CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ClassIncompleteLikelihood: High
Description
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-105 · CAPEC-108 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-14 · CAPEC-24 · CAPEC-250 · CAPEC-267 · CAPEC-273 · CAPEC-28 · CAPEC-3 · CAPEC-34 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-51 · CAPEC-52 · CAPEC-53 · CAPEC-6 · CAPEC-64 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-76 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-83 · CAPEC-84 · CAPEC-9
CVEs mapped to this weakness (2,523)
page 122 of 127| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-12294 | Med | 0.31 | 4.7 | 0.00 | Oct 27, 2025 | A security flaw has been discovered in SourceCodester Point of Sales 1.0. Impacted is an unknown function of the file /delete_category.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | |
| CVE-2025-12287 | Med | 0.31 | 4.7 | 0.00 | Oct 27, 2025 | A security vulnerability has been detected in Bdtask Wholesale Inventory Control and Inventory Management System up to 20251013. This impacts an unknown function of the file /Admin_dashboard/edit_profile. Such manipulation of the argument first_name/last_name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-12226 | Med | 0.31 | 4.7 | 0.00 | Oct 27, 2025 | A vulnerability was found in SourceCodester Best House Rental Management System 1.0. Impacted is the function save_house of the file /admin_class.php. Performing manipulation of the argument house_no results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | |
| CVE-2025-11668 | Med | 0.31 | 4.7 | 0.00 | Oct 13, 2025 | A vulnerability was determined in code-projects Automated Voting System 1.0. Affected by this issue is some unknown functionality of the file /admin/update_user.php. This manipulation of the argument Password causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | |
| CVE-2025-11664 | Med | 0.31 | 4.7 | 0.00 | Oct 13, 2025 | A security vulnerability has been detected in Campcodes Online Beauty Parlor Management System 1.0. The impacted element is an unknown function of the file /admin/search-appointment.php. Such manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |
| CVE-2025-11663 | Med | 0.31 | 4.7 | 0.00 | Oct 13, 2025 | A weakness has been identified in Campcodes Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/manage-services.php. This manipulation of the argument sername causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | |
| CVE-2025-11628 | Med | 0.31 | 4.7 | 0.00 | Oct 12, 2025 | A flaw has been found in jimit105 Project-Online-Shopping-Website up to 7d892f442bd8a96dd242dbe2b9bd5ed641e13e64. This affects an unknown function of the file /delete.php of the component Product Inventory Handler. This manipulation of the argument product_code causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-11595 | Med | 0.31 | 4.7 | 0.00 | Oct 11, 2025 | A vulnerability was found in Campcodes Online Apartment Visitor Management System 1.0. Impacted is an unknown function of the file /admin-profile.php. Performing a manipulation of the argument mobilenumber results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | |
| CVE-2025-11342 | Med | 0.31 | 4.7 | 0.00 | Oct 6, 2025 | A weakness has been identified in code-projects Online Course Registration 1.0. This impacts an unknown function of the file /admin/edit-course.php. Executing manipulation of the argument coursecode can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | |
| CVE-2025-11335 | Med | 0.31 | 4.7 | 0.00 | Oct 6, 2025 | A weakness has been identified in D-Link DI-7100G C1 up to 20250928. Affected by this vulnerability is the function sub_46409C of the file /msp_info.htm?flag=qos of the component jhttpd. This manipulation of the argument iface causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | |
| CVE-2025-11331 | Med | 0.31 | 4.7 | 0.00 | Oct 6, 2025 | A vulnerability was found in IdeaCMS up to 1.8. The impacted element is an unknown function of the file app/common/logic/admin/Config.php of the component Website Name Handler. Performing manipulation of the argument 网站名称 results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-11073 | Med | 0.31 | 4.7 | 0.00 | Sep 27, 2025 | A vulnerability was detected in Keyfactor RG-EW5100BE EW_3.0B11P280_EW5100BE-PRO_12183019. The affected element is an unknown function of the file /cgi-bin/luci/api/cmd of the component HTTP POST Request Handler. The manipulation of the argument url results in command injection. The attack can be launched remotely. The exploit is now public and may be used. | |
| CVE-2025-11071 | Med | 0.31 | 4.7 | 0.00 | Sep 27, 2025 | A security vulnerability has been detected in SeaCMS 13.3.20250820. Impacted is an unknown function of the file /admin_cron.php of the component Cron Task Management Module. The manipulation of the argument resourcefrom/collectID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | |
| CVE-2025-10662 | Med | 0.31 | 4.7 | 0.00 | Sep 18, 2025 | A vulnerability has been found in SeaCMS up to 13.3. The impacted element is an unknown function of the file /admin_members.php?ac=editsave. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This affects another injection point than CVE-2025-25513. | |
| CVE-2025-10394 | Med | 0.31 | 4.7 | 0.00 | Sep 14, 2025 | A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Affected is an unknown function of the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.java of the component Scheduled Task Module. Such manipulation leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | |
| CVE-2025-10107 | Med | 0.31 | 4.7 | 0.00 | Sep 9, 2025 | A vulnerability has been found in TRENDnet TEW-831DR 1.0 (601.130.1.1410). Impacted is an unknown function of the file /boafrm/formSysCmd. The manipulation of the argument sysHost leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-10122 | Med | 0.31 | 4.7 | 0.00 | Sep 9, 2025 | A vulnerability was found in Maccms10 2025.1000.4050. Affected is the function rep of the file application/admin/controller/Database.php. Performing manipulation of the argument where results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | |
| CVE-2025-10087 | Med | 0.31 | 4.7 | 0.00 | Sep 8, 2025 | A security vulnerability has been detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/profit_report.php. Such manipulation of the argument product_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |
| CVE-2025-6785 | Med | 0.31 | — | 0.00 | Sep 4, 2025 | Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle. Testing completed on Tesla Model 3 vehicles with software version v11.1 (2023.20.9 ee6de92ddac5). This issue affects Model 3: With software versions from 2023.Xx before 2023.44. | |
| CVE-2025-9802 | Med | 0.31 | 4.7 | 0.00 | Sep 2, 2025 | A vulnerability was detected in RemoteClinic 2.0. This vulnerability affects unknown code of the file /staff/profile.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. |