Total
16949 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-60266 | 2 Bestfeng, Xckk | 2 Xckk, Xckk | 2025-10-16 | 6.5 Medium |
| In xckk v9.6, there is a SQL injection vulnerability in which the orderBy parameter in address/list is not securely filtered, resulting in a SQL injection vulnerability. | ||||
| CVE-2025-60267 | 2 Bestfeng, Xckk | 2 Xckk, Xckk | 2025-10-16 | 6.5 Medium |
| In xckk v9.6, there is a SQL injection vulnerability in which the cond parameter in notice/list is not securely filtered, resulting in a SQL injection vulnerability. | ||||
| CVE-2025-60316 | 2 Mayurik, Sourcecodester | 2 Pet Grooming Management Software, Pet Grooming Management Software | 2025-10-16 | 9.4 Critical |
| SourceCodester Pet Grooming Management Software 1.0 is vulnerable to SQL Injection in admin/view_customer.php via the ID parameter. | ||||
| CVE-2025-1958 | 1 Aaluoxiang | 1 Oa System | 2025-10-15 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in aaluoxiang oa_system 1.0. This issue affects some unknown processing of the file src/main/resources/mappers/address-mapper.xml. The manipulation of the argument outtype leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-40711 | 1 Quiter | 1 Quiter Gateway | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the id_concesion parameter in /<Client>FacturaE/VerFacturaPDF. | ||||
| CVE-2025-40712 | 1 Quiter | 1 Quiter Gateway | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the id_concesion parameter in /<Client>FacturaE/DescargarFactura. | ||||
| CVE-2025-40713 | 1 Quiter | 1 Quiter Gateway | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the campo parameter in/<Client>FacturaE/BusquedasFacturasSesion. | ||||
| CVE-2025-40714 | 1 Quiter | 1 Quiter Gateway | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the campo id_factura in /<Client>FacturaE/listado_facturas_ficha.jsp. | ||||
| CVE-2025-3846 | 1 Markparticle | 1 Webserver | 2025-10-15 | 7.3 High |
| A vulnerability was found in markparticle WebServer up to 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file code/http/httprequest.cpp of the component Registration. The manipulation of the argument username/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3847 | 1 Markparticle | 1 Webserver | 2025-10-15 | 7.3 High |
| A vulnerability classified as critical has been found in markparticle WebServer up to 1.0. This affects an unknown part of the file code/http/httprequest.cpp of the component Login. The manipulation of the argument username/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3856 | 1 Xxyopen | 1 Novel-plus | 2025-10-15 | 6.3 Medium |
| A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2722 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. | ||||
| CVE-2024-2723 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. | ||||
| CVE-2024-2724 | 2 Atisoluciones, Ciges | 2 Ciges, Cigesv2 | 2025-10-15 | 9.8 Critical |
| SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. | ||||
| CVE-2025-46011 | 1 Nadh | 1 Listmonk | 2025-10-15 | 6.5 Medium |
| Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges. | ||||
| CVE-2025-10808 | 1 Campcodes | 1 Farm Management System | 2025-10-15 | 7.3 High |
| A weakness has been identified in Campcodes Farm Management System 1.0. Impacted is an unknown function of the file /uploadProduct.php. This manipulation of the argument Type causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2024-4257 | 1 Bluenettechnology | 1 Clinical Browsing System | 2025-10-15 | 6.3 Medium |
| A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262149 was assigned to this vulnerability. | ||||
| CVE-2025-7744 | 1 Dolusoft | 1 Omaspot | 2025-10-15 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection.This issue affects Omaspot: before 12.09.2025. | ||||
| CVE-2024-8251 | 1 Mintplexlabs | 1 Anythingllm | 2025-10-15 | N/A |
| A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit this by providing a specially crafted JSON object, such as {"sessionId":{"not":"a"}}, causing Prisma to return all data from the table. This can lead to unauthorized access to all user queries in embedded chat mode. | ||||
| CVE-2024-8055 | 1 Vanna-ai | 1 Vanna | 2025-10-15 | N/A |
| Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, such as `/etc/passwd`, by exploiting the exposed SQL queries through a Python Flask API. | ||||