CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,859 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 118 of 378
- CVE-2020-22174HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\book-appointment.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22175HIGHCVSS 7.5EG 7.52021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\admin\betweendates-detailsreports.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
- CVE-2020-22198CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php.
- CVE-2020-22199CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection vulnerability in phpCMS 2007 SP6 build 0805 via the digg_mod parameter to digg_add.php.
- CVE-2020-22203CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in phpCMS 2008 sp4 via the genre parameter to yp/job.php.
- CVE-2020-22204CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in ECShop 2.7.6 via the goods_number parameter to flow.php. .
- CVE-2020-22205CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in ECShop 3.0 via the id parameter to admin/shophelp.php.
- CVE-2020-22206CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in ECShop 3.0 via the aid parameter to admin/affiliate_ck.php.
- CVE-2020-22208CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php.
- CVE-2020-22209CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.
- CVE-2020-22210CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
- CVE-2020-22211CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php.
- CVE-2020-22212CRITICALCVSS 9.8EG 9.82021-06-16
SQL Injection in 74cms 3.2.0 via the id parameter to wap/wap-company-show.php.
- CVE-2020-22223CRITICALCVSS 9.8EG 9.82021-11-05
Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoad function.
- CVE-2020-22225CRITICALCVSS 9.8EG 9.82021-11-05
Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoadForm function.
- CVE-2020-22226CRITICALCVSS 9.8EG 9.82021-11-05
Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionSetAmount function.
- CVE-2020-22425HIGHCVSS 8.8EG 8.82021-02-15
Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, where an authorized user is able to inject additional SQL queries to perform remote command execution.
- CVE-2020-22452CRITICALCVSS 9.8EG 9.82023-01-26
SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.
- CVE-2020-22669CRITICALCVSS 9.8EG 9.82022-09-02
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implemen…
- CVE-2020-22781HIGHCVSS 7.5EG 7.52021-04-28
In Etherpad < 1.8.3, a specially crafted URI would raise an unhandled exception in the cache mechanism and cause a denial of service (crash the instance).
- CVE-2020-22807CRITICALCVSS 9.8EG 9.82021-04-29
An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature.
- CVE-2020-22818CRITICALCVSS 9.8EG 9.82022-11-03
MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.
- CVE-2020-22819CRITICALCVSS 9.8EG 9.82022-11-03
MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter.
- CVE-2020-22820CRITICALCVSS 9.8EG 9.82022-11-03
MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter.
- CVE-2020-23045HIGHCVSS 7.2EG 7.22021-10-22
Macrob7 Macs Framework Content Management System - 1.14f was discovered to contain a SQL injection vulnerability via the 'roleId' parameter of the `editRole` and `deletUser` modules.
- CVE-2020-23149HIGHCVSS 7.5EG 7.52021-08-09
The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and access sensitive database information.
- CVE-2020-23150HIGHCVSS 7.5EG 7.52021-08-09
A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a crafted GET request to install/lib/ajaxHandlers/ajaxDbInstall.php.
- CVE-2020-23262CRITICALCVSS 9.8EG 9.82021-01-26
An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do.
- CVE-2020-23282HIGHCVSS 7.5EG 7.52021-07-21
SQL injection in Logon Page in MV's mConnect application, v02.001.00, allows an attacker to use a non existing user with a generic password to connect to the application and get access to unauthorized information.
- CVE-2020-23630HIGHCVSS 8.8EG 8.82021-01-11
A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection).
- CVE-2020-23685CRITICALCVSS 9.8EG 9.82021-11-02
SQL Injection vulnerability in 188Jianzhan v2.1.0, allows attackers to execute arbitrary code and gain escalated privileges, via the username parameter to login.php.
- CVE-2020-23711CRITICALCVSS 9.8EG 9.82021-06-28
SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php.
- CVE-2020-23763CRITICALCVSS 9.8EG 9.82021-04-09
SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
- CVE-2020-23833CRITICALCVSS 9.8EG 9.82020-09-15
Projectworlds House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability, allowing remote attackers to execute arbitrary code on the hosting webserver via a malicious index.php POST request.
- CVE-2020-23935CRITICALCVSS 9.8EG 9.82020-08-20
Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
- CVE-2020-23936CRITICALCVSS 9.8EG 9.82020-08-20
PHPGurukul Vehicle Parking Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
- CVE-2020-23945HIGHCVSS 7.5EG 7.52020-10-27
A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database.
- CVE-2020-23966CRITICALCVSS 9.8EG 9.82023-05-08
SQL Injection vulnerability in victor cms 1.0 allows attackers to execute arbitrary commands via the post parameter to /post.php in a crafted GET request.
- CVE-2020-23973CRITICALCVSS 9.8EG 9.82020-08-27
KandNconcepts Club CMS 1.1 and 1.2 has SQL Injection via the 'team.php,player.php,club.php' id parameter.
- CVE-2020-23976CRITICALCVSS 9.8EG 9.82020-08-27
Webexcels Ecommerce CMS 2.x, 2017, 2018, 2019, 2020 has SQL Injection via the 'content.php' id parameter.
- CVE-2020-23978CRITICALCVSS 9.8EG 9.82020-08-27
SQL injection can occur in Soluzione Globale Ecommerce CMS v1 via the parameter " offerta.php"
- CVE-2020-23979CRITICALCVSS 9.8EG 9.82020-08-27
13enforme CMS 1.0 has SQL Injection via the 'content.php' id parameter.
- CVE-2020-23980CRITICALCVSS 9.8EG 9.82020-08-27
DesignMasterEvents Conference management 1.0.0 allows SQL Injection via the username field on the administrator login page.
- CVE-2020-24000CRITICALCVSS 9.8EG 9.82021-11-03
SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sensitive information, via the tid parameter to index.php.
- CVE-2020-24193CRITICALCVSS 9.8EG 9.82020-09-03
A SQL injection vulnerability in login in Sourcecodetester Daily Tracker System 1.0 allows unauthenticated user to execute authentication bypass with SQL injection via the email parameter.
- CVE-2020-24197CRITICALCVSS 9.8EG 9.82020-09-09
A SQL injection vulnerability in the login component in Stock Management System v1.0 allows remote attacker to execute arbitrary SQL commands via the username parameter.
- CVE-2020-24208CRITICALCVSS 9.8EG 9.82020-08-17
A SQL injection vulnerability in SourceCodester Online Shopping Alphaware 1.0 allows remote unauthenticated attackers to bypass the authentication process via email and password parameters.
- CVE-2020-24315HIGHCVSS 7.5EG 7.52020-08-26
Vinoj Cardoza WordPress Poll Plugin v36 and lower executes SQL statement passed in via the pollid POST parameter due to a lack of user input escaping. This allows users who craft specific SQL statements to dump the entire targets database.
- CVE-2020-24400HIGHCVSS 7.1EG 7.12020-11-09
Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the produ…
- CVE-2020-24568MEDIUMCVSS 6.5EG 6.52020-10-02
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →