SQL Server
by Microsoft
CVEs (109)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49759 | | | 0.00 | — | 0.01 | | Aug 12, 2025 | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-49758 | | | 0.00 | — | 0.01 | | Aug 12, 2025 | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2024-49043 | | | 0.00 | — | 0.01 | | Nov 12, 2024 | Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability |
| CVE-2024-37980 | | | 0.00 | — | 0.01 | | Sep 10, 2024 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37341 | | | 0.00 | — | 0.01 | | Sep 10, 2024 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37965 | | | 0.00 | — | 0.02 | | Sep 10, 2024 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37339 | | | 0.00 | — | 0.02 | | Sep 10, 2024 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability |
| CVE-2023-36728 | | | 0.00 | — | 0.01 | | Oct 10, 2023 | Microsoft SQL Server Denial of Service Vulnerability |
| CVE-2023-23384 | | | 0.00 | — | 0.01 | | Apr 11, 2023 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2023-21713 | | | 0.00 | — | 0.02 | | Feb 14, 2023 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2023-21705 | | | 0.00 | — | 0.01 | | Feb 14, 2023 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2023-21528 | | | 0.00 | — | 0.00 | | Feb 14, 2023 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2022-29143 | | | 0.00 | — | 0.02 | | Jun 15, 2022 | Microsoft SQL Server Remote Code Execution Vulnerability |
| CVE-2003-0230 | | | 0.00 | — | 0.02 | | Aug 27, 2003 | Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability. |
| CVE-2002-1981 | | | 0.00 | — | 0.05 | | Dec 31, 2002 | Microsoft SQL Server 2000 through SQL Server 2000 SP2 allows the "public" role to execute the (1) sp_MSSetServerProperties or (2) sp_MSsetalertinfo stored procedures, which allows attackers to modify configuration including SQL server startup and alert settings. |
| CVE-2002-1138 | | | 0.00 | — | 0.05 | | Oct 11, 2002 | Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000, writes output files for scheduled jobs under its own privileges instead of the entity that launched it, which allows attackers to overwrite system files, aka… |
| CVE-2002-0645 | | | 0.00 | — | 0.04 | | Aug 12, 2002 | SQL injection vulnerability in stored procedures for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 may allow authenticated users to execute arbitrary commands. |
| CVE-2002-0643 | | | 0.00 | — | 0.02 | | Jul 23, 2002 | The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsoft SQL Server 2000 creates setup.iss files with insecure permissions and does not delete them after installation, which allows local users to obtain sensitive data, including weakly encrypted passwords, to gain… |
| CVE-2001-0344 | | | 0.00 | — | 0.02 | | Jul 21, 2001 | An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. |
| CVE-2000-1087 | | | 0.00 | — | 0.03 | | Jan 9, 2001 | The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to… |