VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 88 of 512
  • CVE-2016-3172HigApr 12, 2016
    risk 0.57cvss 8.8epss 0.03

    SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.

  • CVE-2015-8604HigApr 11, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action.

  • CVE-2016-3659HigApr 11, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter.

  • CVE-2015-8153HigMar 18, 2016
    risk 0.57cvss 8.8epss 0.03

    SQL injection vulnerability in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6-MP4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-4627HigNov 7, 2014
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in EMC RSA Web Threat Detection 4.x before 4.6.1.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2026-3326HigJun 10, 2026
    risk 0.56cvss 8.6epss 0.00

    The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

  • CVE-2025-30028HigMay 27, 2026
    risk 0.56cvss 8.6epss 0.00

    A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

  • CVE-2026-6379HigMay 18, 2026
    risk 0.56cvss 8.6epss 0.00

    The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

  • CVE-2026-4935HigMay 8, 2026
    risk 0.56cvss 8.6epss 0.00

    The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

  • CVE-2026-30995HigApr 15, 2026
    risk 0.56cvss 8.6epss 0.00

    Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.

  • CVE-2026-3830HigApr 13, 2026
    risk 0.56cvss 8.6epss 0.00

    The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

  • CVE-2026-34885HigApr 6, 2026
    risk 0.56cvss 8.5epss 0.02

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.

  • CVE-2026-1198HigFeb 26, 2026
    risk 0.56cvss epss 0.00

    SIMPLE.ERP is vulnerable to the SQL Injection in search functionality in "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to prepare a malicious query to the database that will be executed. This issue was fixed in 6.30@A04.4_u06.

  • CVE-2025-59920HigFeb 18, 2026
    risk 0.56cvss epss 0.00

    When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request…

  • CVE-2025-7631HigFeb 17, 2026
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software allows SQL Injection. This issue affects Tumeva…

  • CVE-2025-8587HigFeb 2, 2026
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026.

  • CVE-2025-4686HigJan 30, 2026
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment:…

  • CVE-2023-36525HigDec 24, 2025
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPJobBoard allows Blind SQL Injection.This issue affects WPJobBoard: from n/a through 5.9.0.

  • CVE-2025-62173HigDec 4, 2025
    risk 0.56cvss epss 0.00

    ## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API

  • CVE-2025-12465HigDec 2, 2025
    risk 0.56cvss epss 0.00

    A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the…