CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 107 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49491 | Hig | 0.53 | 8.2 | 0.00 | Jun 1, 2026 | Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user… | ||
| CVE-2018-25434 | Hig | 0.53 | 8.2 | 0.00 | Jun 1, 2026 | WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to… | ||
| CVE-2018-25433 | Hig | 0.53 | 8.2 | 0.00 | Jun 1, 2026 | Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted… | ||
| CVE-2018-25428 | Hig | 0.53 | 8.2 | 0.00 | Jun 1, 2026 | Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Attackers can send GET requests to the trec.php endpoint with crafted SQL payloads to… | ||
| CVE-2026-49490 | Hig | 0.53 | 8.1 | 0.00 | May 31, 2026 | OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable… | ||
| CVE-2018-25425 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid… | ||
| CVE-2018-25424 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection… | ||
| CVE-2018-25422 | — | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id… | |
| CVE-2018-25420 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive… | ||
| CVE-2018-25419 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre… | ||
| CVE-2018-25418 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter… | ||
| CVE-2018-25417 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality… | ||
| CVE-2018-25416 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country… | ||
| CVE-2018-25415 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the… | ||
| CVE-2018-25414 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor… | ||
| CVE-2018-25413 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive… | ||
| CVE-2018-25411 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the… | ||
| CVE-2018-25407 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid… | ||
| CVE-2018-25406 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid… | ||
| CVE-2018-25405 | Hig | 0.53 | 8.2 | 0.00 | May 30, 2026 | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid… |
- risk 0.53cvss 8.2epss 0.00
Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user…
- risk 0.53cvss 8.2epss 0.00
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to…
- risk 0.53cvss 8.2epss 0.00
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted…
- risk 0.53cvss 8.2epss 0.00
Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Attackers can send GET requests to the trec.php endpoint with crafted SQL payloads to…
- risk 0.53cvss 8.1epss 0.00
OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable…
- risk 0.53cvss 8.2epss 0.00
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid…
- risk 0.53cvss 8.2epss 0.00
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection…
- risk 0.53cvss 8.2epss 0.00
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor…
- risk 0.53cvss 8.2epss 0.00
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive…
- risk 0.53cvss 8.2epss 0.00
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the…
- risk 0.53cvss 8.2epss 0.00
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid…
- risk 0.53cvss 8.2epss 0.00
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid…
- risk 0.53cvss 8.2epss 0.00
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid…