CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,862 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 133 of 378
- CVE-2021-31233HIGHCVSS 7.5EG 7.52023-05-31
SQL Injection vulnerability found in Fighting Cock Information System v.1.0 allows a remote attacker to obtain sensitive information via the edit_breed.php parameter.
- CVE-2021-31316CRITICALCVSS 9.8EG 9.82021-05-18
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
- CVE-2021-31586HIGHCVSS 8.8EG 8.82021-06-23
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search.
- CVE-2021-31632CRITICALCVSS 9.8EG 9.82021-12-06
b2evolution CMS v7.2.3 was discovered to contain a SQL injection vulnerability via the parameter cfqueryparam in the User login section. This vulnerability allows attackers to execute arbitrary code via a crafted input.
- CVE-2021-31650CRITICALCVSS 9.8EG 9.82022-12-16
A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.
- CVE-2021-31777MEDIUMCVSS 4.9EG 4.92021-04-28
The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.
- CVE-2021-31818MEDIUMCVSS 4.3EG 4.32021-06-17
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow u…
- CVE-2021-31827HIGHCVSS 8.8EG 8.82021-05-18
In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending o…
- CVE-2021-31849HIGHCVSS 8.4EG 7.22021-11-01
SQL injection vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker logged into ePO as an administrator to inject arbitrary SQL into the ePO database through the user management section…
- CVE-2021-31856CRITICALCVSS 9.8EG 9.82021-04-28
A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persist…
- CVE-2021-31867MEDIUMCVSS 6.5EG 6.52021-08-04
Pimcore Customer Data Framework version 3.0.0 and earlier suffers from a Boolean-based blind SQL injection issue in the $id parameter of the SegmentAssignmentController.php component of the application. This issue was fixed in version 3.0.…
- CVE-2021-31869MEDIUMCVSS 6.5EG 7.52021-08-04
Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application. This issue was fixed in version 6.9.4 of the product.
- CVE-2021-32051HIGHCVSS 7.5EG 7.52021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
- CVE-2021-32099CRITICALCVSS 9.8EG 9.82021-05-07
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login b…
- CVE-2021-32102HIGHCVSS 8.8EG 8.82021-05-07
A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1.
- CVE-2021-32104HIGHCVSS 8.8EG 8.82021-05-07
A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1.
- CVE-2021-3239CRITICALCVSS 9.8EG 9.82021-02-15
E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.
- CVE-2021-3242CRITICALCVSS 9.8EG 9.82022-02-16
DuxCMS v3.1.3 was discovered to contain a SQL injection vulnerability via the component s/tools/SendTpl/index?keyword=.
- CVE-2021-32428CRITICALCVSS 9.8EG 9.82022-07-01
SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author_id parameter to api.php.
- CVE-2021-32441HIGHCVSS 7.5EG 7.52023-02-17
SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.
- CVE-2021-32474HIGHCVSS 7.2EG 7.22022-03-11
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8…
- CVE-2021-32582HIGHCVSS 7.5EG 7.52021-06-17
An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or administrative credentials from …
- CVE-2021-32590CRITICALCVSS 9.9EG 9.92021-08-04
Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privi…
- CVE-2021-32615CRITICALCVSS 9.8EG 9.82021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
- CVE-2021-3262CRITICALCVSS 9.8EG 9.82023-08-29
TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL…
- CVE-2021-3264HIGHCVSS 7.2EG 7.22021-08-27
SQL Injection vulnerability in cxuucms 3.1 ivia the pid parameter in public/admin.php.
- CVE-2021-32704HIGHCVSS 8.5EG 8.52021-06-24
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the /api/trackedEntityIn…
- CVE-2021-3278CRITICALCVSS 9.8EG 9.82021-01-26
Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection . Using this vulnerability, an attacker can bypass the login page.
- CVE-2021-32789HIGHCVSS 7.5EG 9.02021-07-26
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to versio…
- CVE-2021-32790MEDIUMCVSS 4.9EG 4.92021-07-26
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or A…
- CVE-2021-3286CRITICALCVSS 9.8EG 9.82021-01-26
SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545.
- CVE-2021-32932HIGHCVSS 7.5EG 7.52021-06-11
The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182).
- CVE-2021-32953CRITICALCVSS 9.8EG 9.82022-04-01
An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user’s permissions, granting the attacker the ability to login.
- CVE-2021-32957HIGHCVSS 7.5EG 7.52022-04-01
A function in MDT AutoSave versions prior to v6.02.06 is used to retrieve system information for a specific process, and this information collection executes multiple commands and summarizes the information into an XML. This function and s…
- CVE-2021-32983CRITICALCVSS 9.8EG 9.82021-08-30
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the par…
- CVE-2021-33177HIGHCVSS 8.8EG 8.82021-10-14
The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to …
- CVE-2021-33180HIGHCVSS 7.3EG 7.32021-06-01
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vector…
- CVE-2021-33470CRITICALCVSS 9.8EG 9.82021-05-26
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.
- CVE-2021-33578CRITICALCVSS 9.8EG 9.82021-07-13
Echo ShareCare 8.15.5 is susceptible to SQL injection vulnerabilities when processing remote input from both authenticated and unauthenticated users, leading to the ability to bypass authentication, exfiltrate Structured Query Language (SQ…
- CVE-2021-33688MEDIUMCVSS 4.3EG 4.32021-09-14
SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.
- CVE-2021-33701CRITICALCVSS 9.1EG 9.12021-09-15
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly …
- CVE-2021-33729HIGHCVSS 8.8EG 8.82021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker that is able to import firmware containers to an affected system could execute arbitrary commands in the local database.
- CVE-2021-33730HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33731HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33732HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33733HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33734HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33735HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33736HIGHCVSS 7.2EG 7.22021-10-12
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected ap…
- CVE-2021-33894HIGHCVSS 8.8EG 8.82021-06-09
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL inje…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →