VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 159 of 512
  • CVE-2026-4237HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote. The…

  • CVE-2026-4236HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A security vulnerability has been detected in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=add. Such manipulation of the argument txtsearch/deptname/name leads to sql injection. The attack may be performed from…

  • CVE-2026-4235HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. This manipulation of the argument user_email causes sql injection. The attack is possible to be carried out remotely. The exploit…

  • CVE-2026-4232HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was determined in Tiandy Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /rest/user/getAuthorityByUserId. Executing a manipulation of the argument userId can lead to sql injection. The attack may be launched…

  • CVE-2026-4229HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function remove_training_data of the file src/vanna/legacy/google/bigquery_vector.py. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been…

  • CVE-2026-4223HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in itsourcecode Payroll Management System 1.0. This issue affects some unknown processing of the file /manage_employee.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly…

  • CVE-2026-4190HigMar 16, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.…

  • CVE-2026-25076HigMar 13, 2026
    risk 0.47cvss 7.3epss 0.00

    Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore…

  • CVE-2026-4014HigMar 12, 2026
    risk 0.47cvss 7.3epss 0.00

    A security flaw has been discovered in itsourcecode Cafe Reservation System 1.0. This impacts an unknown function of the file /curvus2/signup.php of the component Registration. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of…

  • CVE-2026-3981HigMar 12, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in itsourcecode Online Doctor Appointment System 1.0. Affected is an unknown function of the file /admin/doctor_action.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit…

  • CVE-2026-3980HigMar 12, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in itsourcecode Online Doctor Appointment System 1.0. This impacts an unknown function of the file /admin/patient_action.php. Such manipulation of the argument patient_id leads to sql injection. The attack may be launched remotely. The exploit has…

  • CVE-2026-3969HigMar 12, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in FeMiner wms up to 1.0. This impacts an unknown function of the file /wms-master/src/basic/depart/depart_add_bg.php of the component Basic Organizational Structure Module. Performing a manipulation of the argument Name results in sql injection. The…

  • CVE-2026-3944HigMar 11, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was determined in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /att_add.php. This manipulation of the argument Name causes sql injection. The attack may be initiated remotely. The exploit has been publicly…

  • CVE-2026-3818HigMar 9, 2026
    risk 0.47cvss 7.3epss 0.00

    A flaw has been found in Tiandy Easy7 CMS Windows 7.17.0. Impacted is an unknown function of the file /Easy7/apps/WebService/GetDBData.jsp. This manipulation of the argument strTBName causes sql injection. The attack may be initiated remotely. The exploit has been published and…

  • CVE-2026-3765HigMar 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in itsourcecode University Management System 1.0. This affects an unknown function of the file /att_single_view.php. Such manipulation of the argument dt leads to sql injection. The attack can be launched remotely. The exploit is publicly available…

  • CVE-2026-3760HigMar 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /view_result.php. Performing a manipulation of the argument seme results in sql injection. The attack is possible to be carried out remotely. The…

  • CVE-2026-3759HigMar 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A security vulnerability has been detected in projectworlds Online Art Gallery Shop 1.0. This affects an unknown part of the file /admin/adminHome.php. Such manipulation of the argument reach_nm leads to sql injection. The attack can be executed remotely. The exploit has been…

  • CVE-2026-3758HigMar 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A weakness has been identified in projectworlds Online Art Gallery Shop 1.0. Affected by this issue is some unknown functionality of the file /admin/adminHome.php. This manipulation of the argument Info causes sql injection. Remote exploitation of the attack is possible. The…

  • CVE-2026-3757HigMar 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A security flaw has been discovered in projectworlds Online Art Gallery Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /?pass=1. The manipulation of the argument fnm results in sql injection. The attack may be launched remotely. The exploit has…

  • CVE-2026-3747HigMar 8, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was identified in itsourcecode University Management System 1.0. Affected by this issue is some unknown functionality of the file /add_result.php. Such manipulation of the argument subject leads to sql injection. The attack may be launched remotely. The exploit…