CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,859 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 117 of 378
- CVE-2020-20625HIGHCVSS 7.5EG 7.52020-08-31
Sliced Invoices plugin for WordPress 3.8.2 and earlier allows unauthenticated information disclosure and authenticated SQL injection via core/class-sliced.php.
- CVE-2020-20636HIGHCVSS 7.5EG 7.52023-06-20
SQL injection vulnerability found in Joyplus-cms v.1.6.0 allows a remote attacker to access sensitive information via the id parameter of the goodbad() function.
- CVE-2020-20675CRITICALCVSS 9.8EG 9.82021-08-26
Nuishop v2.3 contains a SQL injection vulnerability in /goods/getGoodsListByConditions/.
- CVE-2020-20692HIGHCVSS 7.2EG 7.22021-09-27
GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.
- CVE-2020-20796CRITICALCVSS 9.8EG 9.82021-09-30
FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.
- CVE-2020-20797CRITICALCVSS 9.8EG 9.82021-09-30
FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.
- CVE-2020-20800CRITICALCVSS 9.8EG 9.82020-09-30
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the install/index.php?action=adminsetup&cndata=yes&endata=yes&showdata=yes URI.
- CVE-2020-20913CRITICALCVSS 9.8EG 9.82023-04-04
SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.
- CVE-2020-20914CRITICALCVSS 9.8EG 9.82023-04-04
SQL Injection vulnerability found in San Luan PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter.
- CVE-2020-20915CRITICALCVSS 9.8EG 9.82023-04-04
SQL Injection vulnerability found in PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via sql parameter of the the SysSiteAdminControl.
- CVE-2020-20975CRITICALCVSS 9.8EG 9.82021-08-12
In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter.
- CVE-2020-20981HIGHCVSS 7.5EG 7.52021-08-12
A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information.
- CVE-2020-21012CRITICALCVSS 9.8EG 9.82021-10-01
Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Roo…
- CVE-2020-21013HIGHCVSS 7.2EG 7.22021-10-01
emlog v6.0.0 contains a SQL injection via /admin/comment.php.
- CVE-2020-21060HIGHCVSS 8.8EG 8.82023-04-04
SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page.
- CVE-2020-21119CRITICALCVSS 9.8EG 9.82023-02-15
SQL Injection vulnerability in Kliqqi-CMS 2.0.2 in admin/admin_update_module_widgets.php in recordIDValue parameter, allows attackers to gain escalated privileges and execute arbitrary code.
- CVE-2020-21120CRITICALCVSS 9.8EG 9.82023-02-15
SQL Injection vulnerability in file home\controls\cart.class.php in UQCMS 2.1.3, allows attackers execute arbitrary commands via the cookie_cart parameter to /index.php/cart/num.
- CVE-2020-21121CRITICALCVSS 9.8EG 9.82021-09-15
Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file.
- CVE-2020-21127CRITICALCVSS 9.8EG 9.82021-09-15
MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel.
- CVE-2020-21131HIGHCVSS 7.2EG 7.22021-07-12
SQL Injection vulnerability in MetInfo 7.0.0beta via admin/?n=language&c=language_web&a=doAddLanguage.
- CVE-2020-21132CRITICALCVSS 9.8EG 9.82021-07-12
SQL Injection vulnerability in Metinfo 7.0.0beta in index.php.
- CVE-2020-21133CRITICALCVSS 9.8EG 9.82021-07-12
SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid.
- CVE-2020-21152CRITICALCVSS 9.8EG 9.82023-01-20
SQL Injection vulnerability in inxedu 2.0.6 allows attackers to execute arbitrary commands via the functionIds parameter to /saverolefunction.
- CVE-2020-21176CRITICALCVSS 9.8EG 9.82021-02-01
SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter.
- CVE-2020-21179CRITICALCVSS 9.8EG 9.82021-02-01
Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signin page.
- CVE-2020-21180CRITICALCVSS 9.8EG 9.82021-02-01
Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signup page.
- CVE-2020-21250CRITICALCVSS 9.8EG 9.82021-10-27
CSZ CMS v1.2.4 was discovered to contain an arbitrary file upload vulnerability in the component /core/MY_Security.php.
- CVE-2020-21377CRITICALCVSS 9.8EG 9.82020-12-21
SQL injection vulnerability in yunyecms V2.0.1 via the selcart parameter.
- CVE-2020-21378CRITICALCVSS 9.8EG 9.82020-12-21
SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php.
- CVE-2020-21394HIGHCVSS 8.8EG 8.82021-06-29
SQL Injection vulnerability in Zhong Bang Technology Co., Ltd CRMEB mall system V2.60 and V3.1 via the tablename parameter in SystemDatabackup.php.
- CVE-2020-21400HIGHCVSS 7.2EG 7.22023-06-20
SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function.
- CVE-2020-21486HIGHCVSS 7.5EG 7.52023-06-20
SQL injection vulnerability in PHPOK v.5.4. allows a remote attacker to obtain sensitive information via the _userlist function in framerwork/phpok_call.php file.
- CVE-2020-21662CRITICALCVSS 9.8EG 9.82023-07-31
SQL injection vulnerability in yunyecms 2.0.2 allows remote attackers to run arbitrary SQL commands via XFF.
- CVE-2020-21665HIGHCVSS 7.2EG 7.22020-11-17
In fastadmin V1.0.0.20191212_beta, when a user with administrator rights has logged in, a malicious parameter can be passed for SQL injection in URL /admin/ajax/weigh.
- CVE-2020-21667HIGHCVSS 7.2EG 7.22020-11-13
In fastadmin-tp6 v1.0, in the file app/admin/controller/Ajax.php the 'table' parameter passed is not filtered so a malicious parameter can be passed for SQL injection.
- CVE-2020-21725CRITICALCVSS 9.8EG 9.82021-10-07
OpenSNS v6.1.0 contains a blind SQL injection vulnerability in /Controller/ChinaCityController.class.php via the pid parameter.
- CVE-2020-21726CRITICALCVSS 9.8EG 9.82021-10-07
OpenSNS v6.1.0 contains a blind SQL injection vulnerability in /Controller/ChinaCityController.class.php via the cid parameter.
- CVE-2020-21806CRITICALCVSS 9.8EG 9.82021-07-30
SQL Injection Vulnerability in ECTouch v2 via the shop page in index.php..
- CVE-2020-21808CRITICALCVSS 9.8EG 9.82021-07-30
SQL Injection vulnerability in NukeViet CMS 4.0.10 - 4.3.07 via:the topicsid parameter in modules/news/admin/addtotopics.php.
- CVE-2020-21809CRITICALCVSS 9.8EG 9.82021-07-30
SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php.
- CVE-2020-22122HIGHCVSS 7.5EG 7.52021-08-18
A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request.
- CVE-2020-22164HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\check_availability.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22165HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22166HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\forgot-password.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22168HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\change-emaild.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22169HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\appointment-history.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22170HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22171HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\registration.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22172HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22173HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\edit-profile.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →