VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 330 of 641
  • CVE-2026-40848MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40847MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40846MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40845MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40844MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40843MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40842MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40841MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40840MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40839MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40838MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40837MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40835MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40832MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-40831MedMay 27, 2026
    risk 0.42cvss 6.5epss 0.00

    An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

  • CVE-2026-44923MedMay 20, 2026
    risk 0.42cvss 6.5epss 0.00

    SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges.

  • CVE-2026-8685MedMay 20, 2026
    risk 0.42cvss 6.5epss 0.00

    The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL…

  • CVE-2026-46359HigMay 15, 2026
    risk 0.42cvss 7.5epss 0.00

    phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or…

  • CVE-2026-5486MedMay 14, 2026
    risk 0.42cvss 6.5epss 0.00

    The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated…

  • CVE-2026-37429MedMay 13, 2026
    risk 0.42cvss 6.5epss 0.00

    qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information (PII)…