CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 145 of 378
- CVE-2022-21661HIGHCVSS 