VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
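The two failure modes the description names, input being parsed as SQL syntax instead of data and "incorrect" neutralization that merely breaks the query, are easiest to see side by side in code. The following is an added example written for this page, not code from CWE or from any product in the CVE list below. It uses Python's built-in sqlite3 module and a constructed in-memory users table (the table, accounts and the hypothetical login_vulnerable / login_safe / list_users_sorted functions are assumptions for illustration). The vulnerable login splices request values into the SQL string, which is the pattern behind the username-parameter authentication bypasses listed further down; the safe version binds the same values as parameters, and the last function shows the allow-list approach needed for identifiers such as sort columns, which cannot be bound.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for this example (not from any real product).
    Plaintext passwords are used only to keep the injection demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[tuple]:
    """CWE-89: the request values are spliced into the SQL text, so a quote or
    comment sequence inside them is parsed as SQL syntax rather than as data.
    A benign value containing an apostrophe (O'Brien) breaks the statement;
    a crafted one (admin'--) truncates the password check entirely."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[tuple]:
    """Parameterized statement: the SQL text is fixed when it is prepared and the
    values are bound separately, so they can never alter the statement's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Identifiers (column or table names) cannot be bound as parameters, so a
# user-chosen sort column must be mapped through an allow-list, never interpolated raw.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn: sqlite3.Connection, order_by: str) -> list:
    """Only a value from the fixed allow-list ever reaches the SQL text."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {order_by}")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "admin'--"  # closes the string literal, then comments out the password check
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # ('admin', 'admin')
    print("safe:      ", login_safe(db, payload, "wrong"))        # None
    print("safe, real:", login_safe(db, "alice", "hunter2"))      # ('alice', 'user')
    print("sorted:    ", list_users_sorted(db, "username"))       # ['admin', 'alice']
```

Running the block shows the vulnerable login returning the admin row for a wrong password, while the parameterized version rejects the same payload and still authenticates a real credential. Escaping quotes by hand is the "incorrectly neutralizes" branch of the description: it is easy to miss a dialect-specific case, whereas binding parameters removes the problem structurally; the allow-list is the fallback for the parts of a statement (identifiers, keywords) that no driver lets you bind.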

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 19 of 512
  • CVE-2025-50229 · Critical · Apr 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Jizhicms v2.5.4 is vulnerable to SQL injection in the product editing module.

  • CVE-2026-41460 · Critical · Apr 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can…

  • CVE-2026-6887 · Critical · Apr 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

  • CVE-2026-5964 · Critical · Apr 20, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

  • CVE-2026-5963 · Critical · Apr 20, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

  • CVE-2026-37749 · Critical · Apr 17, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A SQL injection vulnerability in CodeAstro Simple Attendance Management System v1.0 allows remote unauthenticated attackers to bypass authentication via the username parameter in index.php.

  • CVE-2025-15625 · Critical · Apr 17, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.

  • CVE-2026-37345 · Critical · Apr 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.

  • CVE-2026-37340 · Critical · Apr 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php.

  • CVE-2026-37339 · Critical · Apr 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php.

  • CVE-2025-65135 · Critical · Apr 14, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.

  • CVE-2025-65133 · Critical · Apr 14, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database…

  • CVE-2025-63939 · Critical · Apr 14, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.

  • CVE-2026-27681 · Critical · Apr 14, 2026
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and…

  • CVE-2026-36236 · Critical · Apr 10, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.

  • CVE-2026-36235 · Critical · Apr 10, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or…

  • CVE-2026-36234 · Critical · Apr 10, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' parameter.

  • CVE-2026-36233 · Critical · Apr 10, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without…

  • CVE-2026-36232 · Critical · Apr 10, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization…

  • CVE-2026-29861 · Critical · Apr 10, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.