VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 72 of 512
  • CVE-2026-23696CriApr 7, 2026
    risk 0.57cvss 9.9epss 0.05

    Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data…

  • CVE-2026-35184CriApr 6, 2026
    risk 0.57cvss 9.8epss 0.00

    EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.

  • CVE-2026-34934CriApr 3, 2026
    risk 0.57cvss 9.8epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application…

  • CVE-2026-34612CriApr 3, 2026
    risk 0.57cvss 9.9epss 0.01

    Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a…

  • CVE-2026-27634CriApr 3, 2026
    risk 0.57cvss 9.8epss 0.01

    Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without…

  • CVE-2026-34717CriApr 2, 2026
    risk 0.57cvss 9.9epss 0.00

    OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version…

  • CVE-2026-34400CriMar 31, 2026
    risk 0.57cvss 9.8epss 0.01

    Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been…

  • CVE-2026-34220CriMar 31, 2026
    risk 0.57cvss 9.8epss 0.00

    MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been…

  • CVE-2026-32714CriMar 31, 2026
    risk 0.57cvss 9.8epss 0.00

    SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This…

  • CVE-2026-27697CriMar 31, 2026
    risk 0.57cvss 9.8epss 0.00

    baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.

  • CVE-2026-33770CriMar 27, 2026
    risk 0.57cvss 9.8epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared…

  • CVE-2026-3334HigMar 21, 2026
    risk 0.57cvss 8.8epss 0.00

    The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of…

  • CVE-2026-32888HigMar 20, 2026
    risk 0.57cvss 8.8epss 0.00

    Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input…

  • CVE-2026-30711HigMar 19, 2026
    risk 0.57cvss 8.8epss 0.00

    Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent.

  • CVE-2026-22730HigMar 18, 2026
    risk 0.57cvss 8.8epss 0.01

    A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization.

  • CVE-2026-31844HigMar 11, 2026
    risk 0.57cvss 8.8epss 0.00

    An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can…

  • CVE-2026-30930CriMar 10, 2026
    risk 0.57cvss 9.8epss 0.00

    Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not…

  • CVE-2025-10350HigMar 2, 2026
    risk 0.57cvss epss 0.00

    SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in…

  • CVE-2025-7636HigFeb 10, 2026
    risk 0.57cvss 8.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection. This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was…

  • CVE-2026-2094HigFeb 10, 2026
    risk 0.57cvss 8.8epss 0.00

    Docpedia developed by Flowring has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.