VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236 total; page 53 of 512 shown)

  • CVE-2023-32590 · Critical · Dec 20, 2023
    risk 0.61 · CVSS 9.3 · EPSS 0.02

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category. This issue affects Subscribe to Category: from n/a through 2.7.4.

  • CVE-2023-49750 · Critical · Dec 19, 2023
    risk 0.61 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme. This issue affects Couponis - Affiliate & Submitting Coupons WordPress Theme: from n/a before 2.2.

  • CVE-2023-48738 · Critical · Dec 19, 2023
    risk 0.61 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porto Theme Porto Theme - Functionality. This issue affects Porto Theme - Functionality: from n/a before 2.12.1.

  • CVE-2022-0495 · Critical · Sep 21, 2022
    risk 0.61 · CVSS 9.4 · EPSS 0.01

    The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in version 19.05.03.01.

  • CVE-2022-2315 · Critical · Sep 21, 2022
    risk 0.61 · CVSS 9.4 · EPSS 0.01

    Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.

  • CVE-2022-2177 · Critical · Sep 20, 2022
    risk 0.61 · CVSS 9.4 · EPSS 0.01

    Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.

  • CVE-2022-1277 · Critical · Jul 29, 2022
    risk 0.61 · CVSS 9.4 · EPSS 0.01

    Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability.

  • CVE-2021-44427 · Critical · Nov 29, 2021
    risk 0.61 · CVSS 9.8 · EPSS 0.51

    An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.

  • CVE-2021-42325 · Critical · Oct 12, 2021
    risk 0.61 · CVSS 9.8 · EPSS 0.12

    Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

  • CVE-2019-14234 · Critical · Aug 9, 2019
    risk 0.61 · CVSS 9.8 · EPSS 0.48

    An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField,…

  • CVE-2018-3606 · High · Feb 9, 2018
    risk 0.61 · CVSS 8.8 · EPSS 0.49

    XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations.

  • CVE-2017-16542 · High · Nov 5, 2017
    risk 0.61 · CVSS 8.8 · EPSS 0.05

    Zoho ManageEngine Applications Manager 13 before build 13500 allows post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.

  • CVE-2017-9603 · High · Jun 13, 2017
    risk 0.61 · CVSS 8.8 · EPSS 0.05

    SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php.

  • CVE-2017-7221 · High · Apr 25, 2017
    risk 0.61 · CVSS 8.8 · EPSS 0.04

    OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created…

  • CVE-2016-1914 · High · Apr 13, 2017
    risk 0.61 · CVSS 8.8 · EPSS 0.04

    Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) mydevice/client/image, (2)…

  • CVE-2016-5843 · Critical · Sep 17, 2016
    risk 0.61 · CVSS 9.4 · EPSS 0.03

    Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters.

  • CVE-2026-52715 · Critical · Jun 16, 2026
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    Unauthenticated SQL Injection in GEO my WordPress versions <= 4.5.5.

  • CVE-2026-39574 · Critical · Jun 16, 2026
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    Unauthenticated SQL Injection in InPost Gallery versions <= 2.1.4.6.

  • CVE-2026-52693 · Critical · Jun 15, 2026
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    Unauthenticated SQL Injection in eCommerce Product Catalog versions <= 3.5.5.

  • CVE-2026-49776 · Critical · Jun 15, 2026
    risk 0.60 · CVSS 9.3 · EPSS 0.00

    Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites versions <= 2.32.6.