Total
16800 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62387 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62388 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62389 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62390 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62391 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62392 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-62384 | 1 Ivanti | 1 Endpoint Manager | 2025-10-15 | N/A | 6.5 MEDIUM |
| SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | |||||
| CVE-2025-3847 | 1 Markparticle | 1 Webserver | 2025-10-15 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in markparticle WebServer up to 1.0. This affects an unknown part of the file code/http/httprequest.cpp of the component Login. The manipulation of the argument username/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3856 | 1 Xxyopen | 1 Novel-plus | 2025-10-15 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2722 | 1 Atisoluciones | 1 Ciges | 2025-10-15 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. | |||||
| CVE-2024-2723 | 1 Atisoluciones | 1 Ciges | 2025-10-15 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. | |||||
| CVE-2024-2724 | 1 Atisoluciones | 1 Ciges | 2025-10-15 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query. | |||||
| CVE-2025-46011 | 1 Nadh | 1 Listmonk | 2025-10-15 | N/A | 6.5 MEDIUM |
| Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges. | |||||
| CVE-2024-4257 | 1 Bluenettechnology | 1 Clinical Browsing System | 2025-10-15 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262149 was assigned to this vulnerability. | |||||
| CVE-2025-7744 | 1 Dolusoft | 1 Omaspot | 2025-10-15 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection.This issue affects Omaspot: before 12.09.2025. | |||||
| CVE-2024-8251 | 1 Mintplexlabs | 1 Anythingllm | 2025-10-15 | N/A | 5.3 MEDIUM |
| A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit this by providing a specially crafted JSON object, such as {"sessionId":{"not":"a"}}, causing Prisma to return all data from the table. This can lead to unauthorized access to all user queries in embedded chat mode. | |||||
| CVE-2024-8055 | 2025-10-15 | N/A | 7.5 HIGH | ||
| Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, such as `/etc/passwd`, by exploiting the exposed SQL queries through a Python Flask API. | |||||
| CVE-2024-5827 | 2025-10-15 | N/A | 9.8 CRITICAL | ||
| Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors. | |||||
| CVE-2024-5753 | 2025-10-15 | N/A | 7.5 HIGH | ||
| vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by exploiting the exposed SQL queries via a Python Flask API. | |||||
| CVE-2024-12911 | 1 Llamaindex | 1 Llamaindex | 2025-10-15 | N/A | 7.1 HIGH |
| A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1. | |||||