Explore CVEs related to SQL Injection vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing SQL Injection CVEs published in 2018.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2018-20061 | A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This i | 7.5 | 1.43% | 2018-12-11 | 2026-06-16 |
| CVE-2018-20018 | S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. | 7.5 | 1.21% | 2018-12-10 | 2026-06-16 |
| CVE-2018-7065 | An authenticated SQL injection vulnerability in Aruba ClearPass Policy Manager can lead to privilege escalation. All versions of ClearPass are affected by multiple authenticated SQL injection vulnerabilities. In each case, an authenticated administrative user of any type could exploit this vulnerability to gain access to "appadmin" credentials, leading to complete cluster compromise. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix. | 7.2 | 0.91% | 2018-12-07 | 2026-06-16 |
| CVE-2018-19925 | An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter. | 9.8 | 1.14% | 2018-12-06 | 2026-06-16 |
| CVE-2018-19898 | ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action. | 8.8 | 1.39% | 2018-12-05 | 2026-06-16 |
| CVE-2018-19897 | ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action. | 7.2 | 1.33% | 2018-12-05 | 2026-06-16 |
| CVE-2018-19896 | ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action. | 7.2 | 1.33% | 2018-12-05 | 2026-06-16 |
| CVE-2018-19895 | ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action. | 7.2 | 1.33% | 2018-12-05 | 2026-06-16 |
| CVE-2018-19894 | ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action. | 7.2 | 1.33% | 2018-12-05 | 2026-06-16 |
| CVE-2018-19893 | SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string. | 9.8 | 1.14% | 2018-12-05 | 2026-06-16 |
| CVE-2018-1002000 | There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. | 7.2 | 4.35% | 2018-12-03 | 2026-06-16 |
| CVE-2018-18619 | internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the sqli attack via a URL in the "page" parameter. NOTE: The product is discontinued. | 9.8 | 4.18% | 2018-11-29 | 2026-06-16 |
| CVE-2018-15441 | A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM da | 9.4 | 3.65% | 2018-11-28 | 2026-06-16 |
| CVE-2018-13350 | SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter. | 9.8 | 16.66% | 2018-11-27 | 2026-06-16 |
| CVE-2018-18982 | In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution. | 8.8 | 60.79% | 2018-11-27 | 2026-06-16 |
| CVE-2018-19559 | CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter. | 9.8 | 1.04% | 2018-11-26 | 2026-06-16 |
| CVE-2018-19558 | An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php. | 9.8 | 1.14% | 2018-11-26 | 2026-06-16 |
| CVE-2018-19557 | An issue was discovered in arcms through 2018-03-19. No authentication is required for index/main, user/useradd, or img/images. | 9.8 | 1.46% | 2018-11-26 | 2026-06-16 |
| CVE-2018-19553 | Interspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php. | 8.8 | 0.98% | 2018-11-26 | 2026-06-16 |
| CVE-2018-19552 | Interspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php. | 8.8 | 0.98% | 2018-11-26 | 2026-06-16 |