VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 114 of 512
  • CVE-2020-37083HigFeb 3, 2026
    risk 0.53cvss 8.2epss 0.00

    PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times…

  • CVE-2019-25260HigFeb 3, 2026
    risk 0.53cvss 8.2epss 0.00

    OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database…

  • CVE-2021-47909HigFeb 1, 2026
    risk 0.53cvss 8.1epss 0.00

    Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database…

  • CVE-2020-37035HigJan 30, 2026
    risk 0.53cvss 8.2epss 0.00

    e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify,…

  • CVE-2020-37033HigJan 30, 2026
    risk 0.53cvss 8.2epss 0.00

    Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to…

  • CVE-2020-37006HigJan 29, 2026
    risk 0.53cvss 8.2epss 0.00

    berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify…

  • CVE-2020-37004HigJan 29, 2026
    risk 0.53cvss 8.2epss 0.00

    The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting…

  • CVE-2020-36999HigJan 29, 2026
    risk 0.53cvss 8.2epss 0.00

    Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to…

  • CVE-2020-36945HigJan 28, 2026
    risk 0.53cvss 8.2epss 0.00

    WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '' OR '1'='1' in both username and password fields to…

  • CVE-2021-47902HigJan 27, 2026
    risk 0.53cvss 8.2epss 0.00

    Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially…

  • CVE-2020-36951HigJan 27, 2026
    risk 0.53cvss 8.2epss 0.00

    Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays,…

  • CVE-2021-47848HigJan 21, 2026
    risk 0.53cvss 8.2epss 0.00

    Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain…

  • CVE-2021-47846HigJan 21, 2026
    risk 0.53cvss 8.2epss 0.00

    Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email…

  • CVE-2021-47801HigJan 16, 2026
    risk 0.53cvss 8.2epss 0.00

    Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database…

  • CVE-2021-47782HigJan 16, 2026
    risk 0.53cvss 8.2epss 0.00

    Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/…

  • CVE-2021-47777HigJan 15, 2026
    risk 0.53cvss 8.2epss 0.00

    Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially…

  • CVE-2021-47763HigJan 15, 2026
    risk 0.53cvss 8.2epss 0.00

    Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the…

  • CVE-2023-54340HigJan 13, 2026
    risk 0.53cvss 8.2epss 0.00

    WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database…

  • CVE-2023-54333HigJan 13, 2026
    risk 0.53cvss 8.2epss 0.00

    Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and…

  • CVE-2022-50805HigJan 13, 2026
    risk 0.53cvss 8.2epss 0.00

    Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially…