CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
Page 53 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-32590 | — | Cri | 0.61 | 9.3 | 0.02 | | Dec 20, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category. This issue affects Subscribe to Category: from n/a through 2.7.4. |
| CVE-2023-49750 | — | Cri | 0.61 | 9.3 | 0.01 | | Dec 19, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme. This issue affects Couponis - Affiliate & Submitting Coupons WordPress Theme: from n/a before 2.2. |
| CVE-2023-48738 | — | Cri | 0.61 | 9.3 | 0.01 | | Dec 19, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porto Theme Porto Theme - Functionality. This issue affects Porto Theme - Functionality: from n/a before 2.12.1. |
| CVE-2022-0495 | — | Cri | 0.61 | 9.4 | 0.01 | | Sep 21, 2022 | The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01. |
| CVE-2022-2315 | — | Cri | 0.61 | 9.4 | 0.01 | | Sep 21, 2022 | Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2. |
| CVE-2022-2177 | — | Cri | 0.61 | 9.4 | 0.01 | | Sep 20, 2022 | Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2. |
| CVE-2022-1277 | — | Cri | 0.61 | 9.4 | 0.01 | | Jul 29, 2022 | Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability. |
| CVE-2021-44427 | — | Cri | 0.61 | 9.8 | 0.51 | | Nov 29, 2021 | An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter. |
| CVE-2021-42325 | — | Cri | 0.61 | 9.8 | 0.12 | | Oct 12, 2021 | Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name. |
| CVE-2019-14234 | — | Cri | 0.61 | 9.8 | 0.48 | | Aug 9, 2019 | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField,… |
| CVE-2018-3606 | — | Hig | 0.61 | 8.8 | 0.49 | | Feb 9, 2018 | XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. |
| CVE-2017-16542 | — | Hig | 0.61 | 8.8 | 0.05 | | Nov 5, 2017 | Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. |
| CVE-2017-9603 | — | Hig | 0.61 | 8.8 | 0.05 | | Jun 13, 2017 | SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php. |
| CVE-2017-7221 | — | Hig | 0.61 | 8.8 | 0.04 | | Apr 25, 2017 | OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created… |
| CVE-2016-1914 | — | Hig | 0.61 | 8.8 | 0.04 | | Apr 13, 2017 | Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) mydevice/client/image, (2)… |
| CVE-2016-5843 | — | Cri | 0.61 | 9.4 | 0.03 | | Sep 17, 2016 | Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters. |
| CVE-2026-52715 | — | Cri | 0.60 | 9.3 | 0.00 | | Jun 16, 2026 | Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions. |
| CVE-2026-39574 | — | Cri | 0.60 | 9.3 | 0.00 | | Jun 16, 2026 | Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions. |
| CVE-2026-52693 | — | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions. |
| CVE-2026-49776 | — | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions. |