Export limit exceeded: 17917 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (17917 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-1211 | 1 Phpipam | 1 Phpipam | 2026-02-16 | 7.2 High |
| SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2. | ||||
| CVE-2025-62173 | 1 Freepbx | 1 Freepbx | 2026-02-13 | N/A |
| ## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | ||||
| CVE-2025-61675 | 1 Freepbx | 1 Endpoint Manager | 2026-02-13 | N/A |
| FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the basestation, model, firmware, and custom extension configuration functionality areas. Authentication with a known username is required to exploit these vulnerabilities. Successful exploitation allows authenticated users to execute arbitrary SQL queries against the database, potentially enabling access to sensitive data or modification of database contents. This issue has been patched in version 16.0.92 for FreePBX 16 and version 17.0.6 for FreePBX 17. | ||||
| CVE-2025-10969 | 1 Farktor Software E-commerce Services Inc. | 1 E-commerce Package | 2026-02-13 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection.This issue affects E-Commerce Package: through 27112025. | ||||
| CVE-2019-25346 | 1 Kostasmitroglou | 1 Thesystem | 2026-02-13 | 7.1 High |
| TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information. | ||||
| CVE-2019-25347 | 1 Kostasmitroglou | 1 Thesystem | 2026-02-13 | 7.1 High |
| thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts. | ||||
| CVE-2019-25320 | 1 Amitkolloldey | 1 E-learning Script | 2026-02-13 | 6.5 Medium |
| E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain unauthorized access to the system. | ||||
| CVE-2019-25325 | 1 Thrive | 1 Smart Home | 2026-02-13 | 8.2 High |
| Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application. | ||||
| CVE-2019-25335 | 1 Websitem | 1 7070 Hazır Profesyonel Web Sitesi | 2026-02-13 | 7.5 High |
| PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface. | ||||
| CVE-2024-51962 | 1 Esri | 1 Arcgis Server | 2026-02-13 | 8.7 High |
| A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability. | ||||
| CVE-2025-49759 | 1 Microsoft | 6 Server, Sql Server, Sql Server 2016 and 3 more | 2026-02-13 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-53727 | 1 Microsoft | 6 Sql 2016 Azure Connect Feature Pack, Sql Server, Sql Server 2016 and 3 more | 2026-02-13 | 8.8 High |
| Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2020-37053 | 1 Naviwebs | 1 Navigate Cms | 2026-02-13 | 7.1 High |
| Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | ||||
| CVE-2025-59473 | 1 Expressionengine | 1 Expressionengine | 2026-02-13 | 7.2 High |
| SQL Injection vulnerability in the Structure for Admin authenticated user | ||||
| CVE-2024-43468 | 1 Microsoft | 4 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 1 more | 2026-02-13 | 9.8 Critical |
| Microsoft Configuration Manager Remote Code Execution Vulnerability | ||||
| CVE-2020-37112 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-02-12 | 7.1 High |
| GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. | ||||
| CVE-2025-64092 | 1 Zenitel | 4 Icx500, Icx500 Firmware, Icx510 and 1 more | 2026-02-12 | 7.5 High |
| This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. | ||||
| CVE-2025-10878 | 2 Insaat, Omran | 2 Fikir Odalari Adminpando, Fikir Odalari Adminpando | 2026-02-12 | 10 Critical |
| A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation). | ||||
| CVE-2025-6830 | 1 Xpoda Turkiye Information Technology | 1 Xpoda Studio | 2026-02-11 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpoda Türkiye Information Technology Inc. Password Module allows SQL Injection.This issue affects Password Module: through 11022026. | ||||
| CVE-2025-7636 | 1 Ergosis Security Systems Computer Industry And Trade Inc. | 1 Zeus Pdks | 2026-02-11 | 8.8 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection.This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||