CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 140 of 378
- CVE-2021-43851HIGHCVSS 8.1EG 8.12021-12-22
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "s…
- CVE-2021-43863HIGHCVSS 7.5EG 7.52022-01-25
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `Disk…
- CVE-2021-43925MEDIUMCVSS 4.7EG 9.82022-02-07
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands vi…
- CVE-2021-43926MEDIUMCVSS 4.7EG 9.82022-02-07
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands vi…
- CVE-2021-43927MEDIUMCVSS 4.7EG 9.82022-02-07
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL comman…
- CVE-2021-43969MEDIUMCVSS 6.5EG 6.52022-03-10
The login.jsp page of Quicklert for Digium 10.0.0 (1043) is affected by both Blind SQL Injection with Out-of-Band Interaction (DNS) and Blind Time-Based SQL Injections. Exploitation can be used to disclose all data within the database (up …
- CVE-2021-43971HIGHCVSS 8.8EG 8.82022-01-11
A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
- CVE-2021-44026CRITICALCVSS 9.8EG 9.8⚠ KEV2021-11-19
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
- CVE-2021-44050MEDIUMCVSS 6.5EG 6.52021-12-02
CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.
- CVE-2021-44088CRITICALCVSS 9.8EG 9.82022-03-17
An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters.
- CVE-2021-44090CRITICALCVSS 9.8EG 9.82022-01-20
An SQL Injection vulnerability exists in Sourcecodester Online Reviewer System 1.0 via the password parameter.
- CVE-2021-44092CRITICALCVSS 9.8EG 9.82022-01-20
An SQL Injection vulnerability exists in code-projects Pharmacy Management 1.0 via the username parameter in the administer login form.
- CVE-2021-44095CRITICALCVSS 9.8EG 9.82022-06-02
A SQL injection vulnerability exists in ProjectWorlds Hospital Management System in php 1.0 on login page that allows a remote attacker to compromise Application SQL database.
- CVE-2021-44096CRITICALCVSS 9.8EG 9.82022-06-02
EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 is vulnerable to SQL Injection via profile_action - update_user. This allows a remote attacker to compromise Application SQL database.
- CVE-2021-44097CRITICALCVSS 9.8EG 9.82022-06-02
EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 is vulnerable to SQL Injection via Addmessage.php. This allows a remote attacker to compromise Application SQL database.
- CVE-2021-44098CRITICALCVSS 9.8EG 9.82022-06-02
EGavilan Media Expense-Management-System 1.0 is vulnerable to SQL Injection via /expense_action.php. This allows a remote attacker to compromise Application SQL database.
- CVE-2021-44135CRITICALCVSS 9.8EG 9.82022-04-01
pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing.
- CVE-2021-44161HIGHCVSS 8.8EG 8.82021-12-29
Changing MOTP (Mobile One Time Password) system’s specific function parameter has insufficient validation for user input. A attacker in local area network can perform SQL injection attack to read, modify or delete backend database withou…
- CVE-2021-44244CRITICALCVSS 9.8EG 9.82022-01-20
An SQL Injection vulnerabiity exists in Sourcecodester Logistic Hub Parcel's Management System 1.0 via the username parameter in login.php.
- CVE-2021-44245CRITICALCVSS 9.8EG 9.82022-01-20
An SQL Injection vulnerability exists in Courcecodester COVID 19 Testing Management System (CTMS) 1.0 via the (1) username and (2) contactno parameters.
- CVE-2021-44249CRITICALCVSS 9.8EG 9.82022-01-28
Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Time-Based SQL Injection attack within the login portal. This can lead attackers to remotely dump MySQL database credentials.
- CVE-2021-44280CRITICALCVSS 9.8EG 9.82021-12-01
attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.
- CVE-2021-44302HIGHCVSS 8.8EG 8.82022-02-19
BaiCloud-cms v2.5.7 was discovered to contain multiple SQL injection vulnerabilities via the tongji and baidu_map parameters in /user/ztconfig.php.
- CVE-2021-44345HIGHCVSS 7.5EG 7.52022-03-20
Beijing Wisdom Vision Technology Industry Co., Ltd One Card Integrated Management System 3.0 is vulnerable to SQL Injection.
- CVE-2021-44347CRITICALCVSS 9.8EG 9.82021-12-03
SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php.
- CVE-2021-44348CRITICALCVSS 9.8EG 9.82021-12-03
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\Manage\Controller\AdvertController.class.php.
- CVE-2021-44349CRITICALCVSS 9.8EG 9.82021-12-03
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.class.php.
- CVE-2021-44350CRITICALCVSS 9.8EG 9.82021-12-15
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
- CVE-2021-44427CRITICALCVSS 9.8EG 9.82021-11-29
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via th…
- CVE-2021-4450HIGHCVSS 8.8EG 8.82024-10-16
The Post Grid plugin for WordPress is vulnerable to blind SQL Injection via post metadata in versions up to, and including, 2.1.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi…
- CVE-2021-44567CRITICALCVSS 9.8EG 9.82022-02-24
An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.
- CVE-2021-4458MEDIUMCVSS 5.9EG 5.92025-07-12
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the us…
- CVE-2021-44581HIGHCVSS 7.5EG 7.52022-03-29
An SQL Injection vulnerabilty exists in Kreado Kreasfero 1.5 via the id parameter.
- CVE-2021-44593HIGHCVSS 8.1EG 8.12022-01-21
Simple College Website 1.0 is vulnerable to unauthenticated file upload & remote code execution via UNION-based SQL injection in the username parameter on /admin/login.php.
- CVE-2021-44599HIGHCVSS 7.5EG 7.52021-12-23
The id parameter from Online Enrollment Management System 1.0 system appears to be vulnerable to SQL injection attacks. A crafted payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a …
- CVE-2021-44600HIGHCVSS 7.5EG 7.52021-12-23
The password parameter on Simple Online Mens Salon Management System (MSMS) 1.0 appears to be vulnerable to SQL injection attacks through the password parameter. The predictive tests of this application interacted with that domain, indicat…
- CVE-2021-44610CRITICALCVSS 9.8EG 9.82022-02-24
Multiple SQL Injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite (5) eta_doctype. (6) meta_charset, (7) default_group, and (8) page group parameters in the settings mode…
- CVE-2021-44617CRITICALCVSS 9.8EG 9.82022-03-28
A SQL Injection vulnerability exits in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated.
- CVE-2021-44653CRITICALCVSS 9.8EG 9.82021-12-15
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to gain access as adm…
- CVE-2021-44655CRITICALCVSS 9.8EG 9.82021-12-15
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to get…
- CVE-2021-44779HIGHCVSS 7.3EG 7.32022-02-04
Unauthenticated SQL Injection (SQLi) vulnerability discovered in [GWA] AutoResponder WordPress plugin (versions <= 2.3), vulnerable at (&listid). No patched version available, plugin closed.
- CVE-2021-44835CRITICALCVSS 9.8EG 9.82022-09-09
An issue was discovered in Active Intelligent Visualization 5. The Vdc header is used in a SQL query without being sanitized. This causes SQL injection.
- CVE-2021-44866HIGHCVSS 7.5EG 7.52022-02-03
An issue was discovered in Online-Movie-Ticket-Booking-System 1.0. The file about.php does not perform input validation on the 'id' paramter. An attacker can append SQL queries to the input to extract sensitive information from the databas…
- CVE-2021-44868CRITICALCVSS 9.8EG 9.82022-02-17
A problem was found in ming-soft MCMS v5.1. There is a sql injection vulnerability in /ms/cms/content/list.do
- CVE-2021-44874HIGHCVSS 8.8EG 8.82021-12-21
Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Insecure design on report build via SQL query. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise data…
- CVE-2021-44915HIGHCVSS 7.2EG 7.22022-07-05
Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.
- CVE-2021-44966CRITICALCVSS 9.8EG 9.82021-12-13
SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information …
- CVE-2021-45014CRITICALCVSS 9.8EG 9.82021-12-14
There is an upload sql injection vulnerability in the background of taocms 3.0.2 in parameter id:action=cms&ctrl=update&id=26
- CVE-2021-45041HIGHCVSS 8.8EG 8.82021-12-19
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.
- CVE-2021-45252CRITICALCVSS 9.8EG 9.82021-12-21
Multiple SQL injection vulnerabilities are found on Simple Forum-Discussion System 1.0 For example on three applications which are manage_topic.php, manage_user.php, and ajax.php. The attacker can be retrieving all information from the dat…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →