Total
16791 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60269 | 1 Huayi-tec | 1 Jeewms | 2025-10-16 | N/A | 9.4 CRITICAL |
| JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file. | |||||
| CVE-2025-61675 | 2025-10-16 | N/A | N/A | ||
| FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. | |||||
| CVE-2025-11501 | 2025-10-16 | N/A | 7.5 HIGH | ||
| The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the 'tax_query' parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-11177 | 2025-10-16 | N/A | 7.5 HIGH | ||
| The External Login plugin for WordPress is vulnerable to SQL Injection via the 'log' parameter in all versions up to, and including, 1.11.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database when a PostgreSQL or MSSQL database is configured as the external authentication database. | |||||
| CVE-2025-10045 | 2025-10-16 | N/A | 4.9 MEDIUM | ||
| The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-10660 | 2025-10-16 | N/A | 6.5 MEDIUM | ||
| The WP Dashboard Chat plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-10682 | 2025-10-16 | N/A | 6.5 MEDIUM | ||
| The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode. | |||||
| CVE-2025-10743 | 2025-10-16 | N/A | 7.5 HIGH | ||
| The Outdoor plugin for WordPress is vulnerable to SQL Injection via the 'edit' action in all versions up to, and including, 1.3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-41019 | 2025-10-16 | N/A | N/A | ||
| SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'. | |||||
| CVE-2025-10310 | 2025-10-16 | N/A | 4.9 MEDIUM | ||
| The Rich Snippet Site Report plugin for WordPress is vulnerable to SQL Injection via the 'last' parameter in all versions up to, and including, 2.0.0105 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be exploited via CSRF. | |||||
| CVE-2025-10575 | 2025-10-16 | N/A | 6.5 MEDIUM | ||
| The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs() function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-11365 | 2025-10-16 | N/A | 6.5 MEDIUM | ||
| The WP Google Map Plugin plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the 'google_map' shortcode in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-10730 | 2025-10-16 | N/A | 6.5 MEDIUM | ||
| The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-60265 | 1 Bestfeng | 1 Xckk | 2025-10-16 | N/A | 6.5 MEDIUM |
| In xckk v9.6, there is a SQL injection vulnerability in which the orderBy parameter in user/list is not securely filtered, resulting in a SQL injection vulnerability. | |||||
| CVE-2025-60311 | 1 Projectworlds | 1 Gym Management System | 2025-10-16 | N/A | 8.8 HIGH |
| ProjectWorlds Gym Management System1.0 is vulnerable to SQL Injection via the "id" parameter in the profile/edit.php page | |||||
| CVE-2025-60266 | 1 Bestfeng | 1 Xckk | 2025-10-16 | N/A | 6.5 MEDIUM |
| In xckk v9.6, there is a SQL injection vulnerability in which the orderBy parameter in address/list is not securely filtered, resulting in a SQL injection vulnerability. | |||||
| CVE-2025-60267 | 1 Bestfeng | 1 Xckk | 2025-10-16 | N/A | 6.5 MEDIUM |
| In xckk v9.6, there is a SQL injection vulnerability in which the cond parameter in notice/list is not securely filtered, resulting in a SQL injection vulnerability. | |||||
| CVE-2025-60316 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-10-16 | N/A | 9.4 CRITICAL |
| SourceCodester Pet Grooming Management Software 1.0 is vulnerable to SQL Injection in admin/view_customer.php via the ID parameter. | |||||
| CVE-2025-11736 | 1 Angeljudesuarez | 1 Online Examination System | 2025-10-16 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in itsourcecode Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /index.php. This manipulation of the argument Username causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | |||||
| CVE-2025-11668 | 1 Fabian | 1 Automated Voting System | 2025-10-16 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was determined in code-projects Automated Voting System 1.0. Affected by this issue is some unknown functionality of the file /admin/update_user.php. This manipulation of the argument Password causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | |||||