CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 115 of 378
- CVE-2020-15617HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15618HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15619HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15620HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15621HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15622HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15624HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15625HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15626HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15627HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15628HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
- CVE-2020-15713HIGHCVSS 8.8EG 8.82020-07-28
rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php script using the sortBy parameter, which could allow the attacker to view, add, modify, or delete informatio…
- CVE-2020-15714HIGHCVSS 8.8EG 8.82020-07-28
rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.crud.php script using the custom_Location parameter, which could allow the attacker to view, add, modify, or del…
- CVE-2020-15792MEDIUMCVSS 4.3EG 4.32020-10-15
A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a …
- CVE-2020-15849HIGHCVSS 7.2EG 7.22020-09-30
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover s…
- CVE-2020-15873MEDIUMCVSS 6.5EG 6.52020-07-21
In LibreNMS before 1.65.1, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.
- CVE-2020-15884HIGHCVSS 8.8EG 8.82020-07-23
A SQL injection vulnerability in TableQuery.php in MunkiReport before 5.6.3 allows attackers to execute arbitrary SQL commands via the order[0][dir] field on POST requests to /datatables/data.
- CVE-2020-15886HIGHCVSS 8.8EG 8.82020-07-23
A SQL injection vulnerability in reportdata_controller.php in the reportdata module before 3.5 for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.
- CVE-2020-15887HIGHCVSS 8.8EG 8.82020-07-23
A SQL injection vulnerability in softwareupdate_controller.php in the Software Update module before 1.6 for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_dat…
- CVE-2020-15924HIGHCVSS 7.5EG 7.52020-07-24
There is a SQL Injection in Mida eFramework through 2.9.0 that leads to Information Disclosure. No authentication is required. The injection point resides in one of the authentication parameters.
- CVE-2020-15925HIGHCVSS 8.8EG 8.82020-08-13
A SQL injection vulnerability at a tpf URI in Loway QueueMetrics before 19.10.21 allows remote authenticated attackers to execute arbitrary SQL commands via the TPF_XPAR1 parameter.
- CVE-2020-15927HIGHCVSS 8.8EG 8.82020-10-06
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.
- CVE-2020-15947HIGHCVSS 8.8EG 8.82020-08-13
A SQL injection vulnerability in the qm_adm/qm_export_stats_run.do endpoint of Loway QueueMetrics before 19.10.21 allows remote authenticated users to execute arbitrary SQL commands via the exportId parameter.
- CVE-2020-16104HIGHCVSS 8.2EG 8.22020-12-14
SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to …
- CVE-2020-16165CRITICALCVSS 9.8EG 9.82020-07-30
The DAO/DTO implementation in SpringBlade through 2.7.1 allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters.
- CVE-2020-16267HIGHCVSS 8.8EG 8.82020-10-06
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.
- CVE-2020-16276HIGHCVSS 8.8EG 8.82020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
- CVE-2020-16277HIGHCVSS 8.8EG 8.82020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
- CVE-2020-16629CRITICALCVSS 9.8EG 9.82021-02-08
PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path.
- CVE-2020-17373MEDIUMCVSS 5.3EG 5.32020-08-12
SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.
- CVE-2020-17463CRITICALCVSS 9.8EG 9.8⚠ KEV2020-08-13
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
- CVE-2020-17506CRITICALCVSS 9.8EG 9.82020-08-12
Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
- CVE-2020-18013CRITICALCVSS 9.8EG 9.82021-07-30
SQL Injextion vulnerability exists in Whatsns 4.0 via the ip parameter in index.php?admin_banned/add.htm.
- CVE-2020-18019HIGHCVSS 7.5EG 7.52021-04-28
SQL Injection in Xinhu OA System v1.8.3 allows remote attackers to obtain sensitive information by injecting arbitrary commands into the "typeid" variable of the "createfolderAjax" function in the "mode_worcAction.php" component.
- CVE-2020-18020CRITICALCVSS 9.8EG 9.82021-04-28
SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component.
- CVE-2020-18081HIGHCVSS 7.5EG 7.52021-12-17
The checkuser function of SEMCMS 3.8 was discovered to contain a vulnerability which allows attackers to obtain the password in plaintext through a SQL query.
- CVE-2020-18106CRITICALCVSS 9.8EG 9.82021-08-27
The GET parameter "id" in WMS v1.0 is passed without filtering, which allows attackers to perform SQL injection.
- CVE-2020-18116HIGHCVSS 8.8EG 8.82021-08-27
A lack of filtering for searched keywords in the search bar of YouDianCMS 8.0 allows attackers to perform SQL injection.
- CVE-2020-18144CRITICALCVSS 9.8EG 9.82021-07-14
SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php.
- CVE-2020-18155CRITICALCVSS 9.8EG 9.82021-07-14
SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection.
- CVE-2020-18164CRITICALCVSS 9.8EG 9.82021-08-17
SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter.
- CVE-2020-18175CRITICALCVSS 9.8EG 9.82021-07-30
SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.
- CVE-2020-18215HIGHCVSS 8.8EG 8.82021-02-09
Multiple SQL Injection vulnerabilities in PHPSHE 1.7 in phpshe/admin.php via the (1) ad_id, (2) menu_id, and (3) cashout_id parameters, which could let a remote malicious user execute arbitrary code.
- CVE-2020-18243MEDIUMCVSS 6.5EG 6.52025-04-15
SQL injection vulnerability found in Enricozab CMS v.1.0 allows a remote attacker to execute arbitrary code via /hdo/hdo-view-case.php.
- CVE-2020-18262CRITICALCVSS 9.8EG 9.82021-11-03
ED01-CMS v1.0 was discovered to contain a SQL injection in the component cposts.php via the cid parameter.
- CVE-2020-18263HIGHCVSS 7.5EG 7.52021-11-03
PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability in the component search.php via the search parameter. This vulnerability allows attackers to access sensitive database information.
- CVE-2020-18476HIGHCVSS 8.8EG 8.82021-08-26
SQL Injection vulnerability in Hucart CMS 5.7.4 via the basic information field found in the avatar usd_image field.
- CVE-2020-18477HIGHCVSS 8.8EG 8.82021-08-26
SQL Injection vulnerability in Hucart CMS 5.7.4 via the purchase enquiry field found in the Message con_content field.
- CVE-2020-18544CRITICALCVSS 9.8EG 9.82021-07-12
SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the "username" parameter in the component "chkuser.php".
- CVE-2020-18662CRITICALCVSS 9.8EG 9.82021-06-24
SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →