Total: 16884 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-31460 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | N/A | 6.5 MEDIUM | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in the `create_all_header_nodes()` function from `lib/api_automation.php`, finally resulting in SQL injection. Using SQL-based secondary injection, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. |
| CVE-2024-31458 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | N/A | 4.6 MEDIUM | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in the `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue. |
| CVE-2024-31445 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2025-11-04 | N/A | 8.8 HIGH | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, `get_request_var('filter')` is concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the filter for `'filter'` is `FILTER_DEFAULT`, which means no filtering is applied to it. Version 1.2.27 contains a patch for the issue. |
| CVE-2024-9465 | 1 Paloaltonetworks | 1 Expedition | 2025-11-04 | N/A | 9.1 CRITICAL | An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system. |
| CVE-2025-63453 | | | 2025-11-04 | N/A | 9.8 CRITICAL | Car-Booking-System-PHP v.1.0 is vulnerable to SQL injection in /carlux/contact.php. |
| CVE-2020-36857 | | | 2025-11-04 | N/A | N/A | Nagios XI versions prior to 5.6.14 contain a post-authentication SQL injection vulnerability in the SNMP Trap Interface page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database. |
| CVE-2020-36869 | | | 2025-11-04 | N/A | N/A | Nagios XI versions prior to 5.7.5 contain a SQL injection vulnerability in the SNMP Trap Interface edit page. Exploitation requires an account with administrative privileges to access the affected interface. A user with administrative access could supply crafted input that is not properly sanitized, allowing SQL injection that may lead to unauthorized disclosure or modification of application data or execution of arbitrary SQL commands against the backend database. |
| CVE-2021-47693 | | | 2025-11-04 | N/A | N/A | The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database. |
| CVE-2012-10063 | | | 2025-11-04 | N/A | N/A | Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. |
| CVE-2016-15050 | | | 2025-11-04 | N/A | N/A | Nagios XI versions prior to 5.2.4 contain a SQL injection vulnerability in the notification search functionality. User-supplied search parameters were incorporated into SQL statements without adequate parameterization or sanitization, allowing an authenticated user to manipulate database queries. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly. |
| CVE-2020-36859 | | | 2025-11-04 | N/A | N/A | The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.0.7 / Nagios XI 5.7.4 contains multiple SQL injection vulnerabilities in the object edit pages. Unsanitized user-supplied input was incorporated into SQL queries used by configuration object editors, allowing authenticated users to inject SQL fragments. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and in some environments could allow further compromise of the application or backend database. |
| CVE-2025-63452 | | | 2025-11-04 | N/A | 9.4 CRITICAL | Car-Booking-System-PHP v.1.0 is vulnerable to SQL injection in /carlux/forgot-pass.php. |
| CVE-2025-12614 | | | 2025-11-04 | 5.8 MEDIUM | 4.7 MEDIUM | A weakness has been identified in SourceCodester Best House Rental Management System 1.0. Impacted is the function delete_payment of the file /admin_class.php. Manipulation of the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and may be used. |
| CVE-2025-64366 | | | 2025-11-04 | N/A | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through <= 3.6.27. |
| CVE-2025-12503 | | | 2025-11-04 | N/A | 6.5 MEDIUM | EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, have a SQL injection vulnerability that allows authenticated remote attackers to inject arbitrary SQL commands to read database contents. |
| CVE-2025-12463 | | | 2025-11-04 | N/A | 9.8 CRITICAL | An unauthenticated SQL injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19. |
| CVE-2025-12607 | | | 2025-11-04 | 7.5 HIGH | 7.3 HIGH | A vulnerability was identified in itsourcecode Online Loan Management System 1.0. Impacted is an unknown function of the file /manage_payment.php. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and may be used. |
| CVE-2025-12617 | | | 2025-11-04 | 7.5 HIGH | 7.3 HIGH | A flaw has been found in itsourcecode Billing System 1.0. This affects an unknown function of the file /admin/app/login_crud.php. Manipulation of the argument Password can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. |
| CVE-2025-11740 | | | 2025-11-04 | N/A | 6.5 MEDIUM | The wpForo Forum plugin for WordPress is vulnerable to SQL injection via the Subscriptions Manager in all versions up to, and including, 2.4.9 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database. |
| CVE-2025-12604 | | | 2025-11-04 | 7.5 HIGH | 7.3 HIGH | A vulnerability has been found in itsourcecode Online Loan Management System 1.0. This affects an unknown part of the file /load_fields.php. Manipulation of the argument loan_id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
