CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,862 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 134 of 378
- CVE-2021-33925CRITICALCVSS 9.8EG 9.82023-02-15
SQL Injection vulnerability in nitinparashar30 cms-corephp through commit bdabe52ef282846823bda102728a35506d0ec8f9 (May 19, 2021) allows unauthenticated attackers to gain escilated privledges via a crafted login.
- CVE-2021-33948CRITICALCVSS 9.8EG 9.82023-02-17
SQL injection vulnerability in FantasticLBP Hotels Server v1.0 allows attacker to execute arbitrary code via the username parameter.
- CVE-2021-34117HIGHCVSS 7.5EG 7.52023-02-15
SQL Injection vulnerability in SEO Panel 4.9.0 in api/user.api.php in function getUserName in the username parameter, allows attackers to gain sensitive information.
- CVE-2021-34165CRITICALCVSS 9.8EG 9.82021-07-30
A SQL Injection vulnerability in Sourcecodester Basic Shopping Cart 1.0 allows a remote attacker to Bypass Authentication and become Admin.
- CVE-2021-34166CRITICALCVSS 9.8EG 9.82021-07-30
A SQL INJECTION vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to Bypass Authentication and become Admin.
- CVE-2021-34187CRITICALCVSS 9.8EG 9.82021-06-28
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
- CVE-2021-34235CRITICALCVSS 9.8EG 9.82022-02-11
Tokheim Profleet DiaLOG 11.005.02 is affected by SQL Injection. The component is the Field__UserLogin parameter on the logon page.
- CVE-2021-34249HIGHCVSS 7.5EG 7.52023-02-24
SQL injection vulnerability in sourcecodester online-book-store 1.0 allows remote attackers to view sensitive information via the id paremeter in application URL.
- CVE-2021-34609HIGHCVSS 8.8EG 8.82021-07-08
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
- CVE-2021-34684CRITICALCVSS 9.8EG 9.82021-11-08
Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards…
- CVE-2021-35042CRITICALCVSS 9.8EG 9.82021-07-02
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
- CVE-2021-35048CRITICALCVSS 9.8EG 9.82021-06-25
Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnera…
- CVE-2021-35049CRITICALCVSS 9.9EG 8.82021-06-25
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and …
- CVE-2021-35212HIGHCVSS 8.9EG 8.92021-08-31
An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certif…
- CVE-2021-35226MEDIUMCVSS 6.5EG 6.52022-10-10
An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.
- CVE-2021-35234HIGHCVSS 8.0EG 8.82021-12-20
Numerous exposed dangerous functions within Orion Core has allows for read-only SQL injection leading to privileged escalation. An attacker with low-user privileges may steal password hashes and password salt information.
- CVE-2021-35283CRITICALCVSS 9.8EG 9.82022-07-07
SQL Injection vulnerability in product_admin.php in atoms183 CMS 1.0, allows attackers to execute arbitrary commands via the Name, Fname, and ID parameters to search.php.
- CVE-2021-35284CRITICALCVSS 9.8EG 9.82022-11-23
SQL Injection vulnerability in function get_user in login_manager.php in rizalafani cms-php v1.
- CVE-2021-35387HIGHCVSS 8.8EG 8.82022-10-28
Hospital Management System v 4.0 is vulnerable to SQL Injection via file:hospital/hms/admin/view-patient.php.
- CVE-2021-35414CRITICALCVSS 9.8EG 9.82021-12-03
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
- CVE-2021-35437CRITICALCVSS 9.8EG 9.82023-11-16
SQL injection vulnerability in LMXCMS v.1.4 allows attacker to execute arbitrary code via the TagsAction.class.
- CVE-2021-35456CRITICALCVSS 9.8EG 9.82021-06-28
Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload
- CVE-2021-35458CRITICALCVSS 9.8EG 9.82021-07-30
Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter.
- CVE-2021-35487MEDIUMCVSS 6.5EG 6.52022-05-25
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parame…
- CVE-2021-3604CRITICALCVSS 9.8EG 9.82021-06-18
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts st…
- CVE-2021-36184HIGHCVSS 8.8EG 8.82021-11-02
A improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclosure device, users and database information via crafted HTTP requests.
- CVE-2021-36299HIGHCVSS 7.1EG 7.12021-11-23
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause informa…
- CVE-2021-36300MEDIUMCVSS 6.5EG 6.52021-11-23
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver o…
- CVE-2021-36328HIGHCVSS 8.8EG 8.82021-11-30
Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive i…
- CVE-2021-36348HIGHCVSS 8.1EG 8.12022-01-25
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supp…
- CVE-2021-36351CRITICALCVSS 9.8EG 9.82021-08-06
SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php.
- CVE-2021-36385CRITICALCVSS 9.8EG 9.82021-08-24
A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be…
- CVE-2021-36392CRITICALCVSS 9.8EG 9.82023-03-06
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
- CVE-2021-36393CRITICALCVSS 9.8EG 9.82023-03-06
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
- CVE-2021-36431CRITICALCVSS 9.1EG 9.12023-02-03
SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jo_json_check() function in jocms/apps/mask/inc/mask.php.
- CVE-2021-36432HIGHCVSS 7.5EG 7.52023-02-03
SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jo_set_mask() function in jocms/apps/mask/mask.php.
- CVE-2021-36433CRITICALCVSS 9.1EG 9.12023-02-03
SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jo_delete_mask function in jocms/apps/mask/mask.php.
- CVE-2021-36434CRITICALCVSS 9.1EG 9.12023-02-03
SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jo_json_check function in jocms/apps/mask/inc/getmask.php.
- CVE-2021-36438MEDIUMCVSS 6.5EG 6.52026-04-27
SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php.
- CVE-2021-36455HIGHCVSS 8.8EG 8.82021-08-06
SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php.
- CVE-2021-36484CRITICALCVSS 9.8EG 9.82023-02-03
SQL injection vulnerability in JIZHICMS 1.9.5 allows attackers to run arbitrary SQL commands via add or edit article page.
- CVE-2021-36503CRITICALCVSS 9.8EG 9.82023-02-03
SQL injection vulnerability in native-php-cms 1.0 allows remote attackers to run arbitrary SQL commands via the cat parameter to /list.php file.
- CVE-2021-36520HIGHCVSS 7.5EG 7.52023-04-16
A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via a evaluation/assign-evaluation?id= URI.
- CVE-2021-36621HIGHCVSS 8.1EG 8.12021-07-30
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obt…
- CVE-2021-36624CRITICALCVSS 9.8EG 9.82021-07-30
Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
- CVE-2021-36625HIGHCVSS 8.8EG 8.82022-03-31
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
- CVE-2021-36722HIGHCVSS 7.1EG 7.12021-12-29
Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message …
- CVE-2021-36748HIGHCVSS 7.5EG 9.02021-08-20
A SQL Injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter.
- CVE-2021-36789CRITICALCVSS 9.8EG 9.82021-08-13
The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection.
- CVE-2021-36807HIGHCVSS 8.8EG 8.82021-11-26
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →