Export limit exceeded: 17910 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (17910 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-1211 | 1 Phpipam | 1 Phpipam | 2026-02-16 | 7.2 High |
| SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2. | ||||
| CVE-2025-67736 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2026-02-13 | 7.2 High |
| The FreePBX module tts (Text to Speech) for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authenticated users with administrative access to the Administrator Control Panel (ACP) can leverage this SQL injection vulnerability to extract sensitive information from the database and execute code on the system as the `asterisk` user with chained elevation to `root` privileges. Users should upgrade to version 16.0.5 or 17.0.5 to receive a fix. | ||||
| CVE-2025-62173 | 1 Freepbx | 1 Freepbx | 2026-02-13 | N/A |
| ## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | ||||
| CVE-2025-61675 | 1 Freepbx | 1 Endpoint Manager | 2026-02-13 | N/A |
| FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. | ||||
| CVE-2025-57819 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2026-02-13 | 9.8 Critical |
| FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3. | ||||
| CVE-2025-10969 | 1 Farktor Software E-commerce Services Inc. | 1 E-commerce Package | 2026-02-13 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection.This issue affects E-Commerce Package: through 27112025. | ||||
| CVE-2019-25346 | 1 Kostasmitroglou | 1 Thesystem | 2026-02-13 | 7.1 High |
| TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information. | ||||
| CVE-2019-25347 | 1 Kostasmitroglou | 1 Thesystem | 2026-02-13 | 7.1 High |
| thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts. | ||||
| CVE-2019-25320 | 1 Amitkolloldey | 1 E-learning Script | 2026-02-13 | 6.5 Medium |
| E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain unauthorized access to the system. | ||||
| CVE-2019-25325 | 1 Thrive | 1 Smart Home | 2026-02-13 | 8.2 High |
| Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application. | ||||
| CVE-2019-25335 | 1 Websitem | 1 7070 Hazır Profesyonel Web Sitesi | 2026-02-13 | 7.5 High |
| PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface. | ||||
| CVE-2025-59499 | 1 Microsoft | 5 Sql Server, Sql Server 2016, Sql Server 2017 and 2 more | 2026-02-13 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2024-51962 | 1 Esri | 1 Arcgis Server | 2026-02-13 | 8.7 High |
| A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability. | ||||
| CVE-2025-47178 | 1 Microsoft | 2 Configuration Manager, Configuration Manager 2503 | 2026-02-13 | 8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network. | ||||
| CVE-2025-47954 | 1 Microsoft | 2 Sql Server, Sql Server 2022 | 2026-02-13 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-49759 | 1 Microsoft | 6 Server, Sql Server, Sql Server 2016 and 3 more | 2026-02-13 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-53727 | 1 Microsoft | 6 Sql 2016 Azure Connect Feature Pack, Sql Server, Sql Server 2016 and 3 more | 2026-02-13 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2020-37053 | 1 Naviwebs | 1 Navigate Cms | 2026-02-13 | 7.1 High |
| Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | ||||
| CVE-2025-59473 | 1 Expressionengine | 1 Expressionengine | 2026-02-13 | 7.2 High |
| SQL Injection vulnerability in the Structure for Admin authenticated user | ||||
| CVE-2024-43468 | 1 Microsoft | 4 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 1 more | 2026-02-13 | 9.8 Critical |
| Microsoft Configuration Manager Remote Code Execution Vulnerability | ||||