VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 218 of 512
  • CVE-2017-6570HigMar 9, 2017
    risk 0.47cvss 7.2epss 0.02

    A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign-list.php with the GET Parameter: id.

  • CVE-2017-6492HigMar 5, 2017
    risk 0.47cvss 7.2epss 0.01

    SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.

  • CVE-2017-5347HigJan 12, 2017
    risk 0.47cvss 7.2epss 0.01

    SQL injection vulnerability in inc/mod/newsletter/options.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the recipient parameter to gxadmin/index.php.

  • CVE-2016-1000122HigOct 27, 2016
    risk 0.47cvss 7.2epss 0.02

    XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension

  • CVE-2016-1000120HigOct 27, 2016
    risk 0.47cvss 7.2epss 0.02

    SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla

  • CVE-2016-1000119HigOct 21, 2016
    risk 0.47cvss 7.2epss 0.02

    SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla

  • CVE-2016-1000118HigOct 21, 2016
    risk 0.47cvss 7.2epss 0.02

    XSS & SQLi in HugeIT slideshow v1.0.4

  • CVE-2016-1000117HigOct 21, 2016
    risk 0.47cvss 7.2epss 0.02

    XSS & SQLi in HugeIT slideshow v1.0.4

  • CVE-2016-1000116HigOct 21, 2016
    risk 0.47cvss 7.2epss 0.02

    Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS

  • CVE-2016-1000115HigOct 21, 2016
    risk 0.47cvss 7.2epss 0.03

    Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS

  • CVE-2016-2174HigJun 13, 2016
    risk 0.47cvss 7.2epss 0.02

    SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime.

  • CVE-2016-4040HigApr 19, 2016
    risk 0.47cvss 7.2epss 0.01

    SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2006-5738HigNov 6, 2006
    risk 0.47cvss 7.2epss 0.01

    Multiple SQL injection vulnerabilities in PunBB before 1.2.14 allow remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2019-25746HigJun 15, 2026
    risk 0.46cvss 7.1epss 0.00

    WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with…

  • CVE-2016-20063HigJun 9, 2026
    risk 0.46cvss 7.1epss 0.00

    Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the…

  • CVE-2018-25431HigJun 1, 2026
    risk 0.46cvss 7.1epss 0.00

    No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Attackers can submit POST requests to /nocms/main/manage_privilege/index/export with malicious…

  • CVE-2018-25430HigJun 1, 2026
    risk 0.46cvss 7.1epss 0.00

    Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to…

  • CVE-2018-25429HigJun 1, 2026
    risk 0.46cvss 7.1epss 0.00

    Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro…

  • CVE-2026-45545HigJun 1, 2026
    risk 0.46cvss 8.2epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long…

  • CVE-2018-25410HigMay 30, 2026
    risk 0.46cvss 7.1epss 0.00

    SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus…