CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 141 of 378
- CVE-2021-45253CRITICALCVSS 9.8EG 9.82021-12-21
The id parameter in view_storage.php from Simple Cold Storage Management System 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that refere…
- CVE-2021-45255CRITICALCVSS 9.8EG 9.82021-12-21
The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an exte…
- CVE-2021-45334CRITICALCVSS 9.8EG 9.82022-01-10
Sourcecodester Online Thesis Archiving System 1.0 is vulnerable to SQL Injection. An attacker can bypass admin authentication and gain access to admin panel using SQL Injection
- CVE-2021-45406HIGHCVSS 8.8EG 8.82022-01-14
In SalonERP 3.0.1, a SQL injection vulnerability allows an attacker to inject payload using 'sql' parameter in SQL query while generating a report. Upon successfully discovering the login admin password hash, it can be decrypted to obtain …
- CVE-2021-45435CRITICALCVSS 9.8EG 9.82022-01-28
An SQL Injection vulnerability exists in Sourcecodester Simple Cold Storage Management System using PHP/OOP 1.0 via the username field in login.php.
- CVE-2021-45788HIGHCVSS 8.8EG 8.82022-09-29
Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.
- CVE-2021-45791HIGHCVSS 8.8EG 8.82022-03-17
Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. …
- CVE-2021-45793HIGHCVSS 7.5EG 7.52022-03-17
Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.
- CVE-2021-45794HIGHCVSS 7.5EG 7.52022-03-17
Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained.
- CVE-2021-45802CRITICALCVSS 9.8EG 9.82022-01-25
MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because the email and phone parameter values are added to the SQL query without any verification at the time of membership registration.
- CVE-2021-45803HIGHCVSS 8.8EG 8.82022-01-25
MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because this view parameter value is added to the SQL query without additional verification when viewing reservation.
- CVE-2021-45811MEDIUMCVSS 6.5EG 6.52023-09-08
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
- CVE-2021-45814CRITICALCVSS 9.8EG 9.82021-12-28
Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attacker can bypass authentication and access the panel with an administrative account.
- CVE-2021-45821HIGHCVSS 8.8EG 8.82022-03-16
A blind SQL injection vulnerability exists in Xbtit 3.1 via the sid parameter in ajaxchat/getHistoryChatData.php file that is accessible by a registered user. As a result, a malicious user can extract sensitive data such as usernames and p…
- CVE-2021-46024CRITICALCVSS 9.8EG 9.82022-01-23
Projectworlds online-shopping-webvsite-in-php 1.0 suffers from a SQL Injection vulnerability via the "id" parameter in cart_add.php, No login is required.
- CVE-2021-46061CRITICALCVSS 9.8EG 9.82022-01-20
An SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0 via the code parameter in /rsms/ node app.
- CVE-2021-46089CRITICALCVSS 9.8EG 9.82022-01-25
In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges.
- CVE-2021-46110CRITICALCVSS 9.8EG 9.82022-02-18
Online Shopping Portal v3.1 was discovered to contain multiple time-based SQL injection vulnerabilities via the email and contactno parameters.
- CVE-2021-46198CRITICALCVSS 9.8EG 9.82022-01-21
An SQL Injection vulnerability exists in Sourceodester Courier Management System 1.0 via the email parameter in /cms/ajax.php app.
- CVE-2021-46200CRITICALCVSS 9.8EG 9.82022-01-21
An SQL Injection vulnerability exists in Sourcecodester Simple Music Clour Community System 1.0 via the email parameter in /music/ajax.php.
- CVE-2021-46201CRITICALCVSS 9.8EG 9.82022-01-21
An SQL Injection vulnerability exists in Sourcecodester Online Resort Management System 1.0 via the id parameterv in /orms/ node.
- CVE-2021-46204CRITICALCVSS 9.8EG 9.82022-01-19
Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter. SQL injection vulnerability via taocms\include\Model\Article.php.
- CVE-2021-46307CRITICALCVSS 9.8EG 9.82022-01-21
An SQL Injection vulnerability exists in Projectworlds Online Examination System 1.0 via the eid parameter in account.php.
