1.0.0 contains a straightforward but serious SQL injection flaw in its actor.php endpoint. An attacker can craft malicious SQL code and send it through the actor parameter via a simple GET request—no authentication required—to execute arbitrary database queries. This allows them to extract sensitive information like database credentials, usernames, and version details directly from the backend database.
- CVE-2018-25415HIGH 8.2
AiOPMSD Final version 1.0.0 contains an unauthenticated SQL injection flaw in its director.php endpoint. An attacker can craft a malicious URL with SQL code injected into the director parameter and send it as a simple GET request—no login required. Once executed, the attacker gains unauthorized access to the database, potentially exposing usernames, database names, system version information, and other sensitive data. The vulnerability is trivial to trigger and requires no special tools or user interaction.
- CVE-2018-25416HIGH 8.2
AiOPMSD Final version 1.0.0 contains a SQL injection flaw that allows anyone on the internet to query the application's database directly without logging in. An attacker can craft malicious requests to the country.php endpoint to extract sensitive information such as usernames, database names, and version numbers. This is a straightforward injection attack—the application fails to sanitize user input before passing it to SQL queries.
- CVE-2018-25417HIGH 8.2
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection flaw in the quality.php endpoint. An attacker can craft a malicious GET request with a SQL payload in the quality parameter to run arbitrary SQL commands against the backend database, potentially exposing usernames, database identifiers, and version information without requiring any authentication or user interaction.
- CVE-2018-25418HIGH 8.2
AiOPMSD Final version 1.0.0 contains an SQL injection vulnerability in its year parameter that allows attackers to execute arbitrary database queries without authentication. By crafting malicious SQL code and sending it through GET requests to the year.php endpoint, an attacker can extract sensitive information such as usernames, database names, and database version details. The vulnerability requires no user interaction and can be exploited over the network by any unauthenticated actor.
- CVE-2018-25419HIGH 8.2
AiOPMSD Final 1.0.0 suffers from a critical SQL injection flaw in its genre parameter. An attacker can craft a malicious URL to genre.php and extract sensitive data—usernames, database names, version information—without needing to authenticate. The vulnerability is straightforward to exploit over the network and poses a real risk to confidentiality of stored data.
- CVE-2018-25420HIGH 8.2
AiOPMSD Final version 1.0.0 contains an SQL injection flaw that lets attackers query the application's database without needing any credentials. By crafting malicious SQL code into web requests targeting the watch.php endpoint, an attacker can extract sensitive data like user credentials and database structure information. The vulnerability requires no authentication, no special interaction from a victim, and poses a direct threat to data confidentiality.
- CVE-2018-25422HIGH 8.2
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the id parameter in play.php. Attackers can craft malicious GET requests to extract sensitive data like usernames and other database information without needing authentication.
- CVE-2018-25424HIGH 8.2
Gate Pass Management System version 2.1 contains an SQL injection flaw in its login mechanism that allows attackers to bypass authentication entirely without knowing valid credentials. By crafting malicious SQL code into the login and password fields of the application's login form, an unauthenticated attacker can trick the system into granting access. This is a critical weakness because the login page is typically the first line of defense, and compromising it gives attackers full entry to the application and any data it manages.
- CVE-2018-25425HIGH 8.2
Yot CMS version 3.3.1 contains an unauthenticated SQL injection vulnerability accessible through HTTP GET requests. An attacker can manipulate the 'aid' or 'cid' URL parameters to inject arbitrary SQL commands, potentially exposing sensitive database information without requiring any authentication or user interaction. The vulnerability is network-accessible and relatively straightforward to exploit.
- CVE-2018-25428HIGH 8.2
Paroiciel version 11.20 contains an unauthenticated SQL injection flaw in its trec.php endpoint. An attacker can craft malicious web requests to the tRecIdListe parameter, inject arbitrary SQL commands, and retrieve sensitive database contents like table and column names without needing valid credentials. This is a remote attack that requires no special privileges or user interaction.
- CVE-2018-25433HIGH 8.2
The JE Photo Gallery component for Joomla version 1.1 contains a critical flaw that allows attackers to inject malicious SQL commands without needing credentials. By manipulating a parameter in web requests, attackers can extract sensitive information directly from the database, including user credentials. This vulnerability requires no authentication or user interaction, making it particularly dangerous for websites using this component.
- CVE-2018-25434HIGH 8.2
WP AutoSuggest version 0.24 contains a critical SQL injection flaw that lets attackers bypass authentication entirely and query your WordPress database directly. By sending specially crafted requests to the plugin's autosuggest.php endpoint, an attacker can extract sensitive data—posts, user information, and other database contents—without needing any WordPress account or permissions. This is particularly dangerous because the vulnerability requires no user interaction and is trivial to exploit remotely.
- CVE-2019-25726HIGH 8.2
All in One Video Downloader version 1.2 contains an SQL injection flaw that lets attackers query the application's database without authentication. By crafting malicious requests to the admin interface, adversaries can extract sensitive information like user credentials and database structure details. The vulnerability requires no special access or user interaction—attackers can exploit it remotely over the network.
- CVE-2019-25728HIGH 8.2
Care2x 2.7 contains a flaw that lets attackers bypass authentication entirely and read sensitive database information by modifying a cookie called ck_config. An attacker on the internet can craft a malicious request without any credentials to trick the application into executing unauthorized database queries. The vulnerability affects login pages and module endpoints, making it a straightforward way to extract private data.
- CVE-2019-25730HIGH 8.2
Listing Hub CMS version 1.0 contains a SQL injection flaw that allows attackers without credentials to run arbitrary database commands. By sending specially crafted requests to the pages.php file with malicious values in the id parameter, attackers can extract sensitive information such as database credentials and system version details. The vulnerability requires no authentication or user interaction, making it a straightforward attack vector for anyone with network access to the affected application.
- CVE-2019-25732HIGH 8.2
PHP EI-Tube Script 3 contains a flaw that allows attackers to inject malicious commands into the application's search function without needing any credentials. By crafting specially designed search queries, an attacker can trick the application into executing unauthorized database commands, potentially exposing usernames, passwords, and other sensitive information stored in the database.
- CVE-2019-25745HIGH 8.2
The Google Review Slider WordPress plugin version 6.1 contains a SQL injection flaw that allows attackers to execute unauthorized database queries without needing to log in. By crafting malicious requests targeting the 'tid' parameter, an attacker can gradually extract sensitive data from a WordPress site's database using time-based blind SQL injection—a technique where database response delays confirm whether injected queries are true or false. This vulnerability poses a direct risk to any WordPress installation running the affected plugin version.
- CVE-2025-15655HIGH 7.6
Mojoomla School Management contains a SQL injection vulnerability that allows authenticated administrators to execute arbitrary SQL commands against the underlying database. An attacker with high-level privileges can exploit this flaw to read sensitive data, modify school records, or cause service disruptions. The vulnerability affects all versions up to and including 93.2.0.
- CVE-2026-24782HIGH 7.6
Kiteworks, a platform designed to securely manage private data networks, contains multiple SQL injection flaws in its Secure Data Forms feature. Prior to version 9.3.0, an authenticated user with FormBuilder role permissions can exploit these vulnerabilities to access or alter form definitions belonging to other users and potentially modify some system-wide settings. This is a privilege escalation and data exposure risk that requires prompt patching.
- CVE-2026-10110HIGH 7.3
A SQL injection vulnerability exists in code-projects Student Details Management System version 1.0 affecting the /index.php file. An attacker can manipulate the 'roll' parameter to inject arbitrary SQL commands, potentially accessing, modifying, or deleting sensitive student records. The vulnerability requires no authentication and can be exploited remotely over the network. Public exploit code is already available, increasing the risk of active exploitation.
- CVE-2026-10111HIGH 7.3
A SQL injection vulnerability exists in the Login Page of sambitraj STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker can manipulate the email parameter during login to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication or user interaction and can be exploited remotely. Exploit code has already been published publicly, elevating the practical risk.
- CVE-2026-10178HIGH 7.3
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows unauthenticated remote attackers to inject malicious SQL commands through the ID parameter in the admin album editing interface. The flaw permits reading, modifying, or deleting database records without authorization. Public exploit code is available, elevating immediate risk.
- CVE-2026-10184HIGH 7.3
SourceCodester Hospitals Patient Records Management System version 1.0 contains a SQL injection vulnerability in its user deletion function. An attacker can send a specially crafted request to the /classes/Users.php endpoint that manipulates the ID parameter, allowing unauthorized database queries. Because this flaw requires no authentication and can be exploited over the network, it poses a significant risk to hospital operations and patient data confidentiality.
- CVE-2026-10185HIGH 7.3
A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An attacker can send a malicious request to the /classes/Users.php file with a crafted ID parameter that causes the application to execute unintended database commands. No authentication is required, and the vulnerability is accessible over the network. Public exploit code is available, increasing the risk of active exploitation.
- CVE-2026-10186HIGH 7.3
CVE-2026-10186 is a SQL injection vulnerability in code-projects Online Hospital Management System version 1.0. An attacker can craft a malicious request to the /patient.php file, manipulating the 'editid' parameter to execute arbitrary SQL commands against the backend database. No authentication is required, and the exploit can be triggered remotely over the network. Public exploit details are available, increasing the practical risk of active exploitation.
- CVE-2026-10208HIGH 7.3
A SQL injection vulnerability exists in the Online Hospital Management System version 1.php, specifically in the login_user function of login_1.php. An attacker can manipulate the Username parameter during login to inject malicious SQL commands. This allows unauthorized access and data compromise without requiring authentication or user interaction. The vulnerability is remotely exploitable and public exploit code has already been released.
- CVE-2026-10225HIGH 7.3
A SQL injection vulnerability exists in raisulislamg4's student management system (PHP-based). An attacker can manipulate the Username parameter in the login_check.php file to inject malicious SQL commands. The vulnerability is network-accessible, requires no authentication, and doesn't require user interaction. Exploit code is publicly available. The project uses a rolling release model, making it difficult to track specific patched versions.
- CVE-2026-10226HIGH 7.3
A SQL injection vulnerability exists in the raisulislamg4 student management system (a PHP-based open-source project). An attacker can manipulate parameters in the delete.php file—specifically user_id, course_id, teacher_id, student_id, or application_id—to inject malicious SQL commands. This can be exploited remotely without authentication or user interaction, allowing an attacker to read, modify, or delete database records. Proof-of-concept code has been published, increasing the risk of active exploitation.
- CVE-2026-10227HIGH 7.3
A SQL injection vulnerability exists in the student management system by raisulislamg4 (up to commit 310d950e) that allows unauthenticated attackers to manipulate the role parameter in the user creation process. An attacker can submit malicious input through the add_user_check.php endpoint to execute arbitrary SQL commands, potentially reading, modifying, or deleting database contents. The vulnerability has been publicly disclosed and proof-of-concept information is available, increasing the likelihood of active exploitation.
- CVE-2026-10249HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 within the admin request-viewing interface. An unauthenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive patient data, modification of records, or system disruption. Public exploits are already available, elevating the practical risk.
- CVE-2026-10250HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 that allows unauthenticated attackers to manipulate the hospital parameter in the /admin/campsdetails.php file, potentially compromising the confidentiality, integrity, and availability of the system and its data. The vulnerability is remotely exploitable and public exploit code is available, elevating active exploitation risk.
- CVE-2026-10251HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. An attacker can send a specially crafted request to the login functionality via the Username parameter to execute arbitrary database commands. Because the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to exposed instances. Public exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10252HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0 that allows unauthenticated attackers to inject malicious SQL commands through the ID parameter in the /manage_tenant.php file. This could enable attackers to read, modify, or delete tenant data stored in the application's database without requiring any special credentials or user interaction. The vulnerability is publicly known and exploit code is available.
- CVE-2026-10253HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. The vulnerability is located in the /manage_payment.php file, specifically in how it processes the ID parameter. An attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive payment and rental data. The vulnerability requires no authentication, can be exploited over the network, and exploit code is publicly available.
- CVE-2026-10260HIGH 7.3
CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its admin job deletion function. An attacker can manipulate the ID parameter in the /admin/jobs-admins/delete-jobs.php file to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication and can be exploited over the network. Proof-of-concept code has been released publicly, increasing the likelihood of active exploitation.
- CVE-2026-10261HIGH 7.3
CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its application status checking functionality. An attacker can manipulate the ID parameter in the /users/application_status.php file to inject malicious SQL commands, potentially gaining unauthorized access to the database. The vulnerability can be exploited remotely without authentication, making it accessible to anyone on the internet.
- CVE-2026-10262HIGH 7.3
A SQL injection vulnerability exists in Real State Services version 1.0 that allows an attacker to manipulate the Username parameter in the login form (/loginuser.php) to inject malicious SQL commands. Because no authentication is required and the vulnerability can be triggered over the network, an attacker can exploit this remotely to read, modify, or delete sensitive database information without needing valid credentials. The flaw has been publicly disclosed, increasing the risk of active exploitation.
- CVE-2026-10263HIGH 7.3
A SQL injection vulnerability exists in SourceCodester Computer Repair Shop Management System version 1.0 and earlier. An attacker can manipulate the ID parameter in the product management interface to inject malicious SQL commands, potentially exposing, modifying, or deleting sensitive data. The vulnerability requires no authentication and can be exploited remotely by anyone with network access to the application.
- CVE-2026-10290HIGH 7.3
A SQL injection vulnerability exists in the Hotel and Tourism Reservation System version 1.0, specifically in the tour.php file's GET parameter handler. An attacker can manipulate the 'tour' parameter to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database. Because the vulnerability is remotely exploitable without authentication, and public exploits are available, organizations running this software face immediate risk.
- CVE-2026-10606HIGH 7.3
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its feedback handling system. An attacker can manipulate user input passed to the TrimMsg function in the feedback component to inject malicious SQL commands. Since no authentication is required and the attack can be performed over the network, this vulnerability poses a significant risk to any organization running the affected version. The vulnerability has already been disclosed publicly, increasing the likelihood of active exploitation.
- CVE-2026-10607HIGH 7.3
DedeCMS 5.7.88 contains a SQL injection vulnerability in its friend links management function. An attacker can manipulate the 'msg' parameter in /plus/flink.php to inject malicious SQL commands, allowing unauthorized database access, modification, or deletion. No authentication is required, and the vulnerability can be exploited over the network. Public exploit code exists, elevating the practical risk.
- CVE-2026-10608HIGH 7.3
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its RemoveXSS function within the /plus/carbuyaction.php file. An attacker can inject malicious SQL commands through the postname or des parameters without authentication, potentially compromising data confidentiality, integrity, and availability. The vulnerability is remotely exploitable and proof-of-concept code has been publicly released.
- CVE-2026-10620HIGH 7.3
A SQL injection vulnerability exists in code-projects Student Admission System version 1.0. The flaw resides in the /index.php file and can be exploited by manipulating the eid or did parameters. An attacker can inject malicious SQL commands without authentication, potentially reading or modifying sensitive student and admission data. Public exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10704HIGH 7.3
SourceCodester's Pizzafy E-Commerce System version 1.0 contains a SQL injection vulnerability in the administrative login function. An attacker can manipulate the username field during authentication to inject malicious SQL commands, potentially gaining unauthorized database access without needing credentials or user interaction. The vulnerability is network-accessible and exploits are now publicly available.
- CVE-2018-25392HIGH 7.1
MaxOn ERP Software versions 8.x through 9.x contain a SQL injection flaw that lets authenticated users inject malicious SQL commands through specific parameters in the activity logging function. An attacker with valid credentials can craft POST requests to extract sensitive database information such as version numbers and database names. While exploitation requires authentication, the impact—unauthorized access to database structure and sensitive data—represents a meaningful security risk for organizations running these versions.
- CVE-2018-25410HIGH 7.1
SIM-PKH version 2.4.1 contains a SQL injection flaw in its admin media management interface. An authenticated attacker can craft malicious requests to the /admin/media.php endpoint that inject SQL code, allowing them to extract sensitive database information such as usernames, database names, and version details. The vulnerability requires valid login credentials but poses a meaningful risk to data confidentiality within affected deployments.
- CVE-2018-25429HIGH 7.1
Paroiciel version 11.20 contains an SQL injection vulnerability in the zpro.php endpoint that allows authenticated users to execute arbitrary database queries by manipulating the zProIdPro parameter. An attacker with valid credentials can craft malicious SQL statements to extract sensitive information from the database, including usernames, database names, and version details. This is a post-authentication attack that does not require user interaction.
- CVE-2018-25430HIGH 7.1
Paroiciel version 11.20 contains a SQL injection flaw in its egeq.php endpoint. Authenticated users can craft malicious requests that embed SQL commands into the eGeqIdEquipe parameter, allowing them to query the underlying database directly. This bypasses normal access controls and could expose sensitive information such as database version details and other stored data. The vulnerability requires valid login credentials, so it represents an insider threat or compromised-account scenario.
- CVE-2018-25431HIGH 7.1
No-Cms 1.0 contains a SQL injection flaw in its privilege management export feature. An authenticated user can craft a specially formatted request to extract sensitive data from the application's database by injecting malicious SQL commands into the order_by parameter. The vulnerability requires valid credentials but poses significant risk to data confidentiality.
- CVE-2026-39229MEDIUM 6.5
Bolt CMS versions up to 3.7.0 contain a SQL injection vulnerability in how it processes the 'order' parameter on content listing pages. An attacker who has legitimate user credentials—even with minimal permissions—can craft malicious input to extract sensitive data from the database. The vulnerability is triggered through the OrderDirective component during normal sorting operations. This is an information disclosure risk; attackers cannot modify or delete data, but they can read information they shouldn't access.
- CVE-2026-10170MEDIUM 6.3
A SQL injection vulnerability exists in code-projects Visitor Management System version 1.0. An authenticated attacker can manipulate the 'phone' parameter in the /vms/php/phone_0.php file to inject malicious SQL commands. This allows the attacker to read, modify, or delete database contents without special privileges. The vulnerability requires valid login credentials to exploit and has a published proof-of-concept.
- CVE-2026-10176MEDIUM 6.3
Aider-AI's Aider version 0.86.3 contains a SQL injection vulnerability in its code generation workflow that can be exploited by authenticated users to manipulate database queries. While the vulnerability requires login credentials to trigger, an attacker with access can extract, modify, or delete sensitive data. Public exploit information is available, increasing the near-term risk of active exploitation.
- CVE-2026-10193MEDIUM 6.3
OFCMS versions up to 1.1.3 contain a SQL injection vulnerability in the ComnController component. An authenticated attacker can manipulate the 'system.user.query' parameter to inject malicious SQL commands, potentially accessing, modifying, or deleting database records. The vulnerability has been publicly disclosed and exploit code is available, making active exploitation a realistic threat.
- CVE-2026-10202MEDIUM 6.3
A SQL injection vulnerability exists in OFCMS version 1.1.3 affecting the JSON Query Interface within the SystemDictController component. An authenticated attacker can send specially crafted queries to manipulate SQL commands executed by the application, potentially reading, modifying, or deleting database records. The vulnerability requires valid user credentials but can be exploited over the network without user interaction. Exploit code is publicly available, increasing the risk of active exploitation.
- CVE-2026-10203MEDIUM 6.3
A SQL injection vulnerability exists in OFCMS 1.1.3 within the Query function of the SystemParamController component. The flaw allows authenticated attackers to inject malicious SQL commands through the JSON Query Interface, potentially compromising database integrity and confidentiality. Public exploit code is available, increasing active exploitation risk.
- CVE-2026-10204MEDIUM 6.3
A SQL injection vulnerability has been discovered in OFCMS version 1.1.3, specifically in the JSON Query Interface of the user management controller. An authenticated attacker can submit specially crafted queries to execute arbitrary SQL commands against the application's database. This could allow them to read, modify, or delete sensitive data. The vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, but exploit code has been publicly released, increasing the practical risk of attacks.
- CVE-2026-10209MEDIUM 6.3
A SQL injection vulnerability exists in the Online Hospital Management System version 1.0, specifically in the appointment booking functionality. An authenticated attacker can manipulate the 'editid' parameter in the appointmentdetail.php file to inject malicious SQL commands. This allows an attacker with valid credentials to read, modify, or delete sensitive appointment and patient data without additional authorization. Since the exploit has been publicly disclosed, the risk of active exploitation is elevated.
- CVE-2026-10235MEDIUM 6.3
CodeAstro Ingredients Stock Management System version 1.0 contains a SQL injection vulnerability in its stock manager component. An authenticated attacker can manipulate the txt_search_category parameter in the /Ingredients-Stock/stock_manager.php file to execute arbitrary SQL queries. This allows unauthorized data access, modification, or deletion within the application's database. The vulnerability requires valid login credentials but can be exploited over the network without user interaction.
- CVE-2026-10242MEDIUM 6.3
itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in the /instructions.php file. An attacker with user-level access can manipulate the topic_id parameter to execute unauthorized database queries, potentially reading, modifying, or deleting sensitive data. The vulnerability is remotely exploitable and public exploit code is available.
- CVE-2026-10256MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 affecting the comment-saving functionality. An authenticated attacker can manipulate the Name parameter in /save_comment.php to execute arbitrary SQL queries, potentially reading, modifying, or deleting database contents. The vulnerability requires valid user credentials but does not require user interaction to exploit. Public exploit code is available, elevating the practical risk despite the MEDIUM CVSS score.
- CVE-2026-10257MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0, specifically in the admin update functionality. An authenticated user can inject malicious SQL commands through the topic_id parameter when uploading images, potentially reading, modifying, or deleting database contents. Public exploit code is available, increasing near-term risk.
- CVE-2026-10258MEDIUM 6.3
itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in its administrative interface. An authenticated attacker can manipulate the topic_id parameter in the /admin/add_sub_topic.php file to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid login credentials but can be exploited over the network without additional user interaction.
- CVE-2026-10265MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 that allows authenticated users to manipulate the topic_id parameter in the /admin/edit_topic.php file to execute arbitrary SQL queries. An attacker with valid admin credentials can exploit this to read, modify, or delete database records. Public exploits are available, elevating operational risk.
- CVE-2026-10286MEDIUM 6.3
CodeAstro Payroll System version 1.0 contains a SQL injection vulnerability in its employee home page functionality. An authenticated attacker can inject malicious SQL commands through the emp_id parameter, allowing them to read, modify, or delete database records. This vulnerability requires valid login credentials and is reachable over the network. Public exploit information is available, increasing the immediate risk of exploitation.
- CVE-2026-10296MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the Username parameter in the /ajax.php endpoint to execute arbitrary SQL queries. An attacker with valid login credentials can exploit this flaw to read, modify, or delete database contents. The vulnerability requires authentication but is otherwise straightforward to exploit and has been publicly disclosed.
- CVE-2026-10297MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the course management functionality. An authenticated attacker can manipulate the ID parameter in the /manage_course.php endpoint to execute arbitrary SQL queries against the underlying database. The vulnerability requires valid login credentials but can be exploited over the network without additional interaction. Exploit code is publicly available, elevating the practical risk.
- CVE-2026-10302MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the /manage_fee.php file. An authenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid user credentials to exploit but can be triggered remotely over the network.
- CVE-2026-10568MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_payment.php file to execute arbitrary SQL queries against the backend database. This vulnerability requires valid login credentials to exploit, but can lead to unauthorized data access, modification, or deletion. Public exploit code is available, increasing the practical risk of exploitation.
- CVE-2026-10808MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the ID parameter in the /manage_student.php file, potentially enabling unauthorized data access, modification, or deletion. The vulnerability requires valid login credentials but can be exploited remotely over the network. Public exploit code is available, elevating the risk of active attack.
- CVE-2026-10809MEDIUM 6.3
CVE-2026-10809 is a SQL injection vulnerability in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_user.php file to inject malicious SQL commands, potentially reading, modifying, or deleting database records. The flaw requires valid login credentials but can be exploited over the network without user interaction. Public exploit code is available, elevating the practical risk despite the medium CVSS score.
- CVE-2026-10811MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. The flaw resides in the /receipt.php file, specifically in how the application processes the ef_id parameter. An authenticated attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing them to read, modify, or delete database records. Public disclosure of this vulnerability means exploitation techniques are already available, elevating the practical risk.
- CVE-2026-10874MEDIUM 6.3
A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 affecting the admin dashboard. An authenticated attacker can manipulate the 'social_insta' parameter in the /admin/adminHome.php file to inject malicious SQL commands. This allows unauthorized access to sensitive database information, modification of data, or potential system disruption. The vulnerability requires valid login credentials but has no other technical barriers to exploitation.
- CVE-2026-10875MEDIUM 6.3
A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 that allows authenticated users to inject malicious SQL commands through the social_twitter parameter in the admin panel. An attacker with login credentials can exploit this flaw to read, modify, or delete database records. Public exploit code has been released, increasing the risk of active exploitation.
- CVE-2026-0075MEDIUM 5.9
CVE-2026-0075 is a SQL injection vulnerability in Google Android's contact database access functions that allows local attackers to escalate privileges without needing special permissions or user interaction. An attacker with local access to an Android device can exploit this flaw to read, modify, or delete contact information and potentially gain elevated system privileges.
- CVE-2026-10039MEDIUM 4.9
The Frontend Admin plugin for WordPress contains a SQL injection vulnerability that allows authenticated administrators to extract sensitive data from the website's database. The flaw exists in how the plugin processes the 'order' parameter—it fails to properly escape user input before inserting it into database queries. An attacker with administrator privileges can craft a malicious request containing both 'order' and 'orderby' parameters to inject additional SQL commands and retrieve unauthorized information. This vulnerability affects all versions up to and including 3.28.28.
- CVE-2026-10155MEDIUM 4.7
A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.
- CVE-2026-10171MEDIUM 4.7
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10237MEDIUM 4.7
A SQL injection vulnerability was identified in SourceCodester Water Billing Management System version 1.0. An authenticated administrator can manipulate the ID parameter in the user management interface to inject malicious SQL commands, potentially reading or modifying sensitive database records. The vulnerability requires administrative privileges to exploit but poses a risk to data integrity and confidentiality within billing systems. Public proof-of-concept code exists, elevating the practical risk of exploitation.