Export limit exceeded: 19866 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19866 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13331 | 2 Trainingbusinesspros, Wordpress | 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress | 2026-06-27 | 6.5 Medium |
| The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-40083 | 1 Cacti | 1 Cacti | 2026-06-27 | 7.2 High |
| Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31. | ||||
| CVE-2026-57643 | 2 Afthemes, Wordpress | 2 Wp Post Author, Wordpress | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in WP Post Author <= 3.9.1 versions. | ||||
| CVE-2026-57653 | 2 Wordpress, Wpjobportal | 2 Wordpress, Wp Job Portal | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in WP Job Portal <= 2.5.2 versions. | ||||
| CVE-2026-54825 | 2 Wordpress, Wpdatatables | 2 Wordpress, Wpdatatables | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in wpDataTables <= 7.4 versions. | ||||
| CVE-2026-56064 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2026-06-26 | 8.5 High |
| Subscriber SQL Injection in Tourfic <= 2.22.5 versions. | ||||
| CVE-2026-57631 | 2 Ays-pro, Wordpress | 2 Popup Box, Wordpress | 2026-06-26 | 7.6 High |
| Administrator SQL Injection in Popup box <= 6.0.1 versions. | ||||
| CVE-2026-57636 | 2 Tomdever, Wordpress | 2 Wpforo Forum, Wordpress | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in wpForo Forum <= 3.0.9 versions. | ||||
| CVE-2026-57662 | 2 Wasiliy Strecker, Wordpress | 2 Contest Gallery, Wordpress | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in Contest Gallery <= 30.0.0 versions. | ||||
| CVE-2026-54831 | 2 Paolo, Wordpress | 2 Geodirectory, Wordpress | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions. | ||||
| CVE-2026-56070 | 2 Themehunk, Wordpress | 2 Advance Product Search, Wordpress | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions. | ||||
| CVE-2026-39951 | 1 Cacti | 1 Cacti | 2026-06-26 | 7.6 High |
| Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31. | ||||
| CVE-2026-37149 | 1 Anirudhkannanvp | 1 Grocery Store Management System | 2026-06-26 | 7.7 High |
| GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement. | ||||
| CVE-2026-13226 | 2 Trainingbusinesspros, Wordpress | 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress | 2026-06-26 | 6.5 Medium |
| The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path. | ||||
| CVE-2026-39502 | 2 10web, Wordpress | 2 Form Maker, Wordpress | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. | ||||
| CVE-2026-54813 | 2 Brainstorm Force, Wordpress | 2 Suredash, Wordpress | 2026-06-26 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force SureDash allows Blind SQL Injection. This issue affects SureDash: from n/a through 1.8.0. | ||||
| CVE-2026-35068 | 1 Dell | 1 Powerflex | 2026-06-26 | 3.5 Low |
| Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | ||||
| CVE-2026-35069 | 1 Dell | 1 Powerflex | 2026-06-26 | 5.7 Medium |
| Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | ||||
| CVE-2026-12937 | 2 Themefic, Wordpress | 2 Tourfic – Ai Powered Travel Booking, Hotel Booking & Car Rental Wordpress Plugin, Wordpress | 2026-06-26 | 7.5 High |
| The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path. | ||||
| CVE-2026-54838 | 2 Rymera Web Co, Wordpress | 2 Wc Vendors Marketplace, Wordpress | 2026-06-26 | 8.5 High |
| Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions. | ||||