VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 50 of 512
  • CVE-2015-1000011 · Critical · Oct 6, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    Blind SQL Injection in wordpress plugin dukapress v2.5.9

  • CVE-2015-1000003 · Critical · Oct 6, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    Blind SQL Injection in filedownload v1.4 wordpress plugin

  • CVE-2016-5048 · Critical · Aug 26, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in chat/staff/default.aspx in ReadyDesk 9.1 allows remote attackers to execute arbitrary SQL commands via the user name field.

  • CVE-2016-5817 · Critical · Aug 22, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in news pages in Cargotec Navis WebAccess before 2016-08-10 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-5792 · Critical · Aug 8, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    SQL injection vulnerability in Moxa SoftCMS before 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified fields.

  • CVE-2016-4999 · Critical · Aug 5, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set…

  • CVE-2016-4837 · Critical · Aug 1, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in the Seed Coupon plugin before 1.6 for EC-CUBE allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-4522 · Critical · Jul 28, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.06

    SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-5703 · Critical · Jul 3, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query.

  • CVE-2016-0224 · Critical · Jun 28, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in IBM Marketing Platform 8.5.x, 8.6.x, and 9.x before 9.1.2.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2015-7695 · Critical · Jun 7, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    The PDO adapters in Zend Framework before 1.12.16 do not filter null bytes in SQL statements, which allows remote attackers to execute arbitrary SQL commands via a crafted query.

  • CVE-2016-2351 · Critical · May 7, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in home/seos/courier/security_key2.api on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows remote attackers to execute arbitrary SQL commands via the client_id parameter.

  • CVE-2016-4351 · Critical · May 5, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-0710 · High · Apr 11, 2016
    risk 0.64 · CVSS 8.8 · EPSS 0.52

    Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/.

  • CVE-2015-6319 · Critical · Jan 27, 2016
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    SQL injection vulnerability in the web-based management interface on Cisco RV220W devices allows remote attackers to execute arbitrary SQL commands via a crafted header in an HTTP request, aka Bug ID CSCuv29574.

  • CVE-2015-6537 · Critical · Dec 27, 2015
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in the login page in Epiphany Cardio Server 3.3 allows remote attackers to execute arbitrary SQL commands via a crafted URL.

  • CVE-2007-3652 · Critical · Jul 9, 2008
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in class/page.php in Farsi Script (aka FaScript) FaName 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: this might be the same issue as CVE-2008-0328.

  • CVE-2007-2534 · Critical · May 9, 2007
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Multiple SQL injection vulnerabilities in admin.php in phpHoo3 allow remote attackers to execute arbitrary SQL commands via the (1) ADMIN_USER (USER) and (2) ADMIN_PASS (PASS) parameters during a login. NOTE: CVE disputes this vulnerability, since ADMIN_USER/ADMIN_PASS are…

  • CVE-2026-26980 · Critical · Feb 20, 2026
    risk 0.63 · CVSS 9.4 · EPSS 0.70

    Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

  • CVE-2024-55988 · Critical · Dec 16, 2024
    risk 0.63 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Amol Nirmala Waman Navayan CSV Export navayan-csv-export allows Blind SQL Injection. This issue affects Navayan CSV Export: from n/a through <= 1.0.9.