- CVE-2021-46308CRITICALCVSS 9.8EG 9.82022-01-21
An SQL Injection vulnerability exists in Sourcecodester Online Railway Reservation Sysytem 1.0 via the sid parameter.
- CVE-2021-46309CRITICALCVSS 9.8EG 9.82022-01-21
An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter.
- CVE-2021-46377CRITICALCVSS 9.8EG 9.82022-01-27
There is a front-end sql injection vulnerability in cszcms 1.2.9 via cszcms/controllers/Member.php#viewUser
- CVE-2021-46383HIGHCVSS 7.5EG 7.52022-01-26
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). ¶¶ MCM…
- CVE-2021-46385HIGHCVSS 7.5EG 7.52022-01-26
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). ¶�…
- CVE-2021-46427CRITICALCVSS 9.8EG 9.82022-01-27
An SQL Injection vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 via the message parameter in Master.php.
- CVE-2021-46436HIGHCVSS 7.2EG 7.22022-04-08
An issue was discovered in ZZCMS 2021. There is a SQL injection vulnerability in ad_manage.php.
- CVE-2021-46444CRITICALCVSS 9.8EG 9.82022-01-28
H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/admin.php?module=admin_group_edit&agID.
- CVE-2021-46445CRITICALCVSS 9.8EG 9.82022-01-28
H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/categories.php?box_group_id.
- CVE-2021-46446CRITICALCVSS 9.8EG 9.82022-01-28
H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/admin.php?module=admin_access_group_edit&aagID.
- CVE-2021-46448CRITICALCVSS 9.8EG 9.82022-01-28
H.H.G Multistore v5.1.0 and below was discovered to contain a SQL injection vulnerability via /admin/customers.php?page=1&cID.
- CVE-2021-46451CRITICALCVSS 9.8EG 9.82022-01-24
An SQL Injection vulnerabilty exists in Sourcecodester Online Project Time Management System 1.0 via the pid parameter in the load_file function.
- CVE-2021-46458HIGHCVSS 7.5EG 7.52022-01-31
Victor CMS v1.0 was discovered to contain a SQL injection vulnerability in the component admin/posts.php?source=add_post. This vulnerability can be exploited through a crafted POST request via the post_title parameter.
- CVE-2021-46459HIGHCVSS 7.5EG 7.52022-01-31
Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=add_user. These vulnerabilities can be exploited through a crafted POST request via the user_name, user_firstname,user…
- CVE-2021-47693HIGHCVSS 8.8EG 8.82025-10-30
The Core Config Manager (CCM) in Nagios XI versions prior to CCM 3.1.3 / Nagios XI 5.8.5 contains a SQL injection vulnerability in the search text handling. Unsanitized user-supplied input was incorporated into SQL queries used by configu…
- CVE-2021-47704MEDIUMCVSS 6.5EG 6.52025-12-09
OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious 'id' values to …
- CVE-2021-47708CRITICALCVSS 9.3EG 9.32025-12-09
COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending…
- CVE-2021-47711HIGHCVSS 8.8EG 8.82025-12-18
A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters. This enables unauthorized database access and potential data manipulation by expl…
- CVE-2021-47714MEDIUMCVSS 5.5EG 6.82025-12-22
Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL …
- CVE-2021-47720HIGHCVSS 7.1EG 7.12025-12-23
Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_pr…
- CVE-2021-47763HIGHCVSS 8.2EG 8.22026-01-15
Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending …
- CVE-2021-47766HIGHCVSS 7.1EG 7.12026-01-15
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-b…
- CVE-2021-47777HIGHCVSS 8.2EG 8.22026-01-15
Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipul…
- CVE-2021-47782HIGHCVSS 8.2EG 8.22026-01-16
Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads t…
- CVE-2021-47801HIGHCVSS 8.2EG 8.22026-01-16
Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed…
- CVE-2021-47811CRITICALCVSS 9.1EG 8.22026-01-16
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to t…
- CVE-2021-47846HIGHCVSS 8.2EG 8.22026-01-21
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending cr…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →