CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,867 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 138 of 378
- CVE-2021-41661CRITICALCVSS 9.8EG 9.82022-06-13
Church Management System version 1.0 is affected by a SQL anjection vulnerability through creating a user with a PHP file as an avatar image, which is accessible through the /uploads directory. This can lead to RCE on the web server by upl…
- CVE-2021-41662CRITICALCVSS 9.8EG 9.82022-06-13
The South Gate Inn Online Reservation System v1.0 contains an SQL injection vulnerability that can be chained with a malicious PHP file upload, which is caused by improper file handling in the editImg function. This vulnerability leads to …
- CVE-2021-41672MEDIUMCVSS 6.5EG 6.52022-06-15
PEEL Shopping CMS 9.4.0 is vulnerable to authenticated SQL injection in utilisateurs.php. A user that belongs to the administrator group can inject a malicious SQL query in order to affect the execution logic of the application and retrive…
- CVE-2021-41674CRITICALCVSS 9.8EG 9.82021-10-29
An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.
- CVE-2021-41676CRITICALCVSS 9.8EG 9.82021-10-29
An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php.
- CVE-2021-41677CRITICALCVSS 9.8EG 9.82021-11-30
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.
- CVE-2021-41678CRITICALCVSS 9.8EG 9.82021-11-30
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.
- CVE-2021-41679CRITICALCVSS 9.8EG 9.82021-11-30
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.
- CVE-2021-41691CRITICALCVSS 9.8EG 9.82025-06-24
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.
- CVE-2021-41695CRITICALCVSS 9.8EG 9.82021-12-09
An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. .
- CVE-2021-41746HIGHCVSS 7.5EG 7.52021-10-29
SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.
- CVE-2021-41754CRITICALCVSS 9.8EG 9.82022-06-10
dynamicMarkt <= 3.10 is affected by SQL injection in the parent parameter of index.php.
- CVE-2021-41755CRITICALCVSS 9.8EG 9.82022-06-10
dynamicMarkt <= 3.10 is affected by SQL injection in the kat1 parameter of index.php.
- CVE-2021-41756CRITICALCVSS 9.8EG 9.82022-06-10
dynamicMarkt <= 3.10 is affected by SQL injection in the kat parameter of index.php.
- CVE-2021-41765CRITICALCVSS 9.8EG 9.82021-11-15
A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the …
- CVE-2021-41843MEDIUMCVSS 6.5EG 6.52021-12-17
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/cale…
- CVE-2021-41845MEDIUMCVSS 6.5EG 6.52021-10-01
A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007. The only affected versions are 10.9.000032 through 11.0.000006.
- CVE-2021-41920HIGHCVSS 7.5EG 7.52021-10-08
webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters. This allows an…
- CVE-2021-41928CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection in Sourcecodester Try My Recipe (Recipe Sharing Website - CMS) 1.0 by oretnom23, allows attackers to execute arbitrary code via the rid parameter to the view_recipe page.
- CVE-2021-41931CRITICALCVSS 9.8EG 9.82021-11-17
The Company's Recruitment Management System in id=2 of the parameter from view_vacancy app on-page appears to be vulnerable to SQL injection. The payloads 19424269' or '1309'='1309 and 39476597' or '2917'='2923 were each submitted in the i…
- CVE-2021-41932HIGHCVSS 8.8EG 8.82022-06-06
A blind SQL injection vulnerability in search form in TeamMate+ Audit version 28.0.19.0 allows any authenticated user to create malicious SQL injections, which can result in complete database compromise, gaining information about other use…
- CVE-2021-41942HIGHCVSS 7.5EG 7.52022-04-29
The Magic CMS MSVOD v10 video system has a SQL injection vulnerability. Attackers can use vulnerabilities to obtain sensitive information in the database.
- CVE-2021-41947HIGHCVSS 7.2EG 7.22021-10-08
A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
- CVE-2021-41965HIGHCVSS 8.8EG 8.82022-05-15
A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action…
- CVE-2021-41971HIGHCVSS 8.8EG 8.82021-10-18
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.
