Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CVEs (19,378)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-3180 - - Apr 22, 2026 Mar 2, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ’cgl_mail’ parameter in all versions up to, and...Show more The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ’cgl_mail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability's ’cgLostPasswordEmail’ parameter was patched in version 28.1.4, and the ’cgl_mail’ parameter was patched in version 28.1.5.Show less
CVE-2026-26707 1Oretnom23 1Pharmacy Point Of Sale System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_supplier.php.
CVE-2026-26706 1Oretnom23 1Pharmacy Point Of Sale System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_receipt.php.
CVE-2026-26705 1Oretnom23 1Pharmacy Point Of Sale System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_product.php.
CVE-2026-26704 1Oretnom23 1Pharmacy Point Of Sale System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/view_category.php.
CVE-2026-28399 1Nocodb 1Nocodb Mar 3, 2026 Mar 2, 2026 6.2 MEDIUM· v4 8.8 HIGH· v3 N/A· v2 NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched...Show more NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.Show less
CVE-2026-26708 1Oretnom23 1Pharmacy Point Of Sale System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
CVE-2026-26700 1Jon Remus Sevellejo 1Personnel Property Equipment System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_employee.php.
CVE-2026-26701 1Jon Remus Sevellejo 1Personnel Property Equipment System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/edit_tecnical_user.php.
CVE-2026-26703 1Jon Remus Sevellejo 1Personnel Property Equipment System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/advance_search.php.
CVE-2026-26702 1Jon Remus Sevellejo 1Personnel Property Equipment System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/myitem_reuse.php.
CVE-2026-26696 1Carmelo 1Simple Student Alumni System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordteacher_edit.php.
CVE-2026-26695 1Carmelo 1Simple Student Alumni System Mar 5, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php.
CVE-2026-26694 1Carmelo 1Simple Student Alumni System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerale to SQL Injection in /TracerStudy/modal_view.php.
CVE-2025-50192 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 8.8 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection in found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30.
CVE-2025-50191 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 7.0 HIGH· v4 7.2 HIGH· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.
CVE-2025-50190 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 8.8 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.3...Show more Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.Show less
CVE-2025-50189 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 7.2 HIGH· v4 8.8 HIGH· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login paramet...Show more Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.Show less
CVE-2025-50188 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 7.0 HIGH· v4 7.2 HIGH· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/v...Show more Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.Show less
CVE-2026-26698 1Carmelo 1Simple Student Alumni System Mar 3, 2026 Mar 2, 2026 N/A· v4 4.9 MEDIUM· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/modal_edit.php.

Previous 1...686970...969 Next