VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 89 of 512
  • CVE-2024-13174HigSep 16, 2025
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E1 Informatics Web Application allows SQL Injection. This issue affects Web Application: through 20250916.  NOTE: The vendor did not inform about the completion of the fixing…

  • CVE-2025-49485HigJul 18, 2025
    risk 0.56cvss epss 0.00

    A SQL injection vulnerability in the Balbooa Forms plugin 1.0.0-2.3.1.1 for Joomla allows privileged users to execute arbitrary SQL commands via the 'id' parameter.

  • CVE-2025-49468HigJun 13, 2025
    risk 0.56cvss epss 0.00

    A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the id_module parameter.

  • CVE-2025-3893HigMay 23, 2025
    risk 0.56cvss epss 0.00

    While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.  Version 5.20 of MegaBIP fixes this issue.

  • CVE-2025-0942HigApr 7, 2025
    risk 0.56cvss 8.6epss 0.00

    The DB chooser functionality in Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection. This issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was…

  • CVE-2024-11504HigMar 28, 2025
    risk 0.56cvss epss 0.00

    Input from multiple fields in Streamsoft Prestiż is not sanitized properly, leading to an SQL injection vulnerability, which might be exploited by an authenticated remote attacker.  This issue was fixed in 18.1.376.37 version of the software.

  • CVE-2024-9149HigMar 4, 2025
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wind Media E-Commerce Website Template allows SQL Injection. This issue affects E-Commerce Website Template: before v1.5.

  • CVE-2025-22217HigJan 28, 2025
    risk 0.56cvss 8.6epss 0.01

    Avi Load Balancer contains an unauthenticated blind SQL Injection vulnerability which was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.  A malicious user with network access may be able to use specially crafted…

  • CVE-2024-3370HigNov 18, 2024
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection. This issue affects Website Template: before 29.04.2024.

  • CVE-2024-6748HigJul 29, 2024
    risk 0.56cvss 8.3epss 0.24

    Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring.

  • CVE-2022-47151HigApr 17, 2024
    risk 0.56cvss 8.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.

  • CVE-2024-0637HigApr 1, 2024
    risk 0.56cvss 8.8epss 0.72

    Centreon updateDirectory SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the…

  • CVE-2021-26830CriApr 16, 2021
    risk 0.56cvss 9.1epss 0.05

    SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.

  • CVE-2020-5504HigJan 9, 2020
    risk 0.56cvss 8.8epss 0.39

    In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

  • CVE-2018-10915HigAug 9, 2018
    risk 0.56cvss 8.5epss 0.05

    A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could…

  • CVE-2015-3314HigSep 7, 2017
    risk 0.56cvss 8.1epss 0.05

    SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5.

  • CVE-2016-0249HigOct 16, 2016
    risk 0.56cvss 8.6epss 0.01

    SQL injection vulnerability in IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2026-39581HigJun 16, 2026
    risk 0.55cvss 8.5epss 0.00

    Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.

  • CVE-2026-52700HigJun 15, 2026
    risk 0.55cvss 8.5epss 0.00

    Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.

  • CVE-2026-52697HigJun 15, 2026
    risk 0.55cvss 8.5epss 0.00

    Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.