VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 353 of 641
  • CVE-2026-3057MedFeb 24, 2026
    risk 0.41cvss 6.3epss 0.01

    A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The…

  • CVE-2026-2963MedFeb 23, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack…

  • CVE-2026-2822MedFeb 20, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file /jeecgboot/sys/dict/loadDict/airag_app,1,create_by of the component Backend Interface. Such manipulation of the argument keyword leads to sql injection.…

  • CVE-2026-2706MedFeb 19, 2026
    risk 0.41cvss 6.3epss 0.00

    A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and…

  • CVE-2026-2682MedFeb 18, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). Impacted is an unknown function of the file /mine/PublicReport/prinReport.html?token=java. Such manipulation of the argument comid leads to sql injection. The attack can be…

  • CVE-2026-2663MedFeb 18, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to…

  • CVE-2026-2553MedFeb 16, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. This affects an unknown part of the file /home.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Name/Email results…

  • CVE-2026-2122MedFeb 8, 2026
    risk 0.41cvss 6.3epss 0.00

    A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been…

  • CVE-2026-1746MedFeb 2, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in JeecgBoot 3.9.0. This vulnerability affects unknown code of the file /JeecgBoot/sys/api/loadDictItemByKeyword of the component Online Report API. Such manipulation of the argument keyword leads to sql injection. The attack can be executed…

  • CVE-2026-1552MedJan 29, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed…

  • CVE-2026-1551MedJan 29, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been…

  • CVE-2026-1546MedJan 28, 2026
    risk 0.41cvss 6.3epss 0.00

    A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the…

  • CVE-2026-1118MedJan 18, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit…

  • CVE-2026-0843MedJan 11, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can…

  • CVE-2025-15496MedJan 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be…

  • CVE-2025-15494MedJan 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been…

  • CVE-2025-15493MedJan 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack…

  • CVE-2026-0803MedJan 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be…

  • CVE-2025-15492MedJan 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the…

  • CVE-2026-0733MedJan 9, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack…