CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 108 of 378
- CVE-2019-20107HIGHCVSS 8.8EG 8.82020-03-05
Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRev…
- CVE-2019-20179HIGHCVSS 8.8EG 8.82020-01-09
SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter.
- CVE-2019-20337HIGHCVSS 7.2EG 7.22020-01-05
In PHP Scripts Mall advanced-real-estate-script 4.0.9, the news_edit.php news_id parameter is vulnerable to SQL Injection.
- CVE-2019-20361CRITICALCVSS 9.8EG 9.82020-01-08
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).
- CVE-2019-20447CRITICALCVSS 9.8EG 9.82020-02-05
Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint.
- CVE-2019-20573HIGHCVSS 7.8EG 7.82020-03-24
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the RCS Content Provider. The Samsung IDs are SVE-2019-14059, SVE-2019-14685 (August 2019).
- CVE-2019-20574HIGHCVSS 7.8EG 7.82020-03-24
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Wi-Fi history Content Provider. The Samsung ID is SVE-2019-14061 (August 2019).
- CVE-2019-20576CRITICALCVSS 9.8EG 9.82020-03-24
An issue was discovered on Samsung mobile devices with P(9.0) software. The MemorySaver Content Provider allows SQL injection. The Samsung ID is SVE-2019-14365 (August 2019).
- CVE-2019-20591HIGHCVSS 7.8EG 7.82020-03-24
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Gear VR Service Content Provider. The Samsung ID is SVE-2019-14058 (July 2019).
- CVE-2019-20592HIGHCVSS 7.8EG 7.82020-03-24
An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Story Video Editor Content Provider. The Samsung ID is SVE-2019-14062 (July 2019).
- CVE-2019-20613HIGHCVSS 8.1EG 8.12020-03-24
An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. There is time-based SQL injection in Contacts. The Samsung ID is SVE-2018-13452 (March 2019).
- CVE-2019-20730CRITICALCVSS 9.8EG 9.82020-04-16
Certain NETGEAR devices are affected by SQL injection. This affects D3600 before 1.0.0.68, D6000 before 1.0.0.68, D6200 before 1.1.00.28, D6220 before 1.0.0.40, D6400 before 1.0.0.74, D7000 before 1.0.1.60, D7000v2 before 1.0.0.74, D7800 b…
- CVE-2019-20842HIGHCVSS 7.2EG 7.22020-06-19
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels.
- CVE-2019-20896CRITICALCVSS 9.8EG 9.82020-07-07
WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponent, messageID, or to parameter.
- CVE-2019-2195HIGHCVSS 7.8EG 7.82019-11-13
In tokenize of sqlite3_android.cpp, there is a possible attacker controlled INSERT statement due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interactio…
- CVE-2019-2196MEDIUMCVSS 5.5EG 5.52019-11-13
In Download Provider, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 An…
- CVE-2019-2198MEDIUMCVSS 5.5EG 5.52019-11-13
In Download Provider, there is a possible SQL injection vulnerability. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions…
- CVE-2019-2211HIGHCVSS 7.5EG 7.52019-11-13
In createProjectionMapForQuery of TvProvider.java, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: An…
- CVE-2019-25019CRITICALCVSS 9.8EG 9.82021-02-14
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
- CVE-2019-25100MEDIUMCVSS 5.5EG 9.82023-01-08
A vulnerability was found in happyman twmap. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file twmap3/data/ajaxCRUD/pointdata2.php. The manipulation of the argument id leads to sql inj…
- CVE-2019-25159MEDIUMCVSS 5.5EG 5.52024-02-04
A vulnerability was found in mpedraza2020 Intranet del Monterroso up to 4.50.0. It has been classified as critical. This affects an unknown part of the file config/cargos.php. The manipulation of the argument dni_profe leads to sql injecti…
- CVE-2019-25212MEDIUMCVSS 4.9EG 9.12024-09-11
The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficie…
- CVE-2019-25218MEDIUMCVSS 4.9EG 4.92024-10-19
The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack…
- CVE-2019-25221MEDIUMCVSS 6.5EG 6.52024-12-13
The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient p…
- CVE-2019-25222MEDIUMCVSS 4.9EG 4.92025-03-15
The Thumbnail carousel slider plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara…
- CVE-2019-25223MEDIUMCVSS 4.9EG 4.92025-04-08
The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of suffi…
- CVE-2019-25260HIGHCVSS 8.2EG 8.22026-02-03
OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parame…
- CVE-2019-25298CRITICALCVSS 9.1EG 7.12026-02-06
html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techni…
- CVE-2019-25299HIGHCVSS 7.1EG 7.12026-02-06
RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind S…
- CVE-2019-25300HIGHCVSS 7.1EG 7.12026-02-06
thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques…
- CVE-2019-25303HIGHCVSS 7.1EG 7.12026-02-06
TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injectio…
- CVE-2019-25320MEDIUMCVSS 6.5EG 6.52026-02-12
E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific…
- CVE-2019-25325HIGHCVSS 8.2EG 8.22026-02-12
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code …
- CVE-2019-25335HIGHCVSS 7.5EG 7.52026-02-12
PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthor…
- CVE-2019-25346HIGHCVSS 7.5EG 7.12026-02-12
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database recor…
- CVE-2019-25347HIGHCVSS 7.5EG 7.12026-02-12
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthoriz…
- CVE-2019-25366HIGHCVSS 8.2EG 8.22026-02-22
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.…
- CVE-2019-25391HIGHCVSS 8.2EG 8.22026-02-22
Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.…
- CVE-2019-25431HIGHCVSS 8.2EG 8.22026-02-20
delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through POST requests to extract sen…
- CVE-2019-25432HIGHCVSS 7.5EG 7.52026-02-20
Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. Attackers can submit a single quote followed by 'or' in the login form to by…
- CVE-2019-25433HIGHCVSS 8.2EG 8.22026-02-22
XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint wit…
- CVE-2019-25439HIGHCVSS 8.2EG 8.22026-02-22
NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injecti…
- CVE-2019-25440HIGHCVSS 8.2EG 8.22026-02-22
WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with mali…
- CVE-2019-25443HIGHCVSS 8.2EG 8.22026-02-22
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, descriptio…
- CVE-2019-25446HIGHCVSS 8.2EG 8.22026-02-22
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /…
- CVE-2019-25462HIGHCVSS 8.2EG 8.22026-02-22
Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. Attackers can send GET requests to with malicious 'kl…
- CVE-2019-25473HIGHCVSS 7.1EG 7.12026-03-12
Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. Attackers can send POST requests to the monthly_expense_overview endpoi…
- CVE-2019-25479HIGHCVSS 8.2EG 8.22026-03-12
Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. Attackers can send POST requests to the agents/agentlistdetails…
- CVE-2019-25481HIGHCVSS 8.2EG 8.22026-03-12
iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. Attackers can send POST requests to the sea…
- CVE-2019-25486HIGHCVSS 8.2EG 8.22026-03-11
Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →