Security Risk Category

sql-injection Security Risks

Published vulnerability pages connected to sql-injection. One risk can appear in multiple categories while keeping one canonical page.

sql-injection risks

Showing 8 of 8 published risks.

mediumEPSS 0.003

CodeAstro Simple Online Leave Management System SQL Injection Vulnerability

A vulnerability was determined in CodeAstro Simple Online Leave Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /SimpleOnlineLeave/index.php. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

CVE-2026-15134phpcodeastroleave-managementsql-injection

Updated Jul 10, 2026

mediumEPSS 0.003

code-projects Online Food Order System SQL Injection Vulnerability

A security flaw has been discovered in code-projects Online Food Order System 1.0. This affects an unknown part of the file /edit_food_items.php. The manipulation of the argument update results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

CVE-2026-15135phpcode-projectsonline-food-order-systemsql-injection

Updated Jul 10, 2026

mediumEPSS 0.003

code-projects Interview Management System SQL Injection Vulnerability

A weakness has been identified in code-projects Interview Management System 1.0. This vulnerability affects unknown code of the file \inc\classes\View.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

CVE-2026-15137phpcode-projectsinterview-management-systemsql-injection

Updated Jul 10, 2026

mediumEPSS 0.003

WP ERP WordPress Plugin SQL Injection Vulnerability

The ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.17.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the erp_list_employee capability, which is granted to HR Manager-level users and above within the WP ERP plugin.

CVE-2026-13011wordpresswp-erpsql-injectionplugin

Updated Jul 10, 2026

mediumEPSS 0.003

Mail Mint WordPress Plugin Time-Based SQL Injection Vulnerability

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to time-based SQL Injection via the 'contact_ids' parameter in all versions up to, and including, 1.24.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2026-14342wordpresswoocommercemail-mintsql-injection

Updated Jul 10, 2026

criticalEPSS 0.004

BiEticaret SQL Injection Vulnerability

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Inrove Software and Internet Services BiEticaret allows SQL Injection. This issue affects BiEticaret: before v3.3.57.

CVE-2026-5955bieticaretsql-injectionweb-application

Updated Jul 10, 2026

high

SOPlanning Audit Retention SQL Injection Vulnerability

SOPlanning is vulnerable to SQL injection in the audit retention configuration. An attacker holding parameters_all rights can inject SQL commands into the audit configuration form which is then saved. The execution is triggered when the audit functionality is accessed (by the attacker or another user). This issue was fixed in version 1.56.01.

CVE-2026-50644soplanningphpsql-injectionweb-application

Updated Jul 10, 2026

critical

AcyMailing Joomla Component SQL Injection Vulnerability

A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.

CVE-2026-56292joomlaphpacymailingsql-injection

Updated Jul 10, 2026