Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.
An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST paramete
A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login en
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query par
Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attac
An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.
Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exa
Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.
Unauthenticated PHP Object Injection in Moderno < 1.43 versions.
The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user suppl
Improper neutralization of input provided by a low-privileged user into a file search functionality in Ready_'s Invoices module allows for SQL Injection attacks.
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter b
Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions.
A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in t
pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base._execute_sql_query component.