A05 - Injection 33

• XXE Injection via Envelope Import Leads to Arbitrary File Read | Foldmark Jun 9, 2026
• NoSQL Injection Leads to Treasury Account Takeover | Coined Jun 7, 2026
• NoSQL Injection via Search Filter Object Leads to Hidden Rental Disclosure | SwiftSearch Hotels Jun 3, 2026
• SQL Injection in Voucher Search Leads to Executive Voucher Disclosure | Voucher Vault Jun 2, 2026
• SQL Injection via Issue Identifier Parameter | Trace Control Jun 2, 2026
• OS Command Injection via Archive Export Filename | Parchive Jun 1, 2026
• Cross-Site Scripting (XSS) – Inadequate Input Filter Bypass | Palisade May 30, 2026
• Cross-Site Scripting (XSS) – HTML Tag Breakout | Rivet & Tack May 30, 2026
• Cross-Site Scripting (XSS) – HTML Comment Breakout | Fermata May 29, 2026
• NoSQL Injection Authentication Bypass | Herbalist Remedies May 28, 2026
• Cross-Site Scripting (XSS) – Attribute Breakout | Sandpiper Stationery May 28, 2026
• Cross-Site Scripting (XSS) – Reflected Search Injection | Ember Kettle May 28, 2026
• Arbitrary File Read – image Parameter Leading to file:// Injection | Suited May 26, 2026
• SQL Injection – Full Database Extraction via UNION Attack | Versed May 24, 2026
• OS Command Injection – Remote Command Execution via Legacy CGI Endpoint | Slash & Sons May 23, 2026
• OS Command Injection in Network Diagnostics | Netcheck May 23, 2026
• SQL Injection – Secret Extraction from Internal Logs Console | Vibed May 21, 2026
• Stored XSS – Internal Endpoint Enumeration Through Comment Injection | Crate & Sleeve May 18, 2026
• SQL Injection – Authentication Bypass on Employee Portal | Gatekeeper May 18, 2026
• SQL Injection to Admin Access – Hidden Identity Exposure | The Caretaker May 17, 2026
• LDAP Injection – Hidden Registrar Archive Disclosure | Saint Croix University May 15, 2026
• Command Injection & Broken Function Level Authorization | NewsForge May 15, 2026
• Command Injection via Filename Parameter Leading to Remote Code Execution | Quotin May 14, 2026
• Server-Side Template Injection Leading to Remote Code Execution | Outbox May 12, 2026
• NoSQL Injection Authentication Bypass – Admin Panel Access | SnickerDoodle May 11, 2026
• Jinja2 SSTI to Remote Code Execution | SunnySide May 8, 2026
• SQL Injection – UNION-Based Credential Extraction via Profile API | Ottergram May 2, 2026
• SQL Injection – Database Extraction via Boolean-Based Blind Technique | Stock Check Lab May 2, 2026
• SQL Injection – Credential Extraction via UNION Attack | Search Functionality Lab May 2, 2026
• SQL Injection – Full Database Extraction via Search Function | Flower Apr 30, 2026
• Command Injection – Remote Code Execution via rollOptions Parameter | Diceforge Apr 26, 2026
• Server-Side Template Injection – Remote Code Execution & Data Exposure | Leaf Mar 29, 2026
• Server-Side Template Injection – Remote Code Execution via Twig & Bind Shell | Leaf Mar 29, 2026