VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 352 of 641
  • CVE-2026-3806MedMar 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in SourceCodester/janobe Resort Reservation System 1.0. This issue affects some unknown processing of the file /room_rates.php. This manipulation of the argument q causes sql injection. The attack can be initiated remotely. The exploit has been…

  • CVE-2026-3793MedMar 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file sales_invoice1.php of the component GET Parameter Handler. This manipulation of the argument sellid causes sql injection. It is possible to…

  • CVE-2026-3792MedMar 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file purchase_invoice.php of the component GET Parameter Handler. The manipulation of the argument purchaseid results in sql injection. The attack may be performed…

  • CVE-2026-3791MedMar 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in SourceCodester Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file dashboard.php of the component Search. The manipulation of the argument searchtxt leads to sql injection. The attack is possible to…

  • CVE-2026-3790MedMar 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file check_supplier_details.php of the component POST Parameter Handler. Executing a manipulation of the argument stock_name1 can lead to sql…

  • CVE-2026-3786MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in EasyCMS up to 1.6. The impacted element is an unknown function of the file /RbacuserAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order results in sql injection. The attack can be launched…

  • CVE-2026-3785MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in EasyCMS up to 1.6. The affected element is an unknown function of the file /RbacnodeAction.class.php of the component Request Parameter Handler. The manipulation of the argument _order leads to sql injection. The attack can be initiated…

  • CVE-2026-3771MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in SourceCodester/janobe Resort Reservation System 1.0. This vulnerability affects unknown code of the file /accomodation.php. Such manipulation of the argument q leads to sql injection. The attack may be performed from remote. The exploit has been…

  • CVE-2026-3767MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in itsourcecode sanitize or validate this input 1.0. Affected is an unknown function of the file /admin/teacher-attendance.php. Executing a manipulation of the argument teacher_id can lead to sql injection. The attack may be launched remotely. The…

  • CVE-2026-3756MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in SourceCodester Sales and Inventory System up to 1.0. Affected is an unknown function of the file /check_item_details.php. The manipulation of the argument stock_name1 leads to sql injection. The attack may be initiated remotely. The exploit is…

  • CVE-2026-3755MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This impacts an unknown function of the file /check_customer_details.php of the component POST Handler. Executing a manipulation of the argument stock_name1 can lead to sql injection. The attack can…

  • CVE-2026-3754MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown function of the file /add_stock.php. Performing a manipulation of the argument cost results in sql injection. The attack can be initiated remotely. The exploit has been made…

  • CVE-2026-3753MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in SourceCodester Sales and Inventory System up to 1.0. The impacted element is an unknown function of the file /add_sales_print.php. Such manipulation of the argument sid leads to sql injection. It is possible to launch the attack remotely. The…

  • CVE-2026-3745MedMar 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was found in code-projects Student Web Portal 1.0. Affected is an unknown function of the file profile.php. The manipulation of the argument User results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

  • CVE-2026-3672MedMar 7, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in JeecgBoot up to 3.9.1. Affected is the function isExistSqlInjectKeyword of the file /jeecg-boot/sys/api/getDictItems. Such manipulation leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public…

  • CVE-2026-3616MedMar 6, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modules/customers/edit.php. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated…

  • CVE-2026-3292MedFeb 27, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. The manipulation of the argument data leads to sql injection. The attack is possible to be carried out…

  • CVE-2026-3287MedFeb 27, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in youlaitech youlai-mall 2.0.0. This affects the function listPagedSpuForApp of the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the component App-side Product Pagination Endpoint. Performing a…

  • CVE-2026-3150MedFeb 25, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to sql injection. The attack is possible to be carried out remotely.…

  • CVE-2026-3149MedFeb 25, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can…