CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,865 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 137 of 378
- CVE-2021-40635HIGHCVSS 7.5EG 7.52022-03-03
OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.
- CVE-2021-40636HIGHCVSS 7.5EG 7.52022-03-03
OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.
- CVE-2021-40644MEDIUMCVSS 6.5EG 6.52022-03-30
An SQL Injection vulnerability exists in oasys oa_system as of 9/7/2021 in resources/mappers/notice-mapper.xml.
- CVE-2021-40645MEDIUMCVSS 6.5EG 6.52022-03-30
An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController.
- CVE-2021-40669CRITICALCVSS 9.8EG 9.82021-09-16
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.
- CVE-2021-40670CRITICALCVSS 9.8EG 9.82021-09-16
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file.
- CVE-2021-40674CRITICALCVSS 9.8EG 9.82021-09-20
An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php.
- CVE-2021-40814CRITICALCVSS 9.8EG 9.82021-09-08
The Customer Photo Gallery addon before 2.9.4 for PrestaShop is vulnerable to SQL injection.
- CVE-2021-40842CRITICALCVSS 9.8EG 9.82021-10-13
Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A mal…
- CVE-2021-40850CRITICALCVSS 10.0EG 10.02021-12-17
TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx.
- CVE-2021-40860HIGHCVSS 7.2EG 7.22021-12-08
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the ql_expression parameter, with which all data in the datab…
- CVE-2021-40861HIGHCVSS 7.2EG 7.22021-12-08
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extr…
- CVE-2021-4088HIGHCVSS 8.4EG 7.22022-01-24
SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database.…
- CVE-2021-40907CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Sourcecodester Storage Unit Rental Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /storage/classes/Login.php.
- CVE-2021-40908CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2021-40909CRITICALCVSS 9.6EG 9.62022-01-24
Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, and email param…
- CVE-2021-40955HIGHCVSS 7.2EG 7.22022-06-23
SQL injection exists in LaiKetui v3.5.0 the background administrator list.
- CVE-2021-40956HIGHCVSS 7.5EG 7.52022-06-23
LaiKetui v3.5.0 has SQL injection in the background through the menu management function, and sensitive data can be obtained.
- CVE-2021-40961HIGHCVSS 8.8EG 8.82022-06-09
CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.
- CVE-2021-40992HIGHCVSS 7.2EG 7.22021-10-15
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prio…
- CVE-2021-40993HIGHCVSS 8.1EG 8.12021-10-15
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prio…
- CVE-2021-41063CRITICALCVSS 9.8EG 9.82021-12-08
SQL injection vulnerability was discovered in Aanderaa GeoView Webservice prior to version 2.1.3 that could allow an unauthenticated attackers to execute arbitrary commands.
- CVE-2021-41075CRITICALCVSS 9.8EG 9.82021-10-13
The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.
- CVE-2021-41080CRITICALCVSS 9.8EG 9.82021-11-11
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search.
- CVE-2021-41081CRITICALCVSS 9.8EG 9.82021-11-11
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.
- CVE-2021-41147HIGHCVSS 7.2EG 7.22021-10-15
Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with…
- CVE-2021-41148HIGHCVSS 8.8EG 8.82021-10-15
Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with…
- CVE-2021-41154HIGHCVSS 8.8EG 8.82021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions…
- CVE-2021-41155HIGHCVSS 8.8EG 8.82021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the…
- CVE-2021-41187HIGHCVSS 8.1EG 8.12021-11-01
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /a…
- CVE-2021-41262HIGHCVSS 8.8EG 8.82021-12-16
Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to …
- CVE-2021-41288CRITICALCVSS 9.8EG 9.82021-09-30
Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.
- CVE-2021-4134HIGHCVSS 7.2EG 7.22022-02-16
The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level pe…
- CVE-2021-41365HIGHCVSS 8.8EG 8.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-41408CRITICALCVSS 9.8EG 9.82022-06-17
VoIPmonitor WEB GUI up to version 24.61 is affected by SQL injection through the "api.php" file and "user" parameter.
- CVE-2021-41433CRITICALCVSS 9.8EG 9.82022-09-27
SQL Injection vulnerability exists in version 1.0 of the Resumes Management and Job Application Website application login form by EGavilan Media that allows authentication bypass through login.php.
- CVE-2021-41460HIGHCVSS 7.5EG 7.52022-06-28
ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information.
- CVE-2021-41471CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Sourcecodester South Gate Inn Online Reservation System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the email and Password parameters.
- CVE-2021-41472CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password parameters.
- CVE-2021-41487CRITICALCVSS 9.8EG 9.82022-06-16
NOKIA VitalSuite SPM 2020 is affected by SQL injection through UserName'.
- CVE-2021-41492CRITICALCVSS 9.8EG 9.82021-11-03
Multiple SQL Injection vulnerabilities exist in Sourcecodester Simple Cashiering System (POS) 1.0 via the (1) Product Code in the pos page in cashiering. (2) id parameter in manage_products and the (3) t paramater in actions.php.
- CVE-2021-41511CRITICALCVSS 9.8EG 9.82021-10-04
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
- CVE-2021-41609CRITICALCVSS 9.8EG 9.82022-01-28
SQL injection in the ID parameter of the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve data from the application's backend database via boolean-based blind and…
- CVE-2021-41647CRITICALCVSS 9.1EG 9.12021-10-01
An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive dat…
- CVE-2021-41648HIGHCVSS 7.5EG 7.52021-10-01
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
- CVE-2021-41649CRITICALCVSS 9.8EG 9.82021-10-01
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
- CVE-2021-41651HIGHCVSS 7.5EG 7.52021-10-04
A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_upd…
- CVE-2021-41654CRITICALCVSS 9.8EG 9.82022-06-16
SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php
- CVE-2021-41659CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Sourcecodester Banking System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username or password field.
- CVE-2021-41660CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Sourcecodester Patient Appointment Scheduler System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password fields to login.php.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →