VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 20 of 512
  • CVE-2026-33088CriApr 8, 2026
    risk 0.64cvss 9.8epss 0.00

    Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.

  • CVE-2024-36058CriApr 7, 2026
    risk 0.64cvss 9.8epss 0.00

    The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database.

  • CVE-2025-62319CriMar 16, 2026
    risk 0.64cvss 9.8epss 0.00

    Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently…

  • CVE-2026-21708CriMar 12, 2026
    risk 0.64cvss 9.9epss 0.01

    A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.

  • CVE-2025-70024CriMar 11, 2026
    risk 0.64cvss 9.8epss 0.01

    An issue pertaining to CWE-89: Improper Neutralization of Special Elements used in an SQL Command was discovered in benkeen generatedata 4.0.14.

  • CVE-2026-3843CriMar 10, 2026
    risk 0.64cvss 9.8epss 0.01

    Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter…

  • CVE-2025-11252CriFeb 27, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection. This issue affects windesk.Fm: before v2.3.4.  NOTE:  The vendor patched the vulnerability…

  • CVE-2025-11251CriFeb 27, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection. This issue affects E-Commerce Platform: through 27022026. NOTE: The vendor was contacted…

  • CVE-2026-27847CriFeb 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service.…

  • CVE-2026-24494CriFeb 23, 2026
    risk 0.64cvss 9.8epss 0.00

    SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request.

  • CVE-2025-10970CriFeb 20, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kolay Software Inc. Talentics allows Blind SQL Injection. This issue affects Talentics: through 20022026. NOTE: The vendor was contacted early about this disclosure but did…

  • CVE-2025-69633CriFeb 13, 2026
    risk 0.64cvss 9.8epss 0.00

    A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup…

  • CVE-2025-10969CriFeb 12, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection. This issue affects E-Commerce Package: through 27112025.

  • CVE-2025-6830CriFeb 9, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpoda Türkiye Information Technology Inc. Password Module allows SQL Injection. This issue affects Password Module: through 11022026.

  • CVE-2025-5329CriFeb 4, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about…

  • CVE-2025-5319CriFeb 3, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency…

  • CVE-2026-0501CriJan 13, 2026
    risk 0.64cvss 9.9epss 0.00

    Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity,…

  • CVE-2025-67147CriJan 12, 2026
    risk 0.64cvss 9.8epss 0.00

    Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and…

  • CVE-2025-10738CriDec 13, 2025
    risk 0.64cvss 9.8epss 0.00

    The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the…

  • CVE-2025-12504CriDec 9, 2025
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection. This issue affects UNIS: before 42321.