Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CVEs (19,406)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-26695 1Carmelo 1Simple Student Alumni System Mar 5, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php.
CVE-2026-26694 1Carmelo 1Simple Student Alumni System Mar 3, 2026 Mar 2, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerale to SQL Injection in /TracerStudy/modal_view.php.
CVE-2025-50192 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 8.8 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection in found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30.
CVE-2025-50191 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 7.0 HIGH· v4 7.2 HIGH· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.
CVE-2025-50190 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 8.8 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.3...Show more Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.Show less
CVE-2025-50189 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 7.2 HIGH· v4 8.8 HIGH· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login paramet...Show more Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.Show less
CVE-2025-50188 1Chamilo 1Chamilo Lms Mar 3, 2026 Mar 2, 2026 7.0 HIGH· v4 7.2 HIGH· v3 N/A· v2 Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/v...Show more Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.Show less
CVE-2026-26698 1Carmelo 1Simple Student Alumni System Mar 3, 2026 Mar 2, 2026 N/A· v4 4.9 MEDIUM· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/modal_edit.php.
CVE-2026-26697 1Carmelo 1Simple Student Alumni System Mar 3, 2026 Mar 2, 2026 N/A· v4 4.9 MEDIUM· v3 N/A· v2 code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordteacher_view.php?teacherID=.
CVE-2025-12462 - - Apr 27, 2026 Mar 2, 2026 9.3 CRITICAL· v4 N/A· v3 N/A· v2 A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path in multiple parameters resulting in Blind SQL Injection. This issue was...Show more A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path in multiple parameters resulting in Blind SQL Injection. This issue was fixed in versions above 8.0.Show less
CVE-2025-30062 - - Apr 27, 2026 Mar 2, 2026 6.9 MEDIUM· v4 N/A· v3 N/A· v2 In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.
CVE-2025-10350 - - Apr 27, 2026 Mar 2, 2026 8.8 HIGH· v4 N/A· v3 N/A· v2 SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.T...Show more SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9.0.Show less
CVE-2026-2584 - - May 19, 2026 Mar 2, 2026 9.3 CRITICAL· v4 N/A· v3 N/A· v2 A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries...Show more A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system's configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L).Show less
CVE-2026-3413 1Angeljudesuarez 1University Management System Apr 29, 2026 Mar 2, 2026 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. This manipulation of the argument ID causes sql injection. The attack...Show more A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.Show less
CVE-2026-3411 1Angeljudesuarez 1University Management System Apr 29, 2026 Mar 2, 2026 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A security vulnerability has been detected in itsourcecode University Management System 1.0. Affected by this issue is some unknown functionality of the file /admin_single_student_update.php. The manipulation of the argu...Show more A security vulnerability has been detected in itsourcecode University Management System 1.0. Affected by this issue is some unknown functionality of the file /admin_single_student_update.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.Show less
CVE-2026-3410 1Angeljudesuarez 1Society Management System Apr 29, 2026 Mar 2, 2026 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/check_studid.php. Executing a manipulation of the argument stude...Show more A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/check_studid.php. Executing a manipulation of the argument student_id can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.Show less
CVE-2026-3406 1Projectworlds 1Online Art Gallery Shop Apr 29, 2026 Mar 2, 2026 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in projectworlds Online Art Gallery Shop 1.0. The impacted element is an unknown function of the file /admin/registration.php of the component Registration Handler. The manipulation of the argum...Show more A vulnerability was found in projectworlds Online Art Gallery Shop 1.0. The impacted element is an unknown function of the file /admin/registration.php of the component Registration Handler. The manipulation of the argument fname results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.Show less
CVE-2026-28562 1Gvectors 1Wpforo Forum Mar 5, 2026 Feb 28, 2026 8.8 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob pa...Show more wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.Show less
CVE-2025-13673 - - Mar 2, 2026 Feb 28, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the use...Show more The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.Show less
CVE-2026-28516 1Opendcim 1Opendcim Mar 10, 2026 Feb 27, 2026 9.3 CRITICAL· v4 8.8 HIGH· v3 N/A· v2 openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements...Show more openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.Show less

Previous 1...707172...971 Next