- CVE-2021-42064CRITICALCVSS 9.8EG 9.82021-12-14
If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exp…
- CVE-2021-42077CRITICALCVSS 9.8EG 9.82021-11-08
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to…
- CVE-2021-4208HIGHCVSS 7.2EG 7.22022-02-21
The ExportFeed WordPress plugin through 2.0.1.0 does not sanitise and escape the product_id POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability exploitable by high privilege users
- CVE-2021-42131HIGHCVSS 8.8EG 8.82021-12-07
A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
- CVE-2021-42169CRITICALCVSS 9.8EG 9.82021-10-22
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is n…
- CVE-2021-42185CRITICALCVSS 9.8EG 9.82022-05-04
wdja v2.1 is affected by a SQL injection vulnerability in the foreground search function.
- CVE-2021-42224CRITICALCVSS 9.8EG 9.82021-10-13
SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.
- CVE-2021-42235CRITICALCVSS 9.8EG 9.82022-05-04
SQL injection in osTicket before 1.14.8 and 1.15.4 login and password reset process allows attackers to access the osTicket administration profile functionality.
- CVE-2021-42258CRITICALCVSS 9.8EG 9.8⚠ KEV2021-10-22
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (…
- CVE-2021-42311CRITICALCVSS 10.0EG 9.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-42313CRITICALCVSS 10.0EG 10.02021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-42325CRITICALCVSS 9.8EG 9.82021-10-12
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
- CVE-2021-42333HIGHCVSS 8.8EG 8.82021-10-15
The Easytest contains SQL injection vulnerabilities. After obtaining user’s privilege, remote attackers can inject SQL commands into the parameters of the learning history page to access all database and obtain administrator permissions.
- CVE-2021-42334HIGHCVSS 8.8EG 8.82021-10-15
The Easytest contains SQL injection vulnerabilities. After obtaining a user’s privilege, remote attackers can inject SQL commands into the parameters of the elective course management page to obtain all database and administrator permiss…
- CVE-2021-42369CRITICALCVSS 9.9EG 8.82021-10-14
Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the "Export to CSV" feature of the Contact Manager web GUI.
- CVE-2021-4246MEDIUMCVSS 6.3EG 9.82022-12-17
A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack m…
- CVE-2021-42580CRITICALCVSS 9.8EG 9.82021-11-15
Sourcecodester Online Learning System 2.0 is vunlerable to sql injection authentication bypass in admin login file (/admin/login.php) and authenticated file upload in (Master.php) file , we can craft these two vunlerablities to get unauthe…
- CVE-2021-4261MEDIUMCVSS 6.3EG 9.82022-12-19
A vulnerability classified as critical has been found in pacman-canvas up to 1.0.5. Affected is the function addHighscore of the file data/db-handler.php. The manipulation leads to sql injection. It is possible to launch the attack remotel…
- CVE-2021-4262MEDIUMCVSS 5.5EG 9.82022-12-19
A vulnerability classified as critical was found in laravel-jqgrid. Affected by this vulnerability is the function getRows of the file src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php. The manipulation leads to sql i…
- CVE-2021-42633MEDIUMCVSS 5.3EG 5.32022-02-02
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to SQL Injection, which may allow an attacker to access additional audit records.
- CVE-2021-42655HIGHCVSS 8.8EG 8.82022-05-24
SiteServer CMS V6.15.51 is affected by a SQL injection vulnerability.
- CVE-2021-42665CRITICALCVSS 9.8EG 9.82021-11-05
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
- CVE-2021-42666HIGHCVSS 8.8EG 8.82021-11-05
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnera…
- CVE-2021-42667CRITICALCVSS 9.8EG 9.82021-11-05
A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the sql query performed. As a result he…
- CVE-2021-42668CRITICALCVSS 9.8EG 9.82021-11-05
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page.. As a result, an attacker can extract sensitive data from the web server and in some cases can us…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →