CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,860 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 122 of 378
- CVE-2020-35244CRITICALCVSS 9.8EG 9.82020-12-26
Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup.
- CVE-2020-35245CRITICALCVSS 9.8EG 9.82020-12-26
Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser.
- CVE-2020-35263CRITICALCVSS 9.8EG 9.82021-01-26
EgavilanMedia User Registration & Login System 1.0 is affected by SQL injection to the admin panel, which may allow arbitrary code execution.
- CVE-2020-35270CRITICALCVSS 9.1EG 9.12021-01-26
Student Result Management System In PHP With Source Code is affected by SQL injection. An attacker can able to access of Admin Panel and manage every account of Result.
- CVE-2020-35276CRITICALCVSS 9.8EG 9.82020-12-21
EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user.
- CVE-2020-35326CRITICALCVSS 9.8EG 9.82023-01-18
SQL Injection vulnerability in file /inxedu/demo_inxedu_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml in inxedu 2.0.6 via the id value.
- CVE-2020-35327MEDIUMCVSS 6.5EG 6.52021-03-04
SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php
- CVE-2020-35329MEDIUMCVSS 6.5EG 6.52021-03-04
Courier Management System 1.0 1.0 is affected by SQL Injection via 'MULTIPART street '.
- CVE-2020-35337CRITICALCVSS 9.8EG 9.82021-03-24
ThinkSAAS before 3.38 contains a SQL injection vulnerability through app/topic/action/admin/topic.php via the title parameter, which allows remote attackers to execute arbitrary SQL commands.
- CVE-2020-35378CRITICALCVSS 9.8EG 9.82020-12-14
SQL Injection in the login page in Online Bus Ticket Reservation 1.0 allows attackers to execute arbitrary SQL commands and bypass authentication via the username and password fields.
- CVE-2020-35382HIGHCVSS 7.2EG 7.22020-12-14
SQL Injection in Classbooking before 2.4.1 via the username field of a CSV file when adding a new user.
- CVE-2020-35427CRITICALCVSS 9.8EG 9.82021-07-20
SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
- CVE-2020-35430CRITICALCVSS 9.8EG 9.82021-04-29
SQL Injection in com/inxedu/OS/edu/controller/letter/AdminMsgSystemController in Inxedu v2.0.6 via the ids parameter to admin/letter/delsystem.
- CVE-2020-35441CRITICALCVSS 9.8EG 9.82021-06-02
FDCMS (aka Fangfa Content Management System) 4.0 contains a front-end SQL injection via Admin/Lib/Action/FloginAction.class.php.
- CVE-2020-35545CRITICALCVSS 9.8EG 9.82020-12-17
Time-based SQL injection exists in Spotweb 1.4.9 via the query string.
- CVE-2020-35597HIGHCVSS 8.8EG 8.82022-06-16
Victor CMS 1.0 is vulnerable to SQL injection via c_id parameter of admin_edit_comment.php, p_id parameter of admin_edit_post.php, u_id parameter of admin_edit_user.php, and edit parameter of admin_update_categories.php.
- CVE-2020-35613CRITICALCVSS 9.8EG 9.82020-12-28
An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
- CVE-2020-35666HIGHCVSS 8.8EG 8.82020-12-23
Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[…
- CVE-2020-35674CRITICALCVSS 9.8EG 9.82022-09-29
BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is abl…
- CVE-2020-35700HIGHCVSS 8.8EG 8.82021-02-08
A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter ag…
- CVE-2020-35701HIGHCVSS 8.8EG 8.82021-01-11
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code executio…
- CVE-2020-35708HIGHCVSS 7.2EG 7.22020-12-25
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
- CVE-2020-35742HIGHCVSS 7.0EG 7.02020-12-31
HGiga MailSherlock contains a vulnerability of SQL Injection. Attackers can inject and launch SQL commands in a URL parameter.
- CVE-2020-35743HIGHCVSS 7.0EG 7.02020-12-31
HGiga MailSherlock contains a SQL injection flaw. Attackers can inject and launch SQL commands in a URL parameter of specific cgi pages.
- CVE-2020-35765HIGHCVSS 8.8EG 8.82021-02-05
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
- CVE-2020-35846CRITICALCVSS 9.8EG 9.82020-12-30
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
- CVE-2020-35847CRITICALCVSS 9.8EG 9.82020-12-30
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.
- CVE-2020-35848CRITICALCVSS 9.8EG 9.82020-12-30
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.
- CVE-2020-36002HIGHCVSS 7.5EG 7.52021-02-17
Seat-Reservation-System 1.0 has a SQL injection vulnerability in index.php in the id parameter where attackers can obtain sensitive database information.
- CVE-2020-36003HIGHCVSS 7.5EG 7.52021-02-17
The id parameter in detail.php of Online Book Store v1.0 is vulnerable to union-based blind SQL injection, which leads to the ability to retrieve all databases.
- CVE-2020-36004MEDIUMCVSS 6.5EG 6.52021-06-03
AppCMS 2.0.101 in /admin/download_frame.php has a SQL injection vulnerability which allows attackers to obtain sensitive database information.
- CVE-2020-36033CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php.
- CVE-2020-36034CRITICALCVSS 9.8EG 9.82023-08-11
SQL Injection vulnerability in oretnom23 School Faculty Scheduling System version 1.0, allows remote attacker to execute arbitrary code, escalate privilieges, and gain sensitive information via crafted payload to id parameter in manage_use…
- CVE-2020-36071HIGHCVSS 8.8EG 8.82023-04-06
SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page.
- CVE-2020-36072HIGHCVSS 8.8EG 8.82023-04-06
SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the id parameter.
- CVE-2020-36073HIGHCVSS 8.8EG 8.82023-04-06
SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the detail parameter of the document.php page.
- CVE-2020-36074HIGHCVSS 8.8EG 8.82023-04-06
SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the title parameter.
- CVE-2020-36077HIGHCVSS 8.8EG 8.82023-04-10
SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the customer parameter of the orderadd.php file
- CVE-2020-36084CRITICALCVSS 9.8EG 9.82025-02-05
SQL Injection vulnerability in SourceCodester Responsive E-Learning System 1.0 allows remote attackers to inject sql query in /elearning/delete_teacher_students.php?id= parameter via id field.
- CVE-2020-36112CRITICALCVSS 9.8EG 9.82021-01-04
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacke…
- CVE-2020-36136HIGHCVSS 7.5EG 7.52023-08-11
SQL Injection vulnerability in cskaza cszcms version 1.2.9, allows attackers to gain sensitive information via pm_sendmail parameter in csz_model.php.
- CVE-2020-36195CRITICALCVSS 9.8EG 9.82021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed…
- CVE-2020-36530MEDIUMCVSS 6.3EG 8.82022-06-07
A vulnerability classified as critical was found in SevOne Network Management System up to 5.7.2.22. This vulnerability affects the Alert Summary. The manipulation leads to sql injection. The attack can be initiated remotely.
- CVE-2020-36535MEDIUMCVSS 6.3EG 8.82022-06-07
A vulnerability classified as critical has been found in MINMAX. This affects an unknown part of the file /newsDia.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely.
- CVE-2020-36536MEDIUMCVSS 6.3EG 8.82022-06-07
A vulnerability was found in Brandbugle. It has been rated as critical. Affected by this issue is some unknown functionality of the file /main.php. The manipulation leads to sql injection. The attack may be launched remotely.
- CVE-2020-36537MEDIUMCVSS 6.3EG 8.82022-06-07
A vulnerability was found in Everywhere CMS. It has been classified as critical. Affected is an unknown function. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely.
- CVE-2020-36538MEDIUMCVSS 6.3EG 8.82022-06-07
A vulnerability was found in Eatan CMS. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection. The attack can be launched remotely.
- CVE-2020-36539MEDIUMCVSS 6.3EG 9.82022-06-07
A vulnerability was found in Lógico y Creativo 1.0 and classified as critical. This issue affects some unknown processing. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely.
- CVE-2020-36540MEDIUMCVSS 6.3EG 9.82022-06-07
A vulnerability, which was classified as critical, was found in Neetai Tech. Affected is an unknown function of the file /product.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has b…
- CVE-2020-36541HIGHCVSS 7.3EG 9.82022-06-07
A vulnerability was found in Demokratian. It has been rated as critical. Affected by this issue is some unknown functionality of the file basicos_php/genera_select.php. The manipulation of the argument id_provincia with the input -1%20unio…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →