VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 117 of 512
  • CVE-2017-17920HigDec 29, 2017
    risk 0.53cvss 8.1epss 0.02

    SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for…

  • CVE-2017-17919HigDec 29, 2017
    risk 0.53cvss 8.1epss 0.02

    SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for…

  • CVE-2017-17917HigDec 29, 2017
    risk 0.53cvss 8.1epss 0.02

    SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use…

  • CVE-2017-17916HigDec 29, 2017
    risk 0.53cvss 8.1epss 0.02

    SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for…

  • CVE-2015-3637HigDec 28, 2017
    risk 0.53cvss 8.1epss 0.01

    SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters.

  • CVE-2017-12276HigNov 2, 2017
    risk 0.53cvss 8.1epss 0.01

    A vulnerability in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka…

  • CVE-2017-14743HigSep 26, 2017
    risk 0.53cvss 8.1epss 0.01

    Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL injection via the Username element in an XML document to /onvif/device_service, as demonstrated by reading the admin password.

  • CVE-2016-6617HigDec 11, 2016
    risk 0.53cvss 8.1epss 0.02

    An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected.

  • CVE-2016-6611HigDec 11, 2016
    risk 0.53cvss 8.1epss 0.02

    An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17)…

  • CVE-2015-7999HigApr 14, 2016
    risk 0.53cvss 8.1epss 0.02

    Multiple SQL injection vulnerabilities in the Administration Web UI servlets in Citrix Command Center before 5.1 Build 36.7 and 5.2 before Build 44.11 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-3675HigApr 11, 2016
    risk 0.53cvss 8.1epss 0.01

    SQL injection vulnerability in Huawei Policy Center with software before V100R003C10SPC020 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to system databases.

  • CVE-2015-3947HigJan 15, 2016
    risk 0.53cvss 8.1epss 0.02

    SQL injection vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2026-46670criMay 22, 2026
    risk 0.52cvss epss 0.00

    ### Summary An unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`) allows any unauthenticated visitor of a default YesWiki install to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password`…

  • CVE-2026-41167CriApr 22, 2026
    risk 0.52cvss 9.1epss 0.01

    Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via…

  • CVE-2026-3180HigMar 2, 2026
    risk 0.52cvss 7.5epss 0.01

    The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ’cgl_mail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping…

  • CVE-2025-4764HigJan 22, 2026
    risk 0.52cvss 8.0epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026.  NOTE: The vendor was contacted…

  • CVE-2025-8264CriJul 29, 2025
    risk 0.52cvss 9.0epss 0.00

    Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and…

  • CVE-2025-24587HigJan 24, 2025
    risk 0.52cvss 7.6epss 0.32

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nks Email Subscription Popup email-subscribe allows Blind SQL Injection.This issue affects Email Subscription Popup: from n/a through <= 1.2.23.

  • CVE-2024-53900CriDec 2, 2024
    risk 0.52cvss 9.1epss 0.04

    Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

  • CVE-2024-39368HigNov 13, 2024
    risk 0.52cvss 8.0epss 0.00

    Improper neutralization of special elements used in an SQL command ('SQL Injection') in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.