CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,799)

page 18 of 440

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-6169	Cri	0.64	9.8	0.00	Jun 16, 2025	The WIMP website co-construction management platform from HAMASTAR Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2023-49641	Cri	0.64	9.8	0.00	May 13, 2025	Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the loginCheck.php resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2025-4559	Cri	0.64	9.8	0.00	May 12, 2025	The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-25403	Cri	0.64	9.8	0.00	Apr 29, 2025	Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php.
CVE-2025-43949	Cri	0.64	9.8	0.00	Apr 22, 2025	MuM (aka Mensch und Maschine) MapEdit (aka mapedit-web) 24.2.3 is vulnerable to SQL Injection that allows an attacker to execute malicious SQL statements that control a web application's database server.
CVE-2025-29085	Cri	0.64	9.8	0.06	Apr 2, 2025	SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.
CVE-2025-3011	Cri	0.64	9.8	0.01	Mar 31, 2025	SOOP-CLM from PiExtract has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2024-42533	Cri	0.64	9.8	0.01	Mar 25, 2025	SQL injection vulnerability in the authentication module in Convivance StandVoice 4.5 through 6.2 allows remote attackers to execute arbitrary code via the GEST_LOGIN parameter.
CVE-2024-12016	Cri	0.64	9.8	0.00	Mar 20, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection.This issue affects CM News: through 6.0. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2024-12144	Cri	0.64	9.8	0.00	Mar 6, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Finder Fire Safety Finder ERP/CRM (Old System) allows SQL Injection.This issue affects Finder ERP/CRM (Old System): before 18.12.2024.
CVE-2024-13147	Cri	0.64	9.8	0.00	Mar 5, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel allows SQL Injection.This issue affects B2B Login Panel: before 15.01.2025.
CVE-2024-12097	Cri	0.64	9.8	0.00	Mar 5, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allows SQL Injection.This issue affects E-Travel: before 15.12.2024.
CVE-2024-13148	Cri	0.64	9.8	0.00	Feb 27, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yukseloglu Filter B2B Login Platform allows SQL Injection.This issue affects B2B Login Platform: before 16.01.2025.
CVE-2025-1751	Cri	0.64	9.8	0.00	Feb 27, 2025	A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.
CVE-2024-53544	Cri	0.64	9.8	0.00	Feb 24, 2025	NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in the smarttimeplus/MySQLConnection endpoint.
CVE-2024-54820	Cri	0.64	9.8	0.02	Feb 24, 2025	XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. This vulnerability allows attackers to extract all usernames and passwords via a crafted input.
CVE-2024-55460	Cri	0.64	9.8	0.00	Feb 18, 2025	A time-based SQL injection vulnerability in the login page of BoardRoom Limited Dividend Distribution Tax Election System Version v2.0 allows attackers to execute arbitrary code via a crafted input.
CVE-2025-0929	Cri	0.64	9.8	0.01	Jan 31, 2025	SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
CVE-2023-37777	Cri	0.64	9.8	0.00	Jan 22, 2025	A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands.
CVE-2025-0455	Cri	0.64	9.8	0.02	Jan 16, 2025	The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

CVE-2025-6169CriJun 16, 2025
risk 0.64cvss 9.8epss 0.00
The WIMP website co-construction management platform from HAMASTAR Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2023-49641CriMay 13, 2025
risk 0.64cvss 9.8epss 0.00
Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the loginCheck.php resource does not validate the characters received and they are sent unfiltered to the database.
CVE-2025-4559CriMay 12, 2025
risk 0.64cvss 9.8epss 0.00
The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2025-25403CriApr 29, 2025
risk 0.64cvss 9.8epss 0.00
Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php.
CVE-2025-43949CriApr 22, 2025
risk 0.64cvss 9.8epss 0.00
MuM (aka Mensch und Maschine) MapEdit (aka mapedit-web) 24.2.3 is vulnerable to SQL Injection that allows an attacker to execute malicious SQL statements that control a web application's database server.
CVE-2025-29085CriApr 2, 2025
risk 0.64cvss 9.8epss 0.06
SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.
CVE-2025-3011CriMar 31, 2025
risk 0.64cvss 9.8epss 0.01
SOOP-CLM from PiExtract has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVE-2024-42533CriMar 25, 2025
risk 0.64cvss 9.8epss 0.01
SQL injection vulnerability in the authentication module in Convivance StandVoice 4.5 through 6.2 allows remote attackers to execute arbitrary code via the GEST_LOGIN parameter.
CVE-2024-12016CriMar 20, 2025
risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection.This issue affects CM News: through 6.0. NOTE: The vendor was contacted and it was learned that the product is not supported.
CVE-2024-12144CriMar 6, 2025
risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Finder Fire Safety Finder ERP/CRM (Old System) allows SQL Injection.This issue affects Finder ERP/CRM (Old System): before 18.12.2024.
CVE-2024-13147CriMar 5, 2025
risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel allows SQL Injection.This issue affects B2B Login Panel: before 15.01.2025.
CVE-2024-12097CriMar 5, 2025
risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allows SQL Injection.This issue affects E-Travel: before 15.12.2024.
CVE-2024-13148CriFeb 27, 2025
risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yukseloglu Filter B2B Login Platform allows SQL Injection.This issue affects B2B Login Platform: before 16.01.2025.
CVE-2025-1751CriFeb 27, 2025
risk 0.64cvss 9.8epss 0.00
A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.
CVE-2024-53544CriFeb 24, 2025
risk 0.64cvss 9.8epss 0.00
NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in the smarttimeplus/MySQLConnection endpoint.
CVE-2024-54820CriFeb 24, 2025
risk 0.64cvss 9.8epss 0.02
XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. This vulnerability allows attackers to extract all usernames and passwords via a crafted input.
CVE-2024-55460CriFeb 18, 2025
risk 0.64cvss 9.8epss 0.00
A time-based SQL injection vulnerability in the login page of BoardRoom Limited Dividend Distribution Tax Election System Version v2.0 allows attackers to execute arbitrary code via a crafted input.
CVE-2025-0929CriJan 31, 2025
risk 0.64cvss 9.8epss 0.01
SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
CVE-2023-37777CriJan 22, 2025
risk 0.64cvss 9.8epss 0.00
A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands.
CVE-2025-0455CriJan 16, 2025
risk 0.64cvss 9.8epss 0.02
The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.