Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CVEs (19,368)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-6151 - - Apr 29, 2026 Apr 13, 2026 5.5 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/PaymentStatusFunction.php. The manipulation of the argument CUSTOMER_ID results...Show more A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/PaymentStatusFunction.php. The manipulation of the argument CUSTOMER_ID results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.Show less
CVE-2026-6149 - - Apr 29, 2026 Apr 13, 2026 5.5 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Affected by this issue is some unknown functionality of the file /util/BookVehicleFunction.php. Executing a manipulation of the argument BRAN...Show more A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Affected by this issue is some unknown functionality of the file /util/BookVehicleFunction.php. Executing a manipulation of the argument BRANCH_ID can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.Show less
CVE-2026-6148 - - Apr 29, 2026 Apr 13, 2026 5.5 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Performing a manipula...Show more A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Performing a manipulation of the argument BRANCH_ID results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.Show less
CVE-2026-6142 - - Apr 29, 2026 Apr 13, 2026 5.5 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The mani...Show more A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.Show less
CVE-2019-25713 1Myt Project 1Myt Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 8.1 HIGH· v3 N/A· v2 MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafte...Show more MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.Show less
CVE-2019-25710 1Dolibarr 1Dolibarr Erp/crm Apr 17, 2026 Apr 12, 2026 8.8 HIGH· v4 9.1 CRITICAL· v3 N/A· v2 Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through...Show more Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.Show less
CVE-2019-25707 1Ebrigade 1Ebrigade Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 7.1 HIGH· v3 N/A· v2 eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf...Show more eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details.Show less
CVE-2019-25703 1Impresscms 1Impresscms Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 8.8 HIGH· v3 N/A· v2 ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requ...Show more ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.Show less
CVE-2019-25699 1Gurkanuzunca 1Newsbull Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 7.1 HIGH· v3 N/A· v2 Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injectio...Show more Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data.Show less
CVE-2019-25697 1Victoralagwu 1Cmssite Apr 17, 2026 Apr 12, 2026 8.8 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php...Show more CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.Show less
CVE-2019-25693 1Montala 1Resourcespace Apr 17, 2026 Apr 12, 2026 7.1 HIGH· v4 7.1 HIGH· v3 N/A· v2 ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers...Show more ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.Show less
CVE-2018-25257 - - Apr 15, 2026 Apr 12, 2026 7.1 HIGH· v4 7.1 HIGH· v3 N/A· v2 Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can su...Show more Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access.Show less
CVE-2026-5207 - - Apr 24, 2026 Apr 11, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 9.2.1. This is due to insufficient escaping on the user supplied parameter and lack of suf...Show more The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 9.2.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level access and above who have the edit_post capability on the quiz, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.Show less
CVE-2026-36236 1Janobe 1Engineers Online Portal Apr 14, 2026 Apr 10, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.
CVE-2026-36235 1Itsourcecode 1Online Student Enrollment System Apr 14, 2026 Apr 10, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL...Show more A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.Show less
CVE-2026-36234 1Itsourcecode 1Online Student Enrollment System Apr 14, 2026 Apr 10, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.
CVE-2026-36233 1Itsourcecode 1Online Student Enrollment System Apr 14, 2026 Apr 10, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parame...Show more A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation.Show less
CVE-2026-36232 1Itsourcecode 1Online Student Enrollment System Apr 14, 2026 Apr 10, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly...Show more A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.Show less
CVE-2026-29861 - - Apr 27, 2026 Apr 10, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
CVE-2026-23780 1Bmc 1Control M/managed File Transfer Apr 27, 2026 Apr 10, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input valida...Show more An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.Show less

Previous 1...363738...969 Next