VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 326 of 641
  • CVE-2025-30062MedMar 2, 2026
    risk 0.45cvss epss 0.00

    In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.

  • CVE-2025-30061MedAug 27, 2025
    risk 0.45cvss epss 0.00

    In the "utils/Reporter/OpenReportWindow.pl" service, there is an SQL injection vulnerability through the "UserID" parameter.

  • CVE-2025-30060MedAug 27, 2025
    risk 0.45cvss epss 0.00

    In the ReturnUserUnitsXML.pl service, the "getUserInfo" function is vulnerable to SQL injection through the "UserID" parameter.

  • CVE-2025-30059MedAug 27, 2025
    risk 0.45cvss epss 0.00

    In the PrepareCDExportJSON.pl service, the "getPerfServiceIds" function is vulnerable to SQL injection.

  • CVE-2025-30058MedAug 27, 2025
    risk 0.45cvss epss 0.00

    In the PatientService.pl service, the "getPatientIdentifier" function is vulnerable to SQL injection through the "pesel" parameter.

  • CVE-2025-34136MedJul 25, 2025
    risk 0.45cvss epss 0.00

    An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server…

  • CVE-2025-53122MedJun 26, 2025
    risk 0.45cvss epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection.  Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon…

  • CVE-2025-1520HigApr 23, 2025
    risk 0.45cvss 8.0epss 0.00

    PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw…

  • CVE-2024-12745HigDec 24, 2024
    risk 0.45cvss 8.0epss 0.01

    A SQL injection in the Amazon Redshift Python Connector v2.1.4 allows a user to gain escalated privileges via the get_schemas, get_tables, or get_columns Metadata APIs. Users are recommended to upgrade to the driver version 2.1.5 or revert to driver version 2.1.3.

  • CVE-2024-12744HigDec 24, 2024
    risk 0.45cvss 8.0epss 0.01

    A SQL injection in the Amazon Redshift JDBC Driver in v2.1.0.31 allows a user to gain escalated privileges via the getSchemas, getTables, or getColumns Metadata APIs. Users should upgrade to the driver version 2.1.0.32 or revert to driver version 2.1.0.30.

  • CVE-2024-4658MedOct 10, 2024
    risk 0.45cvss epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TE Informatics Nova CMS allows SQL Injection. This issue affects Nova CMS: before 5.0.

  • CVE-2024-23115HigApr 1, 2024
    risk 0.45cvss 7.2epss 0.67

    Centreon updateGroups SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the…

  • CVE-2023-1545HigMar 21, 2023
    risk 0.45cvss 7.5epss 0.08

    SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

  • CVE-2021-36300MedNov 23, 2021
    risk 0.45cvss 6.5epss 0.33

    iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.

  • CVE-2019-17357MedJan 21, 2020
    risk 0.45cvss 6.5epss 0.35

    Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data…

  • CVE-2026-9617MedMay 27, 2026
    risk 0.44cvss 6.8epss 0.00

    PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The…

  • CVE-2026-32687HigMay 12, 2026
    risk 0.44cvss 7.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and…

  • CVE-2026-32176MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

  • CVE-2026-32167MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

  • CVE-2026-39809MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow attacker to execute unauthorized code or commands…