Total
19632 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37564 | 2026-04-15 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PayPlus LTD PayPlus Payment Gateway.This issue affects PayPlus Payment Gateway: from n/a through 7.0.7. | ||||
| CVE-2025-13319 | 1 Nettec | 1 Digi On-prem Manager | 2026-04-15 | 8.8 High |
| An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack. | ||||
| CVE-2024-2453 | 1 Advantech | 1 Webaccess/scada | 2026-04-15 | 6.4 Medium |
| There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database. | ||||
| CVE-2025-1154 | 2026-04-15 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in xxyopen Novel up to 3.4.1. Affected by this issue is some unknown functionality of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | ||||
| CVE-2024-57178 | 2026-04-15 | 5.9 Medium | ||
| An SQL injection vulnerability exists in Stock-Forecaster <=01-04-2020. By sending a specially crafted 'stock-symbol' parameter to the portofolio() endpoint, it is possible to trigger an SQL injection in the application. As a result, the attacker will be able the user data or manipulate the software behavior. | ||||
| CVE-2024-36680 | 1 Promokit | 1 Pkfacebook | 2026-04-15 | 7.5 High |
| In the module "Facebook" (pkfacebook) <=1.0.1 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. | ||||
| CVE-2025-10712 | 1 07fly | 3 07fly-cms, 07flycms, 07flycrm | 2026-04-15 | 7.3 High |
| A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This issue affects some unknown processing of the file /index.php/Login/login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4665 | 2 Arshid, Wordpress | 2 Wordpress Contact Form Cfdb7, Wordpress | 2026-04-15 | 9.6 Critical |
| WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully. | ||||
| CVE-2024-33276 | 1 Prestashop | 1 Prestashop | 2026-04-15 | 9.8 Critical |
| SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. | ||||
| CVE-2024-4423 | 2026-04-15 | 7.2 High | ||
| The access control in CemiPark software does not properly validate user-entered data, which allows the authentication bypass. An attacker who has network access to the login panel can log in with administrator rights to the application.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products. | ||||
| CVE-2024-28816 | 1 Aaravrajsingh | 1 Chatbot | 2026-04-15 | 7.1 High |
| Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php. | ||||
| CVE-2025-2928 | 1 Genetec | 1 Security Center | 2026-04-15 | 7.2 High |
| SQL Injection affecting the Archiver role. | ||||
| CVE-2024-43207 | 2026-04-15 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Valiano Unite Gallery Lite.This issue affects Unite Gallery Lite: from n/a through 1.7.62. | ||||
| CVE-2025-12397 | 1 Google | 2 Cloud Looker, Looker | 2026-04-15 | N/A |
| A SQL injection vulnerability was found in Looker Studio. A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerability affected to reports with BigQuery as the data source. This vulnerability was patched on 21 July 2025, and no customer action is needed. | ||||
| CVE-2024-29732 | 2026-04-15 | 9.8 Critical | ||
| A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via "user" parameter. | ||||
| CVE-2024-6003 | 2026-04-15 | 7.3 High | ||
| A vulnerability was found in Guangdong Baolun Electronics IP Network Broadcasting Service Platform 2.0. It has been classified as critical. Affected is an unknown function of the file /api/v2/maps. The manipulation of the argument orderColumn leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268692. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-11460 | 1 Picture-planet | 1 Verowa Connect | 2026-04-15 | 7.5 High |
| The Verowa Connect plugin for WordPress is vulnerable to SQL Injection via the 'search_string' parameter in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2019-25439 | 1 Novismart | 1 Novismart Cms | 2026-04-15 | 8.2 High |
| NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service. | ||||
| CVE-2024-33450 | 2026-04-15 | 7.5 High | ||
| SQL Injection in Finereport v.8.0 allows a remote attacker to obtain sensitive information | ||||
| CVE-2024-54447 | 2026-04-15 | N/A | ||
| Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. | ||||