VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 222 of 512
  • CVE-2025-37104HigJul 16, 2025
    risk 0.46cvss 7.1epss 0.00

    A security vulnerability has been identified in HPE Telco Service Orchestrator software. The vulnerability could allow authenticated clients to to perform a SQL Injection attack when sending a service request, and potentially exfiltrate the database's vendor name to unauthorized…

  • CVE-2025-3751HigMay 21, 2025
    risk 0.46cvss epss 0.00

    The component listed above contains a vulnerability that can be exploited by an attacker to perform a SQL Injection attack. This could lead to unauthorised access to the database and exposure of sensitive information

  • CVE-2024-54447HigMar 14, 2025
    risk 0.46cvss epss 0.00

    Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof…

  • CVE-2024-54446HigMar 14, 2025
    risk 0.46cvss epss 0.00

    Document history functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack…

  • CVE-2025-26533HigFeb 24, 2025
    risk 0.46cvss 8.1epss 0.00

    An SQL injection risk was identified in the module list filter within course search.

  • CVE-2025-22976HigJan 15, 2025
    risk 0.46cvss 7.1epss 0.00

    SQL Injection vulnerability in dingfanzuCMS v.1.0 allows a local attacker to execute arbitrary code via not filtering the content correctly at the "checkOrder.php" shopId module.

  • CVE-2024-36263HigJun 12, 2024
    risk 0.46cvss 8.1epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: all versions. As this project is retired, we do not plan to…

  • CVE-2024-32655HigMay 14, 2024
    risk 0.46cvss 8.1epss 0.02

    Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths…

  • CVE-2024-28816HigMar 11, 2024
    risk 0.46cvss 7.1epss 0.00

    Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php.

  • CVE-2024-27289HigMar 6, 2024
    risk 0.46cvss 8.1epss 0.01

    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a…

  • CVE-2023-28788HigDec 20, 2023
    risk 0.46cvss 7.1epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for…

  • CVE-2023-25990HigNov 3, 2023
    risk 0.46cvss 7.1epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.1.10.

  • CVE-2023-26015HigNov 3, 2023
    risk 0.46cvss 7.1epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Chris Richardson MapPress Maps for WordPress mappress-google-maps-for-wordpress allows SQL Injection.This issue affects MapPress Maps for WordPress: from n/a through 2.85.4.

  • CVE-2023-35782HigJun 16, 2023
    risk 0.46cvss 8.2epss 0.01

    The ipandlanguageredirect extension before 5.1.2 for TYPO3 allows SQL Injection.

  • CVE-2023-33967HigMay 31, 2023
    risk 0.46cvss 8.2epss 0.01

    EaseProbe is a tool that can do health/status checking. An SQL injection issue was discovered in EaseProbe before 2.1.0 when using MySQL/PostgreSQL data checking. This problem has been fixed in v2.1.0.

  • CVE-2022-24815HigApr 11, 2022
    risk 0.46cvss 8.1epss 0.01

    JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. SQL Injection vulnerability in entities for applications generated with the option "reactive with Spring WebFlux" enabled and an SQL database using…

  • CVE-2021-39165HigAug 26, 2021
    risk 0.46cvss 8.1epss 0.10

    Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as…

  • CVE-2020-24400HigNov 9, 2020
    risk 0.46cvss 7.1epss 0.02

    Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the…

  • CVE-2016-9994HigMar 1, 2017
    risk 0.46cvss 7.1epss 0.01

    IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1976805.

  • CVE-2016-9993HigMar 1, 2017
    risk 0.46cvss 7.1epss 0.01

    IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1992067.