CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,861 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 131 of 378
- CVE-2021-26201CRITICALCVSS 9.8EG 9.82021-02-15
The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass. An attacker can obtain access to the admin panel by injecting a SQL query in the username field of the login page.
- CVE-2021-26223CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_pay.php.
- CVE-2021-26226CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_user.php.
- CVE-2021-26228CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php.
- CVE-2021-26229CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_stud.php.
- CVE-2021-26231CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Fantastic Blog CMS v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to category.php.
- CVE-2021-26232CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in SourceCodester Simple College Website v 1.0 allows remote attackers to execute arbitrary SQL statements via the id parameter to news.php.
- CVE-2021-26578HIGHCVSS 7.5EG 7.52021-03-22
A potential security vulnerability has been identified in HPE Network Orchestrator (NetO) version(s): Prior to 2.5. The vulnerability could be remotely exploited with SQL injection.
- CVE-2021-26599CRITICALCVSS 9.8EG 9.82022-03-28
ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
- CVE-2021-26609HIGHCVSS 7.5EG 7.52021-10-26
A vulnerability was found in Mangboard(WordPress plugin). A SQL-Injection vulnerability was found in order_type parameter. The order_type parameter makes a SQL query using unfiltered data. This vulnerability allows a remote attacker to ste…
- CVE-2021-26633HIGHCVSS 7.5EG 9.82022-06-02
SQL injection and Local File Inclusion (LFI) vulnerabilities in MaxBoard can cause information leakage and privilege escalation. This vulnerabilities can be exploited by manipulating a variable with a desired value and inserting and arbitr…
- CVE-2021-26634CRITICALCVSS 9.8EG 9.82022-06-02
SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of files compromising Maxboard, which may lead to arbitrary code execution or privilege escalation. Attacker…
- CVE-2021-26636HIGHCVSS 8.8EG 9.62022-06-23
Stored XSS and SQL injection vulnerability in MaxBoard could lead to occur Remote Code Execution, which could lead to information exposure and privilege escalation.
- CVE-2021-26644HIGHCVSS 8.8EG 9.82023-01-20
SQL-Injection vulnerability caused by the lack of verification of input values for the table name of DB used by the Mangboard bulletin board. A remote attacker can use this vulnerability to execute arbitrary code on the server where the bu…
- CVE-2021-26685MEDIUMCVSS 6.5EG 6.52021-02-23
A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an a…
- CVE-2021-26686MEDIUMCVSS 6.5EG 6.52021-02-23
A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an a…
- CVE-2021-26739CRITICALCVSS 9.8EG 9.82021-11-01
SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows attackers to execute arbitrary code, via the attribute parameter.
- CVE-2021-26751HIGHCVSS 8.8EG 8.82021-02-12
NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and…
- CVE-2021-26754CRITICALCVSS 9.8EG 9.82021-02-08
wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection.
- CVE-2021-26762HIGHCVSS 8.8EG 8.82021-07-22
SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the cid parameter to edit-course.php.
- CVE-2021-26764HIGHCVSS 8.8EG 8.82021-07-22
SQL injection vulnerability in PHPGurukul Student Record System v 4.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit-std.php.
- CVE-2021-26765CRITICALCVSS 9.8EG 9.82021-07-22
SQL injection vulnerability in PHPGurukul Student Record System 4.0 allows remote attackers to execute arbitrary SQL statements, via the sid parameter to edit-sub.php.
- CVE-2021-26795HIGHCVSS 8.8EG 8.82021-11-14
A SQL Injection vulnerability in /appliance/shiftmgn.php in TalariaX sendQuick Alert Plus Server Admin 4.3 before 8HF11 allows attackers to obtain sensitive information via a Roster Time to Roster Management.
- CVE-2021-26822CRITICALCVSS 9.8EG 9.82021-02-15
Teachers Record Management System 1.0 is affected by a SQL injection vulnerability in 'searchteacher' POST parameter in search-teacher.php. This vulnerability can be exploited by a remote unauthenticated attacker to leak sensitive informat…
- CVE-2021-26830CRITICALCVSS 9.1EG 9.12021-04-16
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.
- CVE-2021-26837CRITICALCVSS 9.8EG 9.82023-09-19
SQL Injection vulnerability in SearchTextBox parameter in Fortra (Formerly HelpSystems) DeliverNow before version 1.2.18, allows attackers to execute arbitrary code, escalate privileges, and gain sensitive information.
- CVE-2021-26904CRITICALCVSS 9.8EG 9.82021-02-26
LMA ISIDA Retriever 5.2 allows SQL Injection.
- CVE-2021-26935HIGHCVSS 7.5EG 7.52021-03-18
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter.
- CVE-2021-26965MEDIUMCVSS 6.5EG 6.52021-03-05
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQ…
- CVE-2021-26966MEDIUMCVSS 6.5EG 6.52021-03-05
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQ…
- CVE-2021-27021HIGHCVSS 8.8EG 8.82021-07-20
A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query.
- CVE-2021-27101CRITICALCVSS 9.8EG 9.8⚠ KEV2021-02-16
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
- CVE-2021-27124MEDIUMCVSS 6.5EG 6.52021-02-18
SQL injection in the expertise parameter in search_result.php in Doctor Appointment System v1.0 allows an authenticated patient user to dump the database credentials via a SQL injection attack.
- CVE-2021-27130CRITICALCVSS 9.8EG 9.82021-04-14
Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload.
- CVE-2021-27234CRITICALCVSS 9.8EG 9.82021-02-16
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. The web application suffers from SQL injection on Adminlog.asp, Archivemsgs.asp, Deletelog.asp, Eventlog.asp, and Evmlog.asp.
- CVE-2021-27314CRITICALCVSS 9.8EG 9.82021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
- CVE-2021-27315HIGHCVSS 7.5EG 7.52021-03-24
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.
- CVE-2021-27316HIGHCVSS 7.5EG 7.52021-03-24
Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter.
- CVE-2021-27319HIGHCVSS 7.5EG 7.52021-03-24
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.
- CVE-2021-27320HIGHCVSS 7.5EG 7.52021-03-24
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.
- CVE-2021-27464CRITICALCVSS 10.0EG 9.82022-03-23
The ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL stat…
- CVE-2021-27468CRITICALCVSS 10.0EG 9.82022-03-23
The AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statemen…
- CVE-2021-27472CRITICALCVSS 10.0EG 9.82022-03-23
A vulnerability exists in the RunSearch function of SearchService service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier, which may allow for the execution of remote unauthenticated arbitrary SQL statements.
- CVE-2021-27545MEDIUMCVSS 6.5EG 6.52021-04-15
SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter.
- CVE-2021-27581CRITICALCVSS 9.8EG 9.82021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
- CVE-2021-27644HIGHCVSS 8.8EG 8.82021-11-01
In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)
- CVE-2021-27672MEDIUMCVSS 4.9EG 4.92021-04-15
SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML com…
- CVE-2021-27828CRITICALCVSS 9.1EG 9.12021-06-01
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
- CVE-2021-27890HIGHCVSS 8.8EG 8.82021-03-15
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.
- CVE-2021-27946HIGHCVSS 8.8EG 8.82021-03-15
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →