CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,865 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 135 of 378
- CVE-2021-36880HIGHCVSS 8.6EG 8.62021-09-27
Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.
- CVE-2021-36898HIGHCVSS 7.5EG 7.22022-10-28
Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.
- CVE-2021-36916HIGHCVSS 8.6EG 8.62021-11-24
The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address fro…
- CVE-2021-37197HIGHCVSS 8.8EG 8.82022-01-11
A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used)…
- CVE-2021-37291CRITICALCVSS 9.8EG 9.82022-04-11
An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 ivia the input_id POST parameter in index.php.
- CVE-2021-37316HIGHCVSS 7.5EG 7.52023-02-03
SQL injection vulnerability in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to view sensitive information via /etc/shadow.
- CVE-2021-37350CRITICALCVSS 9.8EG 9.82021-08-13
Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation.
- CVE-2021-37358CRITICALCVSS 9.8EG 9.82021-08-18
SQL Injection in SEACMS v210530 (2021-05-30) allows remote attackers to execute arbitrary code via the component "admin_ajax.php?action=checkrepeat&v_name=".
- CVE-2021-37371CRITICALCVSS 9.8EG 9.82021-10-26
Online Student Admission System 1.0 is affected by an unauthenticated SQL injection bypass vulnerability in /admin/login.php.
- CVE-2021-37413CRITICALCVSS 9.8EG 9.82022-05-19
GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modi…
- CVE-2021-37422CRITICALCVSS 9.8EG 9.82021-09-10
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
- CVE-2021-37473CRITICALCVSS 9.8EG 9.82021-07-26
In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database.
- CVE-2021-37475CRITICALCVSS 9.8EG 9.82021-07-26
In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database.
- CVE-2021-37476CRITICALCVSS 9.8EG 9.82021-07-26
In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database.
- CVE-2021-37477CRITICALCVSS 9.8EG 9.82021-07-26
In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database.
- CVE-2021-37478CRITICALCVSS 9.8EG 9.82021-07-26
In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database.
- CVE-2021-37497CRITICALCVSS 9.8EG 9.82023-02-03
SQL injection vulnerability in route of PbootCMS 3.0.5 allows remote attackers to run arbitrary SQL commands via crafted GET request.
- CVE-2021-37522CRITICALCVSS 9.8EG 9.82023-07-18
SQL injection vulnerability in HKing2802 Locke-Bot 2.0.2 allows remote attackers to run arbitrary SQL commands via crafted string to /src/db.js, /commands/mute.js, /modules/event/messageDelete.js.
- CVE-2021-37538CRITICALCVSS 9.8EG 9.82021-08-24
Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.p…
- CVE-2021-37556HIGHCVSS 8.8EG 8.82021-08-03
A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/…
- CVE-2021-37557HIGHCVSS 8.8EG 8.82021-08-03
A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/ge…
- CVE-2021-37558CRITICALCVSS 9.8EG 9.82021-08-03
A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulne…
- CVE-2021-37589HIGHCVSS 7.5EG 7.52022-06-07
Virtua Cobranca before 12R allows SQL Injection on the login page.
- CVE-2021-37593CRITICALCVSS 9.1EG 9.12021-07-30
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacke…
- CVE-2021-37599CRITICALCVSS 9.8EG 9.82021-08-12
The exporter/Login.aspx login form in the Exporter in Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection that allows a remote, unauthenticated attacker to read the database (and execute code in some situations) via the txtP…
- CVE-2021-37614HIGHCVSS 8.8EG 8.82021-08-05
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine b…
- CVE-2021-37737HIGHCVSS 8.8EG 8.82021-10-15
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prio…
- CVE-2021-37749CRITICALCVSS 9.8EG 9.82021-08-30
MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method.
- CVE-2021-37782CRITICALCVSS 9.8EG 9.82022-10-28
Employee Record Management System v 1.2 is vulnerable to SQL Injection via editempprofile.php.
- CVE-2021-37787MEDIUMCVSS 6.5EG 6.52025-03-11
The unprivileged administrative interface in ABO.CMS version 5.8 through v.5.9.3 is affected by a SQL Injection vulnerability via a HTTP POST request to the TinyMCE module
- CVE-2021-37803HIGHCVSS 8.1EG 8.12021-10-27
An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php .
- CVE-2021-37806MEDIUMCVSS 5.9EG 5.92021-10-27
An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Based on the SLEEP(N) function payload that…
- CVE-2021-37807HIGHCVSS 7.5EG 7.52021-10-27
An SQL Injection vulneraility exists in https://phpgurukul.com Online Shopping Portal 3.1 via the email parameter on the /check_availability.php endpoint that serves as a checker whether a new user's email is already exist within the datab…
- CVE-2021-37808MEDIUMCVSS 5.9EG 5.92021-10-27
SQL Injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters, the server response is about (N) seconds delay respectively whi…
- CVE-2021-37823MEDIUMCVSS 4.9EG 4.92022-11-03
OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background.
- CVE-2021-37832CRITICALCVSS 9.8EG 9.82021-08-03
A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.
- CVE-2021-38145CRITICALCVSS 9.8EG 9.82021-08-31
An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?expor…
- CVE-2021-38159CRITICALCVSS 9.8EG 9.82021-08-07
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine…
- CVE-2021-38167CRITICALCVSS 9.8EG 9.82021-08-07
Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication.
- CVE-2021-38168HIGHCVSS 8.8EG 8.82021-08-07
Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers.
- CVE-2021-3817CRITICALCVSS 9.8EG 9.82021-12-09
wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
- CVE-2021-38176HIGHCVSS 8.8EG 8.82021-09-14
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Databa…
- CVE-2021-38217CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS v 1.2 is vulnerable to SQL Injection via SEMCMS_User.php.
- CVE-2021-38239HIGHCVSS 7.5EG 7.52023-02-15
SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.
- CVE-2021-38302CRITICALCVSS 9.8EG 3.92021-08-13
The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.
- CVE-2021-38303CRITICALCVSS 9.8EG 9.82021-09-28
A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.
- CVE-2021-38324HIGHCVSS 8.2EG 8.22021-09-09
The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and in…
- CVE-2021-38390CRITICALCVSS 9.8EG 9.82021-08-30
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through t…
- CVE-2021-38391CRITICALCVSS 9.8EG 9.82021-08-30
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the p…
- CVE-2021-38393CRITICALCVSS 9.8EG 9.82021-08-30
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through t…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →