MITRE ATT&CK CVE list for this attack path (SQL injection). Use the CVSS and EPSS scores together with the published and updated dates to decide what to patch first and what to track next.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-56034 | Unauthenticated SQL Injection in Library Management System <= 3.5.7 versions. | 9.3 | 0.29% | 2026-06-26 | 2026-06-26 |
| CVE-2026-54831 | Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions. | 9.3 | 0.28% | 2026-06-26 | 2026-06-26 |
| CVE-2026-54827 | Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions. | 9.3 | 0.28% | 2026-06-26 | 2026-06-26 |
| CVE-2026-54825 | Unauthenticated SQL Injection in wpDataTables <= 7.4 versions. | 9.3 | 0.28% | 2026-06-26 | 2026-06-26 |
| CVE-2026-54820 | Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions. | 9.3 | 0.28% | 2026-06-26 | 2026-06-26 |
| CVE-2026-13226 | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract se | 6.5 | 0.28% | 2026-06-25 | 2026-06-26 |
| CVE-2026-40083 | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Th | 7.2 | 0.26% | 2026-06-25 | 2026-06-27 |
| CVE-2026-37149 | GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement. | 7.7 | 0.24% | 2026-06-25 | 2026-06-26 |
| CVE-2026-57588 | A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data. | 1.8 | 0.16% | 2026-06-25 | 2026-06-26 |
| CVE-2026-57587 | A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data. | 2.9 | 0.34% | 2026-06-25 | 2026-06-26 |
| CVE-2026-54849 | Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions. | 9.3 | 0.23% | 2026-06-25 | 2026-06-25 |
| CVE-2026-54843 | Unauthenticated SQL Injection in MDTF <= 1.3.7 versions. | 9.3 | 0.23% | 2026-06-25 | 2026-06-25 |
| CVE-2026-54838 | Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions. | 8.5 | 0.27% | 2026-06-25 | 2026-06-25 |
| CVE-2026-54836 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5. | 9.3 | 0.23% | 2026-06-25 | 2026-06-25 |
| CVE-2026-54829 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005. | 7.5 | 0.19% | 2026-06-25 | 2026-06-25 |
| CVE-2026-54822 | Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions. | 8.5 | 0.27% | 2026-06-25 | 2026-06-25 |
| CVE-2026-12937 | The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive inform | 7.5 | 0.30% | 2026-06-25 | 2026-06-25 |
| CVE-2026-2508 | The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the 'staff_id' parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the d | 6.5 | 0.24% | 2026-06-25 | 2026-06-25 |
| CVE-2026-12079 | The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 6.5 | 0.22% | 2026-06-25 | 2026-06-25 |
| CVE-2026-12077 | The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'latitude' and 'longitude' parameters in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 7.5 | 0.27% | 2026-06-25 | 2026-06-25 |