CWE-564— SQL Injection: Hibernate
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.— MITRE CWE catalog
10 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-564page 1 of 1
- CVE-2024-4658MEDIUMCVSS 6.9EG 6.92024-10-10
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TE Informatics Nova CMS allows SQL Injection. This issue affects Nova CMS: before 5.0.
- CVE-2024-48988HIGHCVSS 7.6EG 7.62025-08-22
SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distri…
- CVE-2024-58352HIGHCVSS 7.5EG 7.52026-07-02
Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated... Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity…
- CVE-2025-0959HIGHCVSS 8.8EG 8.82025-03-07
The Eventer - WordPress Event & Booking Manager Plugin plugin for WordPress is vulnerable to SQL Injection via the reg_id parameter in all versions up to, and including, 3.9.9.2 due to insufficient escaping on the user supplied parameter a…
- CVE-2025-67280MEDIUMCVSS 5.4EG 5.42026-01-09
In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user.
- CVE-2025-71332HIGHCVSS 8.8EG 5.92025-04-07
Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated un…
- CVE-2025-8052HIGHCVSS 8.8EG 8.82025-10-20
SQL Injection vulnerability in opentext Flipper allows SQL Injection. The vulnerability could allow a low privilege user to interact with the database in unintended ways and extract data by interacting with the HQL processor. This issu…
- CVE-2026-22242MEDIUMCVSS 4.9EG 4.92026-01-08
CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based…
- CVE-2026-23959MEDIUMCVSS 4.9EG 4.92026-01-22
CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperl…
- CVE-2026-40871HIGHCVSS 7.2EG 7.22026-04-21
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint …
Map vulnerabilities like CWE-564 to your infrastructure
EchelonGraph correlates every CVE — across CWE-564 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →