Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (19433 CVEs found)

Export CSV
CVE Vendors Products Updated CVSS v3.1
CVE-2026-39438 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in ListingPro <= 2.9.10 versions.
CVE-2026-12360 2 Crocoblock, Wordpress 2 Jetengine, Wordpress 2026-06-17 7.5 High
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
CVE-2026-49080 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
CVE-2026-49073 2026-06-17 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
CVE-2026-54811 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.
CVE-2026-54187 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions.
CVE-2026-54186 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions.
CVE-2026-54185 2026-06-17 8.5 High
Subscriber SQL Injection in Cornerstone < 7.8.8 versions.
CVE-2026-49084 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.
CVE-2026-49079 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.
CVE-2026-49076 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.
CVE-2026-48967 2026-06-17 8.5 High
Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.
CVE-2026-48875 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
CVE-2026-39596 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions.
CVE-2026-22340 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions.
CVE-2026-22335 2026-06-17 8.5 High
Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions.
CVE-2026-22332 2026-06-17 9.3 Critical
Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions.
CVE-2025-69135 2026-06-17 8.5 High
Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin <= 2.7.2 versions.
CVE-2026-42167 1 Proftpd 1 Proftpd 2026-06-17 8.1 High
mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
CVE-2026-36670 2026-06-17 8.8 High
A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php.