CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 89 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13174 | Hig | 0.56 | 8.6 | 0.00 | Sep 16, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E1 Informatics Web Application allows SQL Injection. This issue affects Web Application: through 20250916. NOTE: The vendor did not inform about the completion of the fixing… | ||
| CVE-2025-49485 | Hig | 0.56 | — | 0.00 | Jul 18, 2025 | A SQL injection vulnerability in the Balbooa Forms plugin 1.0.0-2.3.1.1 for Joomla allows privileged users to execute arbitrary SQL commands via the 'id' parameter. | ||
| CVE-2025-49468 | Hig | 0.56 | — | 0.00 | Jun 13, 2025 | A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter. | ||
| CVE-2025-3893 | Hig | 0.56 | — | 0.00 | May 23, 2025 | While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability. Version 5.20 of MegaBIP fixes this issue. | ||
| CVE-2025-0942 | Hig | 0.56 | 8.6 | 0.00 | Apr 7, 2025 | The DB chooser functionality in Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection. This issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was… | ||
| CVE-2024-11504 | Hig | 0.56 | — | 0.00 | Mar 28, 2025 | Input from multiple fields in Streamsoft Prestiż is not sanitized properly, leading to an SQL injection vulnerability, which might be exploited by an authenticated remote attacker. This issue was fixed in 18.1.376.37 version of the software. | ||
| CVE-2024-9149 | Hig | 0.56 | 8.6 | 0.00 | Mar 4, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wind Media E-Commerce Website Template allows SQL Injection. This issue affects E-Commerce Website Template: before v1.5. | ||
| CVE-2025-22217 | Hig | 0.56 | 8.6 | 0.01 | Jan 28, 2025 | Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. A malicious user with network access may be able to use specially crafted… | ||
| CVE-2024-3370 | Hig | 0.56 | 8.6 | 0.00 | Nov 18, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection. This issue affects Website Template: before 29.04.2024. | ||
| CVE-2024-6748 | Hig | 0.56 | 8.3 | 0.24 | Jul 29, 2024 | Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. | ||
| CVE-2022-47151 | Hig | 0.56 | 8.6 | 0.00 | Apr 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1. | ||
| CVE-2024-0637 | Hig | 0.56 | 8.8 | 0.72 | Apr 1, 2024 | Centreon updateDirectory SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the… | ||
| CVE-2021-26830 | — | Cri | 0.56 | 9.1 | 0.05 | Apr 16, 2021 | SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module. | |
| CVE-2020-5504 | — | Hig | 0.56 | 8.8 | 0.39 | Jan 9, 2020 | In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. | |
| CVE-2018-10915 | Hig | 0.56 | 8.5 | 0.05 | Aug 9, 2018 | A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could… | ||
| CVE-2015-3314 | Hig | 0.56 | 8.1 | 0.05 | Sep 7, 2017 | SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5. | ||
| CVE-2016-0249 | Hig | 0.56 | 8.6 | 0.01 | Oct 16, 2016 | SQL injection vulnerability in IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2026-39581 | Hig | 0.55 | 8.5 | 0.00 | Jun 16, 2026 | Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions. | ||
| CVE-2026-52700 | Hig | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions. | ||
| CVE-2026-52697 | Hig | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions. |
- risk 0.56cvss 8.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E1 Informatics Web Application allows SQL Injection. This issue affects Web Application: through 20250916. NOTE: The vendor did not inform about the completion of the fixing…
- risk 0.56cvss —epss 0.00
A SQL injection vulnerability in the Balbooa Forms plugin 1.0.0-2.3.1.1 for Joomla allows privileged users to execute arbitrary SQL commands via the 'id' parameter.
- risk 0.56cvss —epss 0.00
A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter.
- risk 0.56cvss —epss 0.00
While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability. Version 5.20 of MegaBIP fixes this issue.
- risk 0.56cvss 8.6epss 0.00
The DB chooser functionality in Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection. This issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was…
- risk 0.56cvss —epss 0.00
Input from multiple fields in Streamsoft Prestiż is not sanitized properly, leading to an SQL injection vulnerability, which might be exploited by an authenticated remote attacker. This issue was fixed in 18.1.376.37 version of the software.
- risk 0.56cvss 8.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wind Media E-Commerce Website Template allows SQL Injection. This issue affects E-Commerce Website Template: before v1.5.
- risk 0.56cvss 8.6epss 0.01
Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. A malicious user with network access may be able to use specially crafted…
- risk 0.56cvss 8.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection. This issue affects Website Template: before 29.04.2024.
- risk 0.56cvss 8.3epss 0.24
Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring.
- risk 0.56cvss 8.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.
- risk 0.56cvss 8.8epss 0.72
Centreon updateDirectory SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the…
- risk 0.56cvss 9.1epss 0.05
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.
- risk 0.56cvss 8.8epss 0.39
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
- risk 0.56cvss 8.5epss 0.05
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could…
- risk 0.56cvss 8.1epss 0.05
SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5.
- risk 0.56cvss 8.6epss 0.01
SQL injection vulnerability in IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.55cvss 8.5epss 0.00
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.
- risk 0.55cvss 8.5epss 0.00
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
- risk 0.55cvss 8.5epss 0.00
Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.