CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 116 of 378
- CVE-2020-18667CRITICALCVSS 9.8EG 9.82021-06-24
SQL Injection vulnerability in WebPort <=1.19.1 via the new connection, parameter name in type-conn.
- CVE-2020-18713CRITICALCVSS 9.8EG 9.82021-02-05
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php
- CVE-2020-18714CRITICALCVSS 9.8EG 9.82021-02-05
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function.
- CVE-2020-18716CRITICALCVSS 9.8EG 9.82021-02-05
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php.
- CVE-2020-18717CRITICALCVSS 9.8EG 9.82021-02-05
SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php.
- CVE-2020-18746HIGHCVSS 7.2EG 7.22021-08-18
SQL Injection in AiteCMS v1.0 allows remote attackers to execute arbitrary code via the component "aitecms/login/diy_list.php".
- CVE-2020-18877HIGHCVSS 7.5EG 7.52021-08-20
SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'.
- CVE-2020-18913HIGHCVSS 7.5EG 7.52021-08-24
EARCLINK ESPCMS-P8 was discovered to contain a SQL injection vulnerability in the espcms_web/Search.php component via the attr_array parameter. This vulnerability allows attackers to access sensitive database information.
- CVE-2020-19107CRITICALCVSS 9.8EG 9.82021-05-06
SQL Injection vulnerability in Online Book Store v1.0 via the isbn parameter to edit_book.php, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19108CRITICALCVSS 9.8EG 9.82021-05-06
SQL Injection vulnerability in Online Book Store v1.0 via the pubid parameter to bookPerPub.php, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19109CRITICALCVSS 9.8EG 9.82021-05-06
SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to admin_edit.php, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19110CRITICALCVSS 9.8EG 9.82021-05-06
SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to book.php parameter, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19112CRITICALCVSS 9.8EG 9.82021-05-06
SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to admin_delete.php, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19114CRITICALCVSS 9.8EG 9.82021-05-06
SQL Injection vulnerability in Online Book Store v1.0 via the publisher parameter to edit_book.php, which could let a remote malicious user execute arbitrary code.
- CVE-2020-19165CRITICALCVSS 9.8EG 9.82020-12-11
PHPSHE 1.7 has SQL injection via the admin.php?mod=user&userlevel_id=1 userlevel_id[] parameter.
- CVE-2020-19212MEDIUMCVSS 4.9EG 4.92022-05-06
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.
- CVE-2020-19213CRITICALCVSS 9.8EG 9.82022-05-06
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
- CVE-2020-19215HIGHCVSS 8.8EG 8.82022-05-06
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.
- CVE-2020-19216HIGHCVSS 8.8EG 8.82022-05-06
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.
- CVE-2020-19217HIGHCVSS 8.8EG 8.82022-05-06
SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.
- CVE-2020-19248MEDIUMCVSS 5.1EG 5.12025-02-21
SQL Injection vulnerability in PbootCMS 1.4.1 in parsing if statements in templates, resulting in a malicious user's ability to contaminate template content by searching for page contamination URLs, thus triggering vulnerabilities when the…
- CVE-2020-1937HIGHCVSS 8.8EG 8.82020-02-24
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
- CVE-2020-19447HIGHCVSS 7.5EG 7.52020-09-24
SQL injection exists in the jdownloads 3.2.63 component for Joomla! com_jdownloads/models/send.php via the f_marked_files_id parameter.
- CVE-2020-19450HIGHCVSS 7.5EG 7.52020-09-25
SQL injection exists in the jdownloads 3.2.63 component for Joomla! via com_jdownloads/helpers/jdownloadshelper.php, getUserLimits function in the list parameter.
- CVE-2020-19451HIGHCVSS 7.5EG 7.52020-09-25
SQL injection exists in the jdownloads 3.2.63 component for Joomla! via com_jdownloads/helpers/jdownloadshelper.php, updateLog function via the X-forwarded-for Header parameter.
