CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 144 of 378
- CVE-2022-1375CRITICALCVSS 9.8EG 9.82022-05-02
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_slogHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and ex…
- CVE-2022-1376CRITICALCVSS 9.8EG 9.82022-05-02
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and…
- CVE-2022-1377CRITICALCVSS 9.8EG 9.82022-05-02
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_rltHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and exe…
- CVE-2022-1378CRITICALCVSS 9.8EG 9.82022-05-02
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and exec…
- CVE-2022-1429HIGHCVSS 7.5EG 7.52022-04-22
SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of steal the data
- CVE-2022-1453CRITICALCVSS 9.8EG 7.52022-05-10
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unaut…
- CVE-2022-1472HIGHCVSS 7.2EG 7.22022-06-20
The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection
- CVE-2022-1505CRITICALCVSS 9.8EG 7.52022-05-10
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible …
- CVE-2022-1531CRITICALCVSS 9.8EG 9.82022-04-29
SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.
- CVE-2022-1552HIGHCVSS 8.8EG 8.82022-08-31
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amc…
- CVE-2022-1556CRITICALCVSS 9.8EG 9.82022-05-30
The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection
- CVE-2022-1683HIGHCVSS 8.8EG 8.82022-06-08
The amtyThumb WordPress plugin through 4.2.0 does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user (and not just Author+ like…
- CVE-2022-1684LOWCVSS 2.7EG 2.72022-06-08
The Cube Slider WordPress plugin through 1.2 does not sanitise and escape the idslider parameter before using it in various SQL queries, leading to SQL Injections exploitable by high privileged users such as admin
- CVE-2022-1685MEDIUMCVSS 4.9EG 4.92022-06-08
The Five Minute Webshop WordPress plugin through 1.3.2 does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection
- CVE-2022-1686LOWCVSS 2.7EG 2.72022-06-08
The Five Minute Webshop WordPress plugin through 1.3.2 does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection
- CVE-2022-1687LOWCVSS 2.7EG 2.72022-06-08
The Logo Slider WordPress plugin through 1.4.8 does not sanitise and escape the lsp_slider_id parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection
- CVE-2022-1688LOWCVSS 2.7EG 2.72022-06-08
The Note Press WordPress plugin through 0.1.10 does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections
- CVE-2022-1689LOWCVSS 2.7EG 2.72022-06-08
The Note Press WordPress plugin through 0.1.10 does not sanitise and escape the Update parameter before using it in a SQL statement when updating a note via the admin dashboard, leading to an SQL injection
- CVE-2022-1690LOWCVSS 2.7EG 2.72022-06-08
The Note Press WordPress plugin through 0.1.10 does not sanitise and escape the ids from the bulk actions before using them in a SQL statement in an admin page, leading to an SQL injection
- CVE-2022-1691MEDIUMCVSS 4.9EG 4.92022-06-08
The Realty Workstation WordPress plugin before 1.0.15 does not sanitise and escape the trans_edit parameter before using it in a SQL statement when an agent edit a transaction, leading to an SQL injection
- CVE-2022-1692CRITICALCVSS 9.8EG 9.82022-06-08
The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated…
- CVE-2022-1731CRITICALCVSS 9.8EG 9.82022-05-16
Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0 is vulnerable to a SQL injection attack in the username field. SSO or System authentication are required to be enabled for vulnerable conditions to exist.
- CVE-2022-1768CRITICALCVSS 9.8EG 9.02022-06-13
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possi…
- CVE-2022-1800HIGHCVSS 7.2EG 7.22022-06-13
The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.
- CVE-2022-1807HIGHCVSS 7.2EG 7.22022-09-07
Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.
- CVE-2022-1838MEDIUMCVSS 4.7EG 7.22022-05-24
A vulnerability classified as critical has been found in Home Clean Services Management System 1.0. This affects an unknown part of admin/login.php. The manipulation of the argument username with the input admin%'/**/AND/**/(SELECT/**/5383…
- CVE-2022-1839MEDIUMCVSS 6.3EG 8.82022-05-24
A vulnerability classified as critical was found in Home Clean Services Management System 1.0. This vulnerability affects the file login.php. The manipulation of the argument email with the input admin%'/**/AND/**/(SELECT/**/5383/**/FROM/*…
- CVE-2022-1883HIGHCVSS 8.8EG 8.82022-05-25
SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.
- CVE-2022-1887CRITICALCVSS 9.8EG 9.82022-12-22
The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS < 101.
- CVE-2022-1905CRITICALCVSS 9.8EG 9.82022-06-20
The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
- CVE-2022-1950CRITICALCVSS 9.8EG 9.82022-08-01
The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
- CVE-2022-2017MEDIUMCVSS 4.7EG 7.22022-06-09
A vulnerability was found in SourceCodester Prison Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /pms/admin/visits/view_visit.php of the component Visit Handler. The manipulati…
- CVE-2022-2018MEDIUMCVSS 4.7EG 7.22022-06-09
A vulnerability classified as critical has been found in SourceCodester Prison Management System 1.0. Affected is an unknown function of the file /admin/?page=inmates/view_inmate of the component Inmate Handler. The manipulation of the arg…
- CVE-2022-20280LOWCVSS 3.3EG 3.32022-08-12
In MMSProvider, there is a possible read of protected data due to improper input validationSQL injection. This could lead to local information disclosure of sms/mms data with User execution privileges needed. User interaction is not needed…
- CVE-2022-20351MEDIUMCVSS 5.5EG 5.52022-10-11
In queryInternal of CallLogProvider.java, there is a possible access to voicemail information due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not nee…
- CVE-2022-20517MEDIUMCVSS 5.5EG 5.52022-12-16
In getMessagesByPhoneNumber of MmsSmsProvider.java, there is a possible access to restricted tables due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is n…
- CVE-2022-20518MEDIUMCVSS 5.5EG 5.52022-12-16
In query of MmsSmsProvider.java, there is a possible access to restricted tables due to SQL injection. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.P…
- CVE-2022-2067CRITICALCVSS 9.1EG 9.12022-06-13
SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.
- CVE-2022-20786MEDIUMCVSS 5.4EG 8.12022-04-21
A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected sys…
- CVE-2022-2086MEDIUMCVSS 6.3EG 8.82022-06-15
A vulnerability, which was classified as critical, has been found in SourceCodester Bank Management System 1.0. Affected by this issue is login.php. The manipulation of the argument password with the input 1'and 1=2 union select 1,sleep(10…
- CVE-2022-20867MEDIUMCVSS 5.4EG 6.52022-11-04
A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system.…
- CVE-2022-21176HIGHCVSS 8.6EG 8.62022-02-18
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not properly sanitize user input, which may allow an attacker to perform a SQL injection …
- CVE-2022-21210HIGHCVSS 8.8EG 8.82022-04-14
An SQL injection vulnerability exists in the AssetActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vu…
- CVE-2022-21234HIGHCVSS 8.8EG 8.82022-04-14
An SQL injection vulnerability exists in the EchoAssets.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vuln…
- CVE-2022-2135HIGHCVSS 7.5EG 7.52022-07-22
The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information.
- CVE-2022-2136HIGHCVSS 8.8EG 6.52022-07-22
The affected product is vulnerable to multiple SQL injections that require low privileges for exploitation and may allow an unauthorized attacker to disclose information.
- CVE-2022-2137MEDIUMCVSS 4.9EG 4.92022-07-22
The affected product is vulnerable to two SQL injections that require high privileges for exploitation and may allow an unauthorized attacker to disclose information
- CVE-2022-2142HIGHCVSS 8.1EG 5.92022-07-22
The affected product is vulnerable to a SQL injection with high attack complexity, which may allow an unauthorized attacker to disclose information.
- CVE-2022-21643CRITICALCVSS 10.0EG 10.02022-01-04
USOC is an open source CMS with a focus on simplicity. In affected versions USOC allows for SQL injection via register.php. In particular usernames, email addresses, and passwords provided by the user were not sanitized and were used direc…
- CVE-2022-21644CRITICALCVSS 9.1EG 9.12022-01-04
USOC is an open source CMS with a focus on simplicity. In affected versions USOC allows for SQL injection via usersearch.php. In search terms provided by the user were not sanitized and were used directly to construct a sql statement. The …
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →