CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ClassIncompleteLikelihood: High

Description

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Hierarchy (View 1000)

Parents

CWE-707

Children

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-105 · CAPEC-108 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-14 · CAPEC-24 · CAPEC-250 · CAPEC-267 · CAPEC-273 · CAPEC-28 · CAPEC-3 · CAPEC-34 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-51 · CAPEC-52 · CAPEC-53 · CAPEC-6 · CAPEC-64 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-76 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-83 · CAPEC-84 · CAPEC-9

CVEs mapped to this weakness (2,531)

page 34 of 127

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2025-12308	Code Projects Social Networking Site	Hig	0.47	7.3	Oct 27, 2025	A security flaw has been discovered in code-projects Nero Social Networking Site 1.0. Affected by this issue is some unknown functionality of the file /deletemessage.php. Performing manipulation of the argument message_id results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
CVE-2025-12307	Code Projects Social Networking Site	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was identified in code-projects Nero Social Networking Site 1.0. Affected by this vulnerability is an unknown functionality of the file /addfriend.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
CVE-2025-12306	Code Projects Social Networking Site	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was determined in code-projects Nero Social Networking Site 1.0. Affected is an unknown function of the file /acceptoffres.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-12293	Janobe Point Of Sales	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was identified in SourceCodester Point of Sales 1.0. This issue affects some unknown processing of the file /category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2025-12292	Janobe Point Of Sales	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was determined in SourceCodester Point of Sales 1.0. This vulnerability affects unknown code of the file /index.php. This manipulation of the argument Username causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-12277	DaoYunXinShang Reports	Hig	0.47	7.3	Oct 27, 2025	A flaw has been found in Abdullah-Hasan-Sajjad Online-School up to f09dda77b4c29aa083ff57f4b1eb991b98b68883. This affects an unknown part of the file /studentLogin.php. This manipulation of the argument Email causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12257	Oretnom23 Online Student Result System	Hig	0.47	7.3	Oct 27, 2025	A security vulnerability has been detected in SourceCodester Online Student Result System 1.0. This issue affects some unknown processing of the file /view_result.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-12253	Amttgroup Hibos	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/portal/get_expiredtime.php. This manipulation of the argument uid causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12248	CLTPHP CLTPHP	Hig	0.47	7.3	Oct 27, 2025	A security vulnerability has been detected in CLTPHP 3.0. The affected element is an unknown function of the file /home/search.html. Such manipulation of the argument keyword leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVE-2025-12237	Projectworlds Advanced Library Management System	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was identified in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /index.php. Such manipulation of the argument keywords leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
CVE-2025-12215	Projectworlds Online Shopping System	Hig	0.47	7.3	Oct 27, 2025	A flaw has been found in projectworlds Online Shopping System 1.0. Impacted is an unknown function of the file /login_submit.php. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
CVE-2025-12208	Mayurik Best House Rental Management System	Hig	0.47	7.3	Oct 27, 2025	A vulnerability was found in SourceCodester Best House Rental Management System 1.0. This impacts the function login2 of the file /admin_class.php. Performing manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVE-2025-11736	Angeljudesuarez Online Examination System	Hig	0.47	7.3	Oct 14, 2025	A flaw has been found in itsourcecode Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /index.php. This manipulation of the argument Username causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
CVE-2025-11662	Mayurik Best Salon Management System	Hig	0.47	7.3	Oct 13, 2025	A security flaw has been discovered in SourceCodester Best Salon Management System 1.0. Impacted is an unknown function of the file /booking.php. The manipulation of the argument serv_id results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
CVE-2025-11654	Mhszed Report	Hig	0.47	7.3	Oct 13, 2025	A vulnerability was identified in yousaf530 Inferno Online Clothing Store up to 827dd42bfbe380e8de76fdc67958c24cf1246208. The affected element is an unknown function of the file /log.php. Such manipulation of the argument cemail/password leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-11615	Mayurik Best Salon Management System	Hig	0.47	7.3	Oct 11, 2025	A security flaw has been discovered in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/add_invoice.php. Performing manipulation of the argument ServiceId results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
CVE-2025-11614	Mayurik Best Salon Management System	Hig	0.47	7.3	Oct 11, 2025	A vulnerability was identified in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /panel/edit-appointment.php. Such manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
CVE-2025-11608	Oretnom23 Banking System	Hig	0.47	7.3	Oct 11, 2025	A security vulnerability has been detected in code-projects E-Banking System 1.0. This affects an unknown function of the file /register.php of the component POST Parameter Handler. The manipulation of the argument username/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-11604	Projectworlds Online Food Ordering System	Hig	0.47	7.3	Oct 11, 2025	A vulnerability was determined in projectworlds Online Ordering Food System 1.0. This issue affects some unknown processing of the file /all-orders.php. This manipulation of the argument Status causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
CVE-2025-11601	Oretnom23 Online Student Result System	Hig	0.47	7.3	Oct 11, 2025	A vulnerability was detected in SourceCodester Online Student Result System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing manipulation of the argument Username results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.

CVE-2025-12308HigOct 27, 2025
Code Projects
Social Networking Site
risk 0.47cvss 7.3epss 0.00
A security flaw has been discovered in code-projects Nero Social Networking Site 1.0. Affected by this issue is some unknown functionality of the file /deletemessage.php. Performing manipulation of the argument message_id results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
CVE-2025-12307HigOct 27, 2025
Code Projects
Social Networking Site
risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in code-projects Nero Social Networking Site 1.0. Affected by this vulnerability is an unknown functionality of the file /addfriend.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
CVE-2025-12306HigOct 27, 2025
Code Projects
Social Networking Site
risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in code-projects Nero Social Networking Site 1.0. Affected is an unknown function of the file /acceptoffres.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-12293HigOct 27, 2025
Janobe
Point Of Sales
risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in SourceCodester Point of Sales 1.0. This issue affects some unknown processing of the file /category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2025-12292HigOct 27, 2025
Janobe
Point Of Sales
risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in SourceCodester Point of Sales 1.0. This vulnerability affects unknown code of the file /index.php. This manipulation of the argument Username causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-12277HigOct 27, 2025
DaoYunXinShang
Reports
risk 0.47cvss 7.3epss 0.00
A flaw has been found in Abdullah-Hasan-Sajjad Online-School up to f09dda77b4c29aa083ff57f4b1eb991b98b68883. This affects an unknown part of the file /studentLogin.php. This manipulation of the argument Email causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12257HigOct 27, 2025
Oretnom23
Online Student Result System
risk 0.47cvss 7.3epss 0.00
A security vulnerability has been detected in SourceCodester Online Student Result System 1.0. This issue affects some unknown processing of the file /view_result.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-12253HigOct 27, 2025
Amttgroup
Hibos
risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/portal/get_expiredtime.php. This manipulation of the argument uid causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12248HigOct 27, 2025
CLTPHP
CLTPHP
risk 0.47cvss 7.3epss 0.00
A security vulnerability has been detected in CLTPHP 3.0. The affected element is an unknown function of the file /home/search.html. Such manipulation of the argument keyword leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVE-2025-12237HigOct 27, 2025
Projectworlds
Advanced Library Management System
risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /index.php. Such manipulation of the argument keywords leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
CVE-2025-12215HigOct 27, 2025
Projectworlds
Online Shopping System
risk 0.47cvss 7.3epss 0.00
A flaw has been found in projectworlds Online Shopping System 1.0. Impacted is an unknown function of the file /login_submit.php. Executing a manipulation of the argument keywords can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
CVE-2025-12208HigOct 27, 2025
Mayurik
Best House Rental Management System
risk 0.47cvss 7.3epss 0.00
A vulnerability was found in SourceCodester Best House Rental Management System 1.0. This impacts the function login2 of the file /admin_class.php. Performing manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
CVE-2025-11736HigOct 14, 2025
Angeljudesuarez
Online Examination System
risk 0.47cvss 7.3epss 0.00
A flaw has been found in itsourcecode Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /index.php. This manipulation of the argument Username causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
CVE-2025-11662HigOct 13, 2025
Mayurik
Best Salon Management System
risk 0.47cvss 7.3epss 0.00
A security flaw has been discovered in SourceCodester Best Salon Management System 1.0. Impacted is an unknown function of the file /booking.php. The manipulation of the argument serv_id results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
CVE-2025-11654HigOct 13, 2025
Mhszed
Report
risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in yousaf530 Inferno Online Clothing Store up to 827dd42bfbe380e8de76fdc67958c24cf1246208. The affected element is an unknown function of the file /log.php. Such manipulation of the argument cemail/password leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-11615HigOct 11, 2025
Mayurik
Best Salon Management System
risk 0.47cvss 7.3epss 0.00
A security flaw has been discovered in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/add_invoice.php. Performing manipulation of the argument ServiceId results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
CVE-2025-11614HigOct 11, 2025
Mayurik
Best Salon Management System
risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /panel/edit-appointment.php. Such manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
CVE-2025-11608HigOct 11, 2025
Oretnom23
Banking System
risk 0.47cvss 7.3epss 0.00
A security vulnerability has been detected in code-projects E-Banking System 1.0. This affects an unknown function of the file /register.php of the component POST Parameter Handler. The manipulation of the argument username/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
CVE-2025-11604HigOct 11, 2025
Projectworlds
Online Food Ordering System
risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in projectworlds Online Ordering Food System 1.0. This issue affects some unknown processing of the file /all-orders.php. This manipulation of the argument Status causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
CVE-2025-11601HigOct 11, 2025
Oretnom23
Online Student Result System
risk 0.47cvss 7.3epss 0.00
A vulnerability was detected in SourceCodester Online Student Result System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing manipulation of the argument Username results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.