Total
16066 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1227 | 1 R1bbit | 1 Yimioa | 2025-08-26 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in ywoa up to 2024.07.03. It has been rated as critical. This issue affects the function selectList of the file com/cloudweb/oa/mapper/xml/AddressDao.xml. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-1216 | 1 R1bbit | 1 Yimioa | 2025-08-26 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in ywoa up to 2024.07.03. This issue affects the function selectNoticeList of the file com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml. The manipulation of the argument sort leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-1224 | 1 R1bbit | 1 Yimioa | 2025-08-26 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in ywoa up to 2024.07.03. This vulnerability affects the function listNameBySql of the file com/cloudweb/oa/mapper/xml/UserMapper.xml. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-47062 | 1 Navidrome | 1 Navidrome | 2025-08-26 | N/A | 8.8 HIGH |
| Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-56215 | 2025-08-26 | N/A | 6.5 MEDIUM | ||
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter. | |||||
| CVE-2025-9425 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in itsourcecode Online Tour and Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /enquiry.php. Performing manipulation of the argument pid results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-9423 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was determined in Campcodes Online Water Billing System 1.0. Affected is an unknown function of the file /editecex.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-9421 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in itsourcecode Apartment Management System 1.0. This affects an unknown function of the file /complain/addcomplain.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9420 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in itsourcecode Apartment Management System 1.0. The impacted element is an unknown function of the file /floor/addfloor.php. Executing manipulation of the argument hdnid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-9471 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in itsourcecode Apartment Management System 1.0. This vulnerability affects unknown code of the file /maintenance/add_maintenance_cost.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9470 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in itsourcecode Apartment Management System 1.0. This affects an unknown part of the file /management/add_m_committee.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-9469 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was detected in itsourcecode Apartment Management System 1.0. Affected by this issue is some unknown functionality of the file /fund/add_fund.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2025-9468 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A security vulnerability has been detected in itsourcecode Apartment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /bill/add_bill.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-9444 | 2025-08-26 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in 1000projects Online Project Report Submission and Evaluation System 1.0. This issue affects some unknown processing of the file /admin/controller/delete_group_student.php. The manipulation of the argument batch_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-56214 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter. | |||||
| CVE-2025-56212 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
| phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter. | |||||
| CVE-2025-55575 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
| SQL Injection vulnerability in SMM Panel 3.1 allowing remote attackers to gain sensitive information via a crafted HTTP request with action=service_detail. | |||||
| CVE-2025-52085 | 2025-08-26 | N/A | 8.8 HIGH | ||
| An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table. | |||||
| CVE-2025-51092 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
| The LogIn-SignUp project by VishnuSivadasVS is vulnerable to SQL Injection due to unsafe construction of SQL queries in DataBase.php. The functions logIn() and signUp() build queries by directly concatenating user input and unvalidated table names without using prepared statements. While a prepareData() function exists, it is insufficient to prevent SQL injection and does not sanitize the table name. | |||||
| CVE-2024-53499 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
| Jeewms v3.7 was discovered to contain a SQL injection vulnerability via the CgReportController API. | |||||