VYPR
Medium severity6.7NVD Advisory· Published Apr 14, 2026· Updated May 7, 2026

CVE-2026-32176

CVE-2026-32176

Description

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

Affected products

5
  • cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*+ 4 more
    • cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*range: >=13.0.6300.2,<13.0.6485.1
    • cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*range: >=14.0.1000.169,<14.0.2105.1
    • cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*range: >=15.0.2000.5,<15.0.2165.1
    • cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*range: >=16.0.1000.6,<16.0.1175.1
    • cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*range: >=17.0.1000.7,<17.0.1110.1

Patches

Vulnerability mechanics

References

1

News mentions

1