- CVE-2020-19455HIGHCVSS 7.5EG 7.52020-09-25
SQL injection exists in the jdownloads 3.2.63 component for Joomla! via components/com_jdownloads/helpers/categories.php, order function via the filter_order parameter.
- CVE-2020-19705CRITICALCVSS 9.8EG 9.82021-08-26
thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.
- CVE-2020-19821HIGHCVSS 8.8EG 8.82021-08-26
A SQL injection vulnerability in admin.php of DOYOCMS 2.3 allows attackers to execute arbitrary SQL commands via the orders[] parameter.
- CVE-2020-19853CRITICALCVSS 9.8EG 9.82021-09-08
BlueCMS v1.6 contains a SQL injection vulnerability via /ad_js.php.
- CVE-2020-19957HIGHCVSS 7.5EG 7.52021-10-14
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.
- CVE-2020-19959HIGHCVSS 7.5EG 7.52021-10-14
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.
- CVE-2020-19960HIGHCVSS 7.5EG 7.52021-10-14
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie.
- CVE-2020-19961HIGHCVSS 7.5EG 7.52021-10-14
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.
- CVE-2020-20120CRITICALCVSS 9.8EG 9.82021-09-28
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.
- CVE-2020-20122CRITICALCVSS 9.8EG 9.82021-09-28
Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php.
- CVE-2020-20189CRITICALCVSS 9.8EG 9.82020-12-14
SQL Injection vulnerability in NewPK 1.1 via the title parameter to admin\newpost.php.
- CVE-2020-20289CRITICALCVSS 9.8EG 9.82021-02-01
Sql injection vulnerability in the yccms 3.3 project. The no_top function's improper judgment of the request parameters, triggers a sql injection vulnerability.
- CVE-2020-20294CRITICALCVSS 9.8EG 9.82021-02-01
An issue was found in CMSWing project version 1.3.8. Because the log function does not check the log parameter, malicious parameters can execute arbitrary commands.
- CVE-2020-20295CRITICALCVSS 9.8EG 9.82021-02-01
An issue was found in CMSWing project version 1.3.8. Because the updateAction function does not check the detail parameter, malicious parameters can execute arbitrary SQL commands.
- CVE-2020-20296CRITICALCVSS 9.8EG 9.82021-02-01
An issue was found in CMSWing project version 1.3.8, Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands.
- CVE-2020-20300CRITICALCVSS 9.8EG 9.82020-12-18
SQL injection vulnerability in the wp_where function in WeiPHP 5.0.
- CVE-2020-20340HIGHCVSS 7.5EG 7.52021-09-01
A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information.
- CVE-2020-20392CRITICALCVSS 9.8EG 9.82021-06-23
SQL Injection vulnerability in imcat v5.2 via the fm[auser] parameters in coms/add_coms.php.
- CVE-2020-20413CRITICALCVSS 9.8EG 9.82023-06-20
SQL injection vulnerability found in WUZHICMS v.4.1.0 allows a remote attacker to execute arbitrary code via the checktitle() function in admin/content.php.
- CVE-2020-20469HIGHCVSS 7.5EG 7.52021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log_edit.php files failing to filter the csa_to_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive …
- CVE-2020-20473HIGHCVSS 7.5EG 7.52021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control_task.php, control_project.php, default_user.php files failing to filter the sort parameter. Remote attackers can exploit the vulnera…
- CVE-2020-20474HIGHCVSS 7.5EG 7.52021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the default_task_edituser.php files failing to filter the csa_to_user parameter. Remote attackers can exploit the vulnerability to obtain databa…
- CVE-2020-20491HIGHCVSS 7.2EG 7.22023-06-20
SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.
- CVE-2020-20583HIGHCVSS 7.5EG 7.52021-07-08
A SQL injection vulnerability in /question.php of LJCMS Version v4.3.R60321 allows attackers to obtain sensitive database information.
- CVE-2020-20585HIGHCVSS 7.5EG 7.52021-07-08
A blind SQL injection in /admin/?n=logs&c=index&a=dode of Metinfo 7.0 beta allows attackers to access sensitive database information.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →