CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 218 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-6570 | Hig | 0.47 | 7.2 | 0.02 | Mar 9, 2017 | A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign-list.php with the GET Parameter: id. | ||
| CVE-2017-6492 | Hig | 0.47 | 7.2 | 0.01 | Mar 5, 2017 | SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization. | ||
| CVE-2017-5347 | Hig | 0.47 | 7.2 | 0.01 | Jan 12, 2017 | SQL injection vulnerability in inc/mod/newsletter/options.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the recipient parameter to gxadmin/index.php. | ||
| CVE-2016-1000122 | Hig | 0.47 | 7.2 | 0.02 | Oct 27, 2016 | XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension | ||
| CVE-2016-1000120 | Hig | 0.47 | 7.2 | 0.02 | Oct 27, 2016 | SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla | ||
| CVE-2016-1000119 | Hig | 0.47 | 7.2 | 0.02 | Oct 21, 2016 | SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla | ||
| CVE-2016-1000118 | Hig | 0.47 | 7.2 | 0.02 | Oct 21, 2016 | XSS & SQLi in HugeIT slideshow v1.0.4 | ||
| CVE-2016-1000117 | Hig | 0.47 | 7.2 | 0.02 | Oct 21, 2016 | XSS & SQLi in HugeIT slideshow v1.0.4 | ||
| CVE-2016-1000116 | Hig | 0.47 | 7.2 | 0.02 | Oct 21, 2016 | Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS | ||
| CVE-2016-1000115 | Hig | 0.47 | 7.2 | 0.03 | Oct 21, 2016 | Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS | ||
| CVE-2016-2174 | Hig | 0.47 | 7.2 | 0.02 | Jun 13, 2016 | SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime. | ||
| CVE-2016-4040 | Hig | 0.47 | 7.2 | 0.01 | Apr 19, 2016 | SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2006-5738 | Hig | 0.47 | 7.2 | 0.01 | Nov 6, 2006 | Multiple SQL injection vulnerabilities in PunBB before 1.2.14 allow remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2019-25746 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with… | ||
| CVE-2016-20063 | Hig | 0.46 | 7.1 | 0.00 | Jun 9, 2026 | Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the… | ||
| CVE-2018-25431 | Hig | 0.46 | 7.1 | 0.00 | Jun 1, 2026 | No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Attackers can submit POST requests to /nocms/main/manage_privilege/index/export with malicious… | ||
| CVE-2018-25430 | Hig | 0.46 | 7.1 | 0.00 | Jun 1, 2026 | Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to… | ||
| CVE-2018-25429 | Hig | 0.46 | 7.1 | 0.00 | Jun 1, 2026 | Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro… | ||
| CVE-2026-45545 | Hig | 0.46 | 8.2 | 0.00 | Jun 1, 2026 | Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long… | ||
| CVE-2018-25410 | Hig | 0.46 | 7.1 | 0.00 | May 30, 2026 | SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus… |
- risk 0.47cvss 7.2epss 0.02
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign-list.php with the GET Parameter: id.
- risk 0.47cvss 7.2epss 0.01
SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.
- risk 0.47cvss 7.2epss 0.01
SQL injection vulnerability in inc/mod/newsletter/options.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the recipient parameter to gxadmin/index.php.
- risk 0.47cvss 7.2epss 0.02
XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
- risk 0.47cvss 7.2epss 0.02
SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla
- risk 0.47cvss 7.2epss 0.02
SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla
- risk 0.47cvss 7.2epss 0.02
XSS & SQLi in HugeIT slideshow v1.0.4
- risk 0.47cvss 7.2epss 0.02
XSS & SQLi in HugeIT slideshow v1.0.4
- risk 0.47cvss 7.2epss 0.02
Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS
- risk 0.47cvss 7.2epss 0.03
Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS
- risk 0.47cvss 7.2epss 0.02
SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime.
- risk 0.47cvss 7.2epss 0.01
SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
- risk 0.47cvss 7.2epss 0.01
Multiple SQL injection vulnerabilities in PunBB before 1.2.14 allow remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors.
- risk 0.46cvss 7.1epss 0.00
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with…
- risk 0.46cvss 7.1epss 0.00
Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the…
- risk 0.46cvss 7.1epss 0.00
No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Attackers can submit POST requests to /nocms/main/manage_privilege/index/export with malicious…
- risk 0.46cvss 7.1epss 0.00
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to…
- risk 0.46cvss 7.1epss 0.00
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro…
- risk 0.46cvss 8.2epss 0.00
Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long…
- risk 0.46cvss 7.1epss 0.00
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus…