SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
Max CVSS
9.8
EPSS Score
1.33%
Published
2019-11-26
Updated
2019-12-10
An SQL Injection vulnerability exists in MiniDLNA prior to 1.1.0
Max CVSS
9.8
EPSS Score
2.53%
Published
2019-12-04
Updated
2020-08-18
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
Max CVSS
9.8
EPSS Score
96.03%
Published
2014-03-14
Updated
2021-02-26
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Max CVSS
9.8
EPSS Score
0.52%
Published
2017-12-29
Updated
2018-01-17
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation.
Max CVSS
9.8
EPSS Score
0.50%
Published
2020-01-27
Updated
2020-01-31
The PDO adapters in Zend Framework before 1.12.16 do not filer null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.
Max CVSS
9.8
EPSS Score
1.63%
Published
2016-06-07
Updated
2016-11-28
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
Max CVSS
9.8
EPSS Score
0.32%
Published
2017-01-30
Updated
2021-01-30
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
Max CVSS
9.8
EPSS Score
0.28%
Published
2019-02-05
Updated
2022-06-07
SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows SQL Injection attacks against SlurmDBD.
Max CVSS
9.8
EPSS Score
0.16%
Published
2018-03-15
Updated
2019-02-28
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
Max CVSS
9.8
EPSS Score
1.35%
Published
2019-02-20
Updated
2021-12-03
SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
Max CVSS
9.8
EPSS Score
1.01%
Published
2019-07-11
Updated
2022-04-06
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
Max CVSS
9.8
EPSS Score
0.54%
Published
2019-08-09
Updated
2019-08-28
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
Max CVSS
9.8
EPSS Score
0.27%
Published
2022-09-02
Updated
2023-02-16
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.
Max CVSS
9.8
EPSS Score
0.75%
Published
2020-10-10
Updated
2023-01-31

CVE-2021-44026

Known exploited
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Max CVSS
9.8
EPSS Score
0.59%
Published
2021-11-19
Updated
2021-12-16
CISA KEV Added
2023-06-22
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Max CVSS
9.8
EPSS Score
0.74%
Published
2022-04-15
Updated
2023-02-02
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Max CVSS
9.8
EPSS Score
0.30%
Published
2022-04-12
Updated
2023-04-28
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Max CVSS
9.8
EPSS Score
0.32%
Published
2022-04-12
Updated
2023-04-28
In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
Max CVSS
9.8
EPSS Score
1.10%
Published
2022-05-04
Updated
2022-10-06
An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement.
Max CVSS
9.0
EPSS Score
0.88%
Published
2018-03-28
Updated
2021-11-23
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
Max CVSS
8.8
EPSS Score
0.33%
Published
2020-01-09
Updated
2020-11-10
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Max CVSS
8.8
EPSS Score
14.12%
Published
2020-03-05
Updated
2022-10-08
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Max CVSS
8.8
EPSS Score
2.58%
Published
2020-11-16
Updated
2022-10-19
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Max CVSS
8.8
EPSS Score
0.47%
Published
2022-01-06
Updated
2022-04-12
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
Max CVSS
8.8
EPSS Score
0.29%
Published
2022-02-24
Updated
2022-11-07
53 vulnerabilities found
1 2 3
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!