CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,867 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 139 of 378
- CVE-2021-42670CRITICALCVSS 9.8EG 9.82021-11-05
A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to the announcements_student.php web page. As a result a malicious user can extract sensitive data from the web server and in some c…
- CVE-2021-4276MEDIUMCVSS 4.1EG 8.82022-12-25
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in dns-stats hedgehog. It has been rated as problematic. Affected by this issue is the function DSCIOManager::dsc_import_input_from_source of the file src/DSCIOManager.cpp. The mani…
- CVE-2021-42760HIGHCVSS 8.8EG 8.82021-12-08
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclose sensitive information from DB tables via crafted requests.
- CVE-2021-4290MEDIUMCVSS 5.5EG 9.82022-12-27
A vulnerability was found in DHBW Fallstudie. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file app/config/passport.js of the component Login. The manipulation of the argument id/email…
- CVE-2021-42945CRITICALCVSS 9.8EG 9.82021-12-15
A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php.
- CVE-2021-4298MEDIUMCVSS 5.5EG 9.82023-01-02
A vulnerability classified as critical has been found in Hesburgh Libraries of Notre Dame Sipity. This affects the function SearchCriteriaForWorksParameter of the file app/parameters/sipity/parameters/search_criteria_for_works_parameter.rb…
- CVE-2021-4301MEDIUMCVSS 6.3EG 9.82023-01-07
A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms['db_prepend'] leads to sql injection. The attack may be …
- CVE-2021-43010HIGHCVSS 7.5EG 7.52022-05-10
In Safedog Apache v4.0.30255, attackers can bypass this product for SQL injection. Attackers can bypass access to sensitive data.
- CVE-2021-43035CRITICALCVSS 9.8EG 9.82021-12-06
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account.…
- CVE-2021-43077HIGHCVSS 8.8EG 8.82022-03-01
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows attacker to execute unaut…
- CVE-2021-4308MEDIUMCVSS 5.5EG 5.52023-01-08
A vulnerability was found in WebPA up to 3.1.1. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to sql injection. Upgrading to version 3.1.2 is able to address this issue. The identifier of…
- CVE-2021-43084CRITICALCVSS 9.8EG 9.82022-03-24
An SQL Injection vulnerability exists in Dreamer CMS 4.0.0 via the tableName parameter.
- CVE-2021-43091HIGHCVSS 7.5EG 7.52022-03-25
An SQL Injection vlnerability exits in Yeswiki doryphore 20211012 via the email parameter in the registration form.
- CVE-2021-43094CRITICALCVSS 9.8EG 9.82022-05-10
An SQL Injection vulnerability exists in OpenMRS Reference Application Standalone Edition <=2.11 and Platform Standalone Edition <=2.4.0 via GET requests on arbitrary parameters in patient.page.
- CVE-2021-43109HIGHCVSS 7.5EG 7.52022-03-29
An SQL Injection vulnerability exits in PuneethReddyHC online-shopping-system as of 11/01/2021 via the p parameter in product.php.
- CVE-2021-4313MEDIUMCVSS 5.5EG 9.82023-01-16
A vulnerability was found in NethServer phonenehome. It has been rated as critical. This issue affects the function get_info/get_country_coor of the file server/index.php. The manipulation leads to sql injection. The identifier of the patc…
- CVE-2021-43130CRITICALCVSS 9.8EG 9.82021-11-03
An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
- CVE-2021-43140CRITICALCVSS 9.8EG 9.82021-11-03
SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login.
- CVE-2021-43155CRITICALCVSS 9.8EG 9.82021-12-22
Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injection via the "bookisbn" parameter in cart.php.
- CVE-2021-43157CRITICALCVSS 9.8EG 9.82021-12-22
Projectsworlds Online Shopping System PHP 1.0 is vulnerable to SQL injection via the id parameter in cart_remove.php.
- CVE-2021-4328MEDIUMCVSS 6.3EG 9.82023-03-02
A vulnerability has been found in 狮子鱼CMS and classified as critical. Affected by this vulnerability is the function goods_detail of the file ApiController.class.php. The manipulation of the argument goods_id leads to sql injection. T…
- CVE-2021-43329CRITICALCVSS 9.8EG 9.82022-08-25
A SQL injection vulnerability in license_update.php in Mumara Classic through 2.93 allows a remote unauthenticated attacker to execute arbitrary SQL commands via the license parameter.
- CVE-2021-4336MEDIUMCVSS 5.5EG 5.52023-05-28
A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to …
- CVE-2021-43361CRITICALCVSS 9.9EG 9.82021-11-16
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData HBYS allows SQL Injection.This issue affects HBYS: from unspecified before 1.1.
- CVE-2021-43362CRITICALCVSS 9.9EG 9.82021-11-16
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData HBYS allows SQL Injection.This issue affects HBYS: from unspecified before 1.1.
- CVE-2021-4340CRITICALCVSS 9.8EG 9.82023-06-07
The uListing plugin for WordPress is vulnerable to generic SQL Injection via the ‘listing_id’ parameter in versions up to, and including, 1.6.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparat…
- CVE-2021-43408MEDIUMCVSS 6.5EG 6.52021-11-19
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically b…
- CVE-2021-43420CRITICALCVSS 9.8EG 9.82022-01-24
SQL injection vulnerability in Login.php in Sourcecodester Online Payment Hub v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2021-43451CRITICALCVSS 9.8EG 9.82021-12-01
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
- CVE-2021-43481CRITICALCVSS 9.8EG 9.82022-04-20
An SQL Injection vulnerability exists in Webtareas 2.4p3 and earlier via the $uq HTTP POST parameter in editapprovalstage.php.
- CVE-2021-43484CRITICALCVSS 9.8EG 9.82022-03-31
A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request.
- CVE-2021-43506CRITICALCVSS 9.8EG 9.82022-03-31
An SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the password parameter in Login.php.
- CVE-2021-43509CRITICALCVSS 9.8EG 9.82022-02-01
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.
- CVE-2021-43510CRITICALCVSS 9.8EG 9.82022-02-01
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
- CVE-2021-43608CRITICALCVSS 9.8EG 9.82021-12-09
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not probably cast to an integer, allowing SQL injection to take place if application developers passed un…
- CVE-2021-43609CRITICALCVSS 9.9EG 9.92023-11-09
An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute …
- CVE-2021-43628CRITICALCVSS 9.8EG 9.82021-12-22
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the email parameter in hms-staff.php.
- CVE-2021-43629CRITICALCVSS 9.8EG 9.82021-12-22
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in admin_home.php.
- CVE-2021-43630HIGHCVSS 8.8EG 8.82021-12-22
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in add_patient.php. As a result, an authenticated malicious user can compromise the databases system and in some cases leverage this vulne…
- CVE-2021-43631CRITICALCVSS 9.8EG 9.82021-12-22
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the appointment_no parameter in payment.php.
- CVE-2021-43650CRITICALCVSS 9.8EG 9.82022-03-22
WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.
- CVE-2021-43679CRITICALCVSS 9.8EG 9.82021-12-02
ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.
- CVE-2021-43700CRITICALCVSS 9.8EG 9.82022-03-24
An issue was discovered in ApiManager 1.1. there is sql injection vulnerability that can use in /index.php?act=api&tag=8.
- CVE-2021-43701MEDIUMCVSS 6.5EG 6.52022-03-29
CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters.
- CVE-2021-43735CRITICALCVSS 9.8EG 9.82022-03-23
CmsWing 1.3.7 is affected by a SQLi vulnerability via parameter: behavior rule.
- CVE-2021-43766HIGHCVSS 8.1EG 8.12022-08-25
Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first…
- CVE-2021-43789HIGHCVSS 7.5EG 7.52021-12-07
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.
- CVE-2021-43806HIGHCVSS 8.8EG 8.82021-12-15
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in…
- CVE-2021-43822HIGHCVSS 8.5EG 8.52021-12-13
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to …
- CVE-2021-43830HIGHCVSS 7.4EG 7.42021-12-14
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packag…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →