Explore CVEs related to SQL Injection vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing SQL Injection CVEs published in 2018.

| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2018-20572 | WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893. | 9.8 | 1.54% | 2018-12-28 | 2026-06-16 |
| CVE-2018-20569 | user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. | 9.8 | 1.64% | 2018-12-28 | 2026-06-16 |
| CVE-2018-20568 | Administrator/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. | 9.8 | 1.64% | 2018-12-28 | 2026-06-16 |
| CVE-2018-1000890 | FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application. | 7.5 | 1.78% | 2018-12-28 | 2026-06-16 |
| CVE-2018-1000631 | Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tmx/TmxCtl/src/lib/PluginStatus.cpp and TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database. | 9.8 | 2.35% | 2018-12-28 | 2026-06-16 |
| CVE-2018-1000630 | Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to /api/PluginStatusActions.php and /status/pluginStatus.php using the jtSorting or id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. | 7.2 | 1.86% | 2018-12-28 | 2026-06-16 |
| CVE-2018-20508 | CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search() function. | 9.8 | 1.45% | 2018-12-27 | 2026-06-16 |
| CVE-2018-20480 | An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. | 9.8 | 1.14% | 2018-12-25 | 2026-06-16 |
| CVE-2018-20479 | An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. | 9.8 | 1.14% | 2018-12-25 | 2026-06-16 |
| CVE-2018-20477 | An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field. | 9.8 | 1.14% | 2018-12-25 | 2026-06-16 |
| CVE-2018-7802 | A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges. | 8.8 | 2.31% | 2018-12-24 | 2026-06-16 |
| CVE-2018-20338 | Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section. | 9.8 | 11.53% | 2018-12-21 | 2026-06-16 |
| CVE-2018-20329 | Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. | 8.1 | 1.19% | 2018-12-21 | 2026-06-16 |
| CVE-2018-18399 | SQL injection vulnerability in the "ContentPlaceHolder1_uxTitle" component in ArchiveNews.aspx in jco.ir KARMA 6.0.0 allows a remote attacker to execute arbitrary SQL commands via the "id" parameter. | 9.8 | 2.77% | 2018-12-20 | 2026-06-16 |
| CVE-2018-1000871 | HotelDruid version 2.3.0 and earlier contains a SQL Injection vulnerability in the "id_utente_mod" parameter in the gestione_utenti.php file that can allow an attacker to dump all the database records of the backend webserver. This attack appears to be exploitable by anyone via a specially crafted SQL query passed to the "id_utente_mod=1" parameter. | 9.8 | 1.62% | 2018-12-20 | 2026-06-16 |
| CVE-2018-1000869 | phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection. This attack appears to be exploitable via a rogue user exploiting the vulnerability to access information he/she does not have access to. This vulnerability appears to have been fixed in 1.4. | 9.8 | 1.79% | 2018-12-20 | 2026-06-16 |
| CVE-2018-1000867 | WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in all five yourauctions*.php scripts that can result in a database read via Blind SQL Injection. This attack appears to be exploitable via HTTP request. This vulnerability appears to have been fixed after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. | 8.8 | 1.46% | 2018-12-20 | 2026-06-16 |
| CVE-2018-20173 | Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. | 9.8 | 24.50% | 2018-12-17 | 2026-06-16 |
| CVE-2018-14623 | A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This issue is related to an incomplete fix for CVE-2016-3072. Versions 3.10 and older are vulnerable. | 4.3 | 1.43% | 2018-12-13 | 2026-06-16 |
| CVE-2018-18923 | AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php. | 9.8 | 3.21% | 2018-12-13 | 2026-06-16 |