VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 224 of 512
  • CVE-2026-32687HigMay 12, 2026
    risk 0.44cvss 7.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and…

  • CVE-2026-32176MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

  • CVE-2026-32167MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

  • CVE-2026-39809MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow attacker to execute unauthorized code or commands…

  • CVE-2025-15441MedApr 13, 2026
    risk 0.44cvss 6.8epss 0.00

    The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts.

  • CVE-2026-3396HigApr 8, 2026
    risk 0.44cvss 7.5epss 0.01

    WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing…

  • CVE-2025-62846MedMar 20, 2026
    risk 0.44cvss 6.7epss 0.00

    An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter…

  • CVE-2026-2413HigMar 11, 2026
    risk 0.44cvss 7.5epss 0.02

    The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where…

  • CVE-2025-15585MedFeb 19, 2026
    risk 0.44cvss epss 0.00

    Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the underlying database and could result in privilege escalation or data exfiltration.

  • CVE-2025-14973MedJan 26, 2026
    risk 0.44cvss 6.8epss 0.00

    The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.

  • CVE-2025-9140MedAug 19, 2025
    risk 0.44cvss 6.3epss 0.00

    A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql…

  • CVE-2025-55156HigAug 11, 2025
    risk 0.44cvss epss 0.00

    pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This…

  • CVE-2025-41233MedJun 12, 2025
    risk 0.44cvss 6.8epss 0.00

    Description: VMware AVI Load Balancer contains an authenticated blind SQL Injection vulnerability. VMware has evaluated the severity of the issue to be in the Moderate severity range https://www.broadcom.com/support/vmware-services/security-response  with a maximum CVSSv3…

  • CVE-2025-32466MedJun 11, 2025
    risk 0.44cvss epss 0.00

    A SQL injection vulnerability in RSMediaGallery! component 1.7.4 - 2.1.7 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript…

  • CVE-2025-22207MedFeb 18, 2025
    risk 0.44cvss epss 0.00

    Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler.

  • CVE-2024-49588MedNov 21, 2024
    risk 0.44cvss 6.8epss 0.00

    Multiple endpoints in `oracle-sidecar` in versions 0.347.0 to 0.543.0 were found to be vulnerable to SQL injections.

  • CVE-2024-33272MedApr 29, 2024
    risk 0.44cvss 6.8epss 0.00

    SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components.

  • CVE-2024-23118HigApr 1, 2024
    risk 0.44cvss 7.2epss 0.53

    Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists…

  • CVE-2024-23117HigApr 1, 2024
    risk 0.44cvss 7.2epss 0.53

    Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw…

  • CVE-2024-23116HigApr 1, 2024
    risk 0.44cvss 7.2epss 0.53

    Centreon updateLCARelation SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within…