Export limit exceeded: 364448 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19752 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25750 | 1 Cmsjunkie | 1 Multiplehotelreservation | 2026-06-22 | 8.2 High |
| Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hotel_id parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL UNION SELECT statements to extract sensitive database information including table names and column data. | ||||
| CVE-2026-12789 | 1 Ilias | 1 Learning Management System | 2026-06-22 | 4.7 Medium |
| A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument troup_table_nav leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-39438 | 2 Emraan Cheema, Wordpress | 2 Listingpro, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions. | ||||
| CVE-2026-49080 | 2 Tms, Wordpress | 2 Wpdatatables, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions. | ||||
| CVE-2025-69135 | 2 Curlythemes, Wordpress | 2 Events Schedule - Wordpress Events Calendar Plugin, Wordpress | 2026-06-20 | 8.5 High |
| Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin <= 2.7.2 versions. | ||||
| CVE-2026-22335 | 2 Wc Lovers., Wordpress | 2 Woocommerce Frontend Manager – Ultimate, Wordpress | 2026-06-20 | 8.5 High |
| Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions. | ||||
| CVE-2026-22340 | 2 Jobster Marketplace, Wordpress | 2 Wpjobster, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions. | ||||
| CVE-2026-48875 | 2 Jetimpex Inc., Wordpress | 2 Jetsmartfilters, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions. | ||||
| CVE-2026-49076 | 2 Jetimpex Inc., Wordpress | 2 Jetengine, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions. | ||||
| CVE-2026-49079 | 2 Jetimpex Inc., Wordpress | 2 Jetsearch, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions. | ||||
| CVE-2026-49084 | 2 Jetimpex Inc., Wordpress | 2 Jetengine, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions. | ||||
| CVE-2026-54185 | 2 Themeco, Wordpress | 2 Cornerstone, Wordpress | 2026-06-20 | 8.5 High |
| Subscriber SQL Injection in Cornerstone < 7.8.8 versions. | ||||
| CVE-2026-54187 | 2 Jetimpex Inc., Wordpress | 2 Jetengine, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions. | ||||
| CVE-2025-59554 | 2 Advanced Ads Gmbh, Wordpress | 2 Advanced Ads – Tracking, Wordpress | 2026-06-20 | 9.3 Critical |
| Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions. | ||||
| CVE-2026-54819 | 2 Webilia Inc., Wordpress | 2 Listdom, Wordpress | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webilia Inc. Listdom allows Blind SQL Injection. This issue affects Listdom: from n/a through 5.4.0. | ||||
| CVE-2026-54815 | 2 Cargo Rd, Wordpress | 2 Cargo Shipping Location For Woocommerce, Wordpress | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6. | ||||
| CVE-2026-54808 | 2 Wordpress, Wp Travel | 2 Wordpress, Wp Travel Gutenberg Blocks | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4. | ||||
| CVE-2026-54809 | 2 Villatheme, Wordpress | 2 Gift4u, Wordpress | 2026-06-20 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10. | ||||
| CVE-2026-55740 | 1 Nur-alam39 | 1 Bus-ticket | 2026-06-20 | 9.8 Critical |
| Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements. | ||||
| CVE-2026-54419 | 1 Claudiopizzillo | 1 Piaf-hms | 2026-06-20 | 9.8 Critical |
| claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements. | ||||