CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,865 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 136 of 378
- CVE-2021-38481HIGHCVSS 8.1EG 8.12021-10-22
The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitation of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to exec…
- CVE-2021-3854CRITICALCVSS 9.8EG 9.82023-03-02
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15.
- CVE-2021-38574CRITICALCVSS 9.8EG 9.82021-08-11
An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows SQL Injection via crafted data at the end of a string.
- CVE-2021-3860HIGHCVSS 8.8EG 8.82021-12-20
JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.
- CVE-2021-38694HIGHCVSS 7.5EG 7.52022-01-18
SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection.
- CVE-2021-38706HIGHCVSS 8.8EG 8.82021-09-07
messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter.
- CVE-2021-38723HIGHCVSS 8.8EG 8.82021-09-09
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items
- CVE-2021-38727CRITICALCVSS 9.8EG 9.82021-09-09
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items
- CVE-2021-38729CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Plist.php.
- CVE-2021-38730CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Info.php.
- CVE-2021-38731CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Zekou.php.
- CVE-2021-38732CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS SHOP v 1.1 is vulnerable to SQL via Ant_Message.php.
- CVE-2021-38733CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_BlogCat.php.
- CVE-2021-38734CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Menu.php.
- CVE-2021-38736CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS Shop V 1.1 is vulnerable to SQL Injection via Ant_Global.php.
- CVE-2021-38737CRITICALCVSS 9.8EG 9.82022-10-28
SEMCMS v 1.1 is vulnerable to SQL Injection via Ant_Pro.php.
- CVE-2021-38754CRITICALCVSS 9.8EG 9.82021-08-16
SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php.
- CVE-2021-38819HIGHCVSS 8.8EG 8.82022-11-17
A SQL injection vulnerability exits on the Simple Image Gallery System 1.0 application through "id" parameter on the album page.
- CVE-2021-38833CRITICALCVSS 9.8EG 9.82021-09-13
SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE.
- CVE-2021-38840CRITICALCVSS 9.8EG 9.82021-09-07
SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.
- CVE-2021-39085CRITICALCVSS 9.8EG 9.82022-08-16
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5, 6.1.0.0 through 6.1.0.4, and 6.1.1.0 through 6.1.1.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the…
- CVE-2021-39165HIGHCVSS 8.1EG 9.02021-08-26
Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensit…
- CVE-2021-39179HIGHCVSS 8.8EG 8.82021-10-29
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL co…
- CVE-2021-39302CRITICALCVSS 9.8EG 9.82021-08-19
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
- CVE-2021-3935HIGHCVSS 8.1EG 8.12021-11-22
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affe…
- CVE-2021-39351MEDIUMCVSS 6.5EG 6.52021-10-06
The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites. This iss…
- CVE-2021-39375HIGHCVSS 8.8EG 8.82021-08-24
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
- CVE-2021-39376HIGHCVSS 8.8EG 8.82021-08-24
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
- CVE-2021-39377CRITICALCVSS 9.8EG 9.82021-09-01
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.
- CVE-2021-39378CRITICALCVSS 9.8EG 9.82021-09-01
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.
- CVE-2021-39379CRITICALCVSS 9.8EG 9.82021-09-01
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id p…
- CVE-2021-3958CRITICALCVSS 9.8EG 9.82021-11-16
Improper Handling of Parameters vulnerability in Ipack Automation Systems Ipack SCADA Software allows : Blind SQL Injection.This issue affects Ipack SCADA Software: from unspecified before 1.1.0.
- CVE-2021-39978HIGHCVSS 7.5EG 7.52022-01-03
Telephony application has a SQL Injection vulnerability.Successful exploitation of this vulnerability may cause privacy and security issues.
- CVE-2021-40129MEDIUMCVSS 4.9EG 4.92021-11-19
A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard. This vulnerability is due to in…
- CVE-2021-40247CRITICALCVSS 9.8EG 9.82022-01-21
SQL injection vulnerability in Sourcecodester Budget and Expense Tracker System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username field.
- CVE-2021-40279HIGHCVSS 7.2EG 7.22021-12-09
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.
- CVE-2021-40280HIGHCVSS 7.2EG 7.22021-12-09
An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.
- CVE-2021-40281HIGHCVSS 8.8EG 8.82021-12-09
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.
- CVE-2021-40282HIGHCVSS 8.8EG 8.82021-12-09
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users.
- CVE-2021-40309HIGHCVSS 8.8EG 8.82021-09-24
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An at…
- CVE-2021-40313HIGHCVSS 8.8EG 8.82021-12-06
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.
- CVE-2021-40317HIGHCVSS 8.8EG 8.82022-05-26
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
- CVE-2021-40353CRITICALCVSS 9.8EG 9.82021-09-01
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist becau…
- CVE-2021-40493CRITICALCVSS 9.8EG 9.82021-10-13
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.
- CVE-2021-40543CRITICALCVSS 9.8EG 9.82021-10-11
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.
- CVE-2021-40578HIGHCVSS 7.2EG 7.22021-12-07
Authenticated Blind & Error-based SQL injection vulnerability was discovered in Online Enrollment Management System in PHP and PayPal Free Source Code 1.0, that allows attackers to obtain sensitive information and execute arbitrary SQL com…
- CVE-2021-40595CRITICALCVSS 9.8EG 9.82022-01-21
SQL injection vulnerability in Sourcecodester Online Leave Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /leave_system/classes/Login.php.
- CVE-2021-40596CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Login.php in sourcecodester Online Learning System v2 by oretnom23, allows attackers to execute arbitrary SQL commands via the faculty_id parameter.
- CVE-2021-40617CRITICALCVSS 9.8EG 9.82021-10-11
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
- CVE-2021-40618CRITICALCVSS 9.8EG 9.82021-10-12
An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →