VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 219 of 512
  • CVE-2018-25392HigMay 29, 2026
    risk 0.46cvss 7.1epss 0.00

    MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with…

  • CVE-2026-4776HigMay 29, 2026
    risk 0.46cvss 7.1epss 0.00

    An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.

  • CVE-2026-40836HigMay 27, 2026
    risk 0.46cvss 7.1epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table.…

  • CVE-2026-40834HigMay 27, 2026
    risk 0.46cvss 7.1epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash_layout.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting…

  • CVE-2026-40833HigMay 27, 2026
    risk 0.46cvss 7.1epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting…

  • CVE-2026-48842HigMay 25, 2026
    risk 0.46cvss 8.1epss 0.01

    Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.

  • CVE-2018-25381HigMay 25, 2026
    risk 0.46cvss 7.1epss 0.00

    Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search…

  • CVE-2018-25380HigMay 25, 2026
    risk 0.46cvss 7.1epss 0.00

    Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view…

  • CVE-2018-25352HigMay 23, 2026
    risk 0.46cvss 7.1epss 0.00

    WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the…

  • CVE-2018-25347HigMay 23, 2026
    risk 0.46cvss 7.1epss 0.00

    WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and…

  • CVE-2018-25346HigMay 23, 2026
    risk 0.46cvss 7.1epss 0.00

    WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with…

  • CVE-2026-48235HigMay 21, 2026
    risk 0.46cvss 8.2epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are…

  • CVE-2026-8726HigMay 19, 2026
    risk 0.46cvss epss 0.00

    The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news…

  • CVE-2018-25319HigMay 17, 2026
    risk 0.46cvss 7.1epss 0.00

    Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Attackers can send GET requests to the event_add.php page with malicious…

  • CVE-2021-47980HigMay 16, 2026
    risk 0.46cvss 7.1epss 0.00

    Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL…

  • CVE-2026-42847HigMay 14, 2026
    risk 0.46cvss epss 0.00

    ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #122, there is a critical SQL Injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint admin_area/action_logs.php. The endpoint…

  • CVE-2020-37226HigMay 13, 2026
    risk 0.46cvss 7.1epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2020-37224HigMay 13, 2026
    risk 0.46cvss 7.1epss 0.00

    Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby'…

  • CVE-2026-8207HigMay 9, 2026
    risk 0.46cvss epss 0.00

    Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation…

  • CVE-2026-41496HigMay 8, 2026
    risk 0.46cvss 8.1epss 0.00

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso,…