CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 213 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-4191 | Hig | 0.47 | 7.3 | 0.01 | May 2, 2025 | A vulnerability has been found in PHPGurukul Employee Record Management System 1.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /editmyeducation.php. The manipulation of the argument coursepg/yophsc leads to sql injection.… | ||
| CVE-2025-32550 | Hig | 0.47 | 7.2 | 0.01 | Apr 9, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1. | ||
| CVE-2025-2655 | Hig | 0.47 | 7.3 | 0.01 | Mar 23, 2025 | A vulnerability was detected in SourceCodester AC Repair and Services System 1.0. The affected element is the function save_users/delete_users of the file /classes/Users.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the… | ||
| CVE-2025-2353 | Hig | 0.47 | 7.3 | 0.00 | Mar 17, 2025 | A vulnerability, which was classified as critical, was found in VAM Virtual Airlines Manager up to 2.6.2. Affected is an unknown function of the file /vam/index.php of the component HTTP GET Parameter Handler. The manipulation of the argument ID/registry_id/plane_icao leads to… | ||
| CVE-2025-2351 | Hig | 0.47 | 7.3 | 0.00 | Mar 16, 2025 | A vulnerability classified as critical was found in DayCloud StudentManage 1.0. This vulnerability affects unknown code of the file /admin/adminScoreUrl of the component Login Endpoint. The manipulation of the argument query leads to sql injection. The attack can be initiated… | ||
| CVE-2025-2118 | Hig | 0.47 | 7.3 | 0.00 | Mar 9, 2025 | A vulnerability was found in Quantico Tecnologia PRMV 6.48. It has been classified as critical. This affects an unknown part of the file /admin/login.php of the component Login Endpoint. The manipulation of the argument username leads to sql injection. It is possible to initiate… | ||
| CVE-2025-2030 | Hig | 0.47 | 7.3 | 0.00 | Mar 6, 2025 | A vulnerability was found in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform up to 20250224. It has been rated as critical. Affected by this issue is some unknown functionality of the file /security/addUser.jsp. The manipulation of the argument groupId leads to sql… | ||
| CVE-2025-1811 | Hig | 0.47 | 7.3 | 0.01 | Mar 2, 2025 | A vulnerability was found in AT Software Solutions ATSVD up to 3.4.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /login.aspx of the component Login Endpoint. The manipulation of the argument txtUsuario leads to sql… | ||
| CVE-2025-1809 | Hig | 0.47 | 7.3 | 0.01 | Mar 2, 2025 | A vulnerability was found in Pixsoft Sol up to 7.6.6c and classified as critical. This issue affects some unknown processing of the file /pix_projetos/servlet?act=login&submit=1&evento=0&pixrnd=0125021816444195731041 of the component Login Endpoint. The manipulation of the… | ||
| CVE-2025-1808 | Hig | 0.47 | 7.3 | 0.01 | Mar 2, 2025 | A vulnerability has been found in Pixsoft E-Saphira 1.7.24 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login&tipo=1 of the component Login Endpoint. The manipulation of the argument txtUsuario leads to sql injection. The attack… | ||
| CVE-2025-1535 | Hig | 0.47 | 7.3 | 0.00 | Feb 21, 2025 | A vulnerability was found in Baiyi Cloud Asset Management System 8.142.100.161. It has been classified as critical. This affects an unknown part of the file /wuser/admin.ticket.close.php. The manipulation of the argument ticket_id leads to sql injection. It is possible to… | ||
| CVE-2025-1464 | Hig | 0.47 | 7.3 | 0.00 | Feb 19, 2025 | A vulnerability, which was classified as critical, has been found in Baiyi Cloud Asset Management System up to 20250204. This issue affects some unknown processing of the file /wuser/admin.house.collect.php. The manipulation of the argument project_id leads to sql injection. The… | ||
| CVE-2025-1156 | Hig | 0.47 | 7.3 | 0.00 | Feb 10, 2025 | A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login. The manipulation of the argument usuario leads to sql injection. The attack can be initiated remotely. The exploit has… | ||
| CVE-2025-1116 | Hig | 0.47 | 7.3 | 0.00 | Feb 8, 2025 | A vulnerability, which was classified as critical, has been found in Dreamvention Live AJAX Search Free up to 1.0.6 on OpenCart. Affected by this issue is the function searchresults/search of the file /?route=extension/live_search/module/live_search.searchresults. The… | ||
| CVE-2024-57238 | Hig | 0.47 | 7.3 | 0.00 | Feb 3, 2025 | Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to SQL Injection in in the /reqproc/proc_get endpoint. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL code into the order_by parameter. | ||
| CVE-2025-0579 | Hig | 0.47 | 7.3 | 0.00 | Jan 20, 2025 | A vulnerability was found in Shiprocket Module 3/4 on OpenCart. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php?route=extension/shiprocket/module/restapi of the component REST API Module. The manipulation of the… | ||
| CVE-2024-45757 | Hig | 0.47 | 7.2 | 0.00 | Dec 3, 2024 | An issue was discovered in Centreon centreon-bam 24.04, 23.10, 23.04, and 22.10. SQL injection can occur in the user-settings form. Exploitation is only accessible to authenticated users with high-privileged access. | ||
| CVE-2024-45756 | Hig | 0.47 | 7.2 | 0.00 | Nov 25, 2024 | An issue was discovered in Centreon centreon-open-tickets 24.10.x before 24.10.0, 24.04.x before 24.04.2, 23.10.x before 23.10.1, 23.04.x before 23.04.3, and 22.10.x before 22.10.2. SQL injection can occur in the form to create a ticket. Exploitation is only accessible to… | ||
| CVE-2024-9887 | Hig | 0.47 | 7.2 | 0.00 | Nov 16, 2024 | The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient… | ||
| CVE-2024-45794 | — | Hig | 0.47 | 8.3 | 0.01 | Nov 7, 2024 | devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue… |
- risk 0.47cvss 7.3epss 0.01
A vulnerability has been found in PHPGurukul Employee Record Management System 1.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /editmyeducation.php. The manipulation of the argument coursepg/yophsc leads to sql injection.…
- risk 0.47cvss 7.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
- risk 0.47cvss 7.3epss 0.01
A vulnerability was detected in SourceCodester AC Repair and Services System 1.0. The affected element is the function save_users/delete_users of the file /classes/Users.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the…
- risk 0.47cvss 7.3epss 0.00
A vulnerability, which was classified as critical, was found in VAM Virtual Airlines Manager up to 2.6.2. Affected is an unknown function of the file /vam/index.php of the component HTTP GET Parameter Handler. The manipulation of the argument ID/registry_id/plane_icao leads to…
- risk 0.47cvss 7.3epss 0.00
A vulnerability classified as critical was found in DayCloud StudentManage 1.0. This vulnerability affects unknown code of the file /admin/adminScoreUrl of the component Login Endpoint. The manipulation of the argument query leads to sql injection. The attack can be initiated…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in Quantico Tecnologia PRMV 6.48. It has been classified as critical. This affects an unknown part of the file /admin/login.php of the component Login Endpoint. The manipulation of the argument username leads to sql injection. It is possible to initiate…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform up to 20250224. It has been rated as critical. Affected by this issue is some unknown functionality of the file /security/addUser.jsp. The manipulation of the argument groupId leads to sql…
- risk 0.47cvss 7.3epss 0.01
A vulnerability was found in AT Software Solutions ATSVD up to 3.4.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /login.aspx of the component Login Endpoint. The manipulation of the argument txtUsuario leads to sql…
- risk 0.47cvss 7.3epss 0.01
A vulnerability was found in Pixsoft Sol up to 7.6.6c and classified as critical. This issue affects some unknown processing of the file /pix_projetos/servlet?act=login&submit=1&evento=0&pixrnd=0125021816444195731041 of the component Login Endpoint. The manipulation of the…
- risk 0.47cvss 7.3epss 0.01
A vulnerability has been found in Pixsoft E-Saphira 1.7.24 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login&tipo=1 of the component Login Endpoint. The manipulation of the argument txtUsuario leads to sql injection. The attack…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in Baiyi Cloud Asset Management System 8.142.100.161. It has been classified as critical. This affects an unknown part of the file /wuser/admin.ticket.close.php. The manipulation of the argument ticket_id leads to sql injection. It is possible to…
- risk 0.47cvss 7.3epss 0.00
A vulnerability, which was classified as critical, has been found in Baiyi Cloud Asset Management System up to 20250204. This issue affects some unknown processing of the file /wuser/admin.house.collect.php. The manipulation of the argument project_id leads to sql injection. The…
- risk 0.47cvss 7.3epss 0.00
A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login. The manipulation of the argument usuario leads to sql injection. The attack can be initiated remotely. The exploit has…
- risk 0.47cvss 7.3epss 0.00
A vulnerability, which was classified as critical, has been found in Dreamvention Live AJAX Search Free up to 1.0.6 on OpenCart. Affected by this issue is the function searchresults/search of the file /?route=extension/live_search/module/live_search.searchresults. The…
- risk 0.47cvss 7.3epss 0.00
Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to SQL Injection in in the /reqproc/proc_get endpoint. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL code into the order_by parameter.
- risk 0.47cvss 7.3epss 0.00
A vulnerability was found in Shiprocket Module 3/4 on OpenCart. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php?route=extension/shiprocket/module/restapi of the component REST API Module. The manipulation of the…
- risk 0.47cvss 7.2epss 0.00
An issue was discovered in Centreon centreon-bam 24.04, 23.10, 23.04, and 22.10. SQL injection can occur in the user-settings form. Exploitation is only accessible to authenticated users with high-privileged access.
- risk 0.47cvss 7.2epss 0.00
An issue was discovered in Centreon centreon-open-tickets 24.10.x before 24.10.0, 24.04.x before 24.04.2, 23.10.x before 23.10.1, 23.04.x before 23.04.3, and 22.10.x before 22.10.2. SQL injection can occur in the form to create a ticket. Exploitation is only accessible to…
- risk 0.47cvss 7.2epss 0.00
The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient…
- risk 0.47cvss 8.3epss 0.01
devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue…