CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Abstraction: Base · Status: Stable · Likelihood of Exploit: High
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 11 of 440

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-3694 | Critical | 0.67 | 9.8 | 0.01 | | Feb 15, 2017 | Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status parameter to api/easybill/easybillcsv.php. |
| CVE-2016-1000125 | Critical | 0.67 | 9.8 | 0.02 | | Oct 6, 2016 | Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla |
| CVE-2016-1000124 | Critical | 0.67 | 9.8 | 0.02 | | Oct 6, 2016 | Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6 |
| CVE-2016-1000123 | Critical | 0.67 | 9.8 | 0.06 | | Oct 6, 2016 | Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla |
| CVE-2016-0710 | High | 0.67 | 8.8 | 0.79 | | Apr 11, 2016 | Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/. |
| CVE-2015-8261 | Critical | 0.67 | 9.8 | 0.04 | | Jan 8, 2016 | The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request. |
| CVE-2008-3604 | Critical | 0.67 | 9.8 | 0.03 | | Aug 12, 2008 | SQL injection vulnerability in bannerclick.php in ZeeBuddy 2.1 allows remote attackers to execute arbitrary SQL commands via the adid parameter. |
| CVE-2006-5603 | Critical | 0.67 | 9.8 | 0.01 | | Oct 30, 2006 | SQL injection vulnerability in pop_mail.asp in Snitz Forums 2000 3.4.06 allows remote attackers to execute arbitrary SQL commands via the RC parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. |
| CVE-2024-6265 | Critical | 0.66 | 9.8 | 0.33 | | Jun 29, 2024 | The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. |
| CVE-2023-3197 | Critical | 0.66 | 9.8 | 0.32 | | Jun 24, 2023 | The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. |
| CVE-2016-8027 | Critical | 0.66 | 10.0 | 0.13 | | Mar 14, 2017 | SQL injection vulnerability in core services in Intel Security McAfee ePolicy Orchestrator (ePO) 5.3.2 and earlier and 5.1.3 and earlier allows attackers to alter a SQL query, which can result in disclosure of information within the database or impersonation of an agent without authentication via a specially crafted HTTP post. |
| CVE-2026-42287 | Critical | 0.65 | — | 0.00 | | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11. |
| CVE-2026-3325 | Critical | 0.65 | — | 0.00 | | Apr 29, 2026 | SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries. |
| CVE-2025-50567 | Critical | 0.65 | 10.0 | 0.00 | | Aug 19, 2025 | Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution. |
| CVE-2025-4285 | Critical | 0.65 | 10.0 | 0.00 | | Jul 22, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection. This issue affects Agentis: before 4.32. |
| CVE-2024-13152 | Critical | 0.65 | 10.0 | 0.00 | | Feb 14, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection. This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0. |
| CVE-2024-55971 | Critical | 0.65 | 10.0 | 0.01 | | Jan 23, 2025 | SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to run arbitrary code on the backend database server. |
| CVE-2024-54261 | Critical | 0.65 | 10.0 | 0.01 | | Dec 13, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK Digital Agency LLC TAX SERVICE Electronic HDM virtual-hdm-for-taxservice-am allows SQL Injection. This issue affects TAX SERVICE Electronic HDM: from n/a through <= 1.2.2. |
| CVE-2024-49681 | Critical | 0.65 | 9.3 | 0.51 | | Oct 24, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows SQL Injection. This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.0.9. |
| CVE-2024-40498 | Critical | 0.65 | 9.8 | 0.12 | | Aug 5, 2024 | SQL Injection vulnerability in PuneethReddyHC Online Shopping system advanced v.1.0 allows an attacker to execute arbitrary code via the register.php |