VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 146 of 512
  • CVE-2026-31917HigMar 13, 2026
    risk 0.48cvss 8.5epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection.This issue affects WP ERP: from n/a through <= 1.16.10.

  • CVE-2025-10811HigSep 22, 2025
    risk 0.48cvss 7.3epss 0.01

    A flaw has been found in code-projects Hostel Management System 1.0. This affects an unknown function of the file /justines/admin/mod_comments/index.php?view=view. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The…

  • CVE-2025-10810HigSep 22, 2025
    risk 0.48cvss 7.3epss 0.01

    A vulnerability was detected in Campcodes Online Learning Management System 1.0. The impacted element is an unknown function of the file /admin/edit_user.php. Performing manipulation of the argument firstname results in sql injection. The attack is possible to be carried out…

  • CVE-2025-10090HigSep 8, 2025
    risk 0.48cvss 7.3epss 0.02

    A flaw has been found in Jinher OA up to 1.2. The impacted element is an unknown function of the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been…

  • CVE-2025-9744HigAug 31, 2025
    risk 0.48cvss 7.3epss 0.02

    A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The…

  • CVE-2025-8329HigJul 30, 2025
    risk 0.48cvss 7.3epss 0.01

    A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. This affects an unknown part of the file /filter3.php. The manipulation of the argument company leads to sql injection. It is possible to initiate the attack remotely. The…

  • CVE-2025-7160HigJul 8, 2025
    risk 0.48cvss 7.3epss 0.02

    A vulnerability classified as critical has been found in PHPGurukul Zoo Management System 2.1. This affects an unknown part of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit…

  • CVE-2025-6403HigJun 21, 2025
    risk 0.48cvss 7.3epss 0.02

    A vulnerability was found in code-projects School Fees Payment System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /student.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The…

  • CVE-2024-48040HigOct 11, 2024
    risk 0.48cvss 8.5epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows SQL Injection.This issue affects Tainacan: from n/a through <= 0.21.8.

  • CVE-2024-7219HigJul 30, 2024
    risk 0.48cvss 7.3epss 0.01

    A vulnerability has been found in SourceCodester/Campcodes School Log Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login. The manipulation of the argument Username leads to sql injection. It is possible to…

  • CVE-2024-36683HigJun 24, 2024
    risk 0.48cvss 7.3epss 0.01

    SQL injection vulnerability in the module "Products Alert" (productsalert) before 1.7.4 from Smart Modules for PrestaShop allows attackers to obtain sensitive information and cause other impacts via the ProductsAlertAjaxProcessModuleFrontController::initContent method.

  • CVE-2024-34412HigMay 6, 2024
    risk 0.48cvss 8.5epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Parcel Panel ParcelPanel.This issue affects ParcelPanel: from n/a through 3.8.1.

  • CVE-2021-43822HigDec 13, 2021
    risk 0.48cvss 8.5epss 0.01

    Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If…

  • CVE-2019-15658HigAug 26, 2019
    risk 0.48cvss 7.3epss 0.01

    connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data.

  • CVE-2016-9048HigSep 10, 2018
    risk 0.48cvss 7.4epss 0.01

    Multiple exploitable SQL Injection vulnerabilities exists in ProcessMaker Enterprise Core 3.0.1.7-community. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this…

  • CVE-2018-8914HigMay 10, 2018
    risk 0.48cvss 7.3epss 0.01

    SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.

  • CVE-2017-5151HigFeb 13, 2017
    risk 0.48cvss 7.3epss 0.02

    An issue was discovered in VideoInsight Web Client Version 6.3.5.11 and previous versions. A SQL Injection vulnerability has been identified, which may allow remote code execution.

  • CVE-2016-6453HigNov 3, 2016
    risk 0.48cvss 7.3epss 0.01

    A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary SQL commands on the database. More Information: CSCva46542. Known Affected Releases: 1.3(0.876).

  • CVE-2016-2299HigApr 22, 2016
    risk 0.48cvss 7.3epss 0.01

    SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2015-8769HigJan 12, 2016
    risk 0.48cvss 7.3epss 0.01

    SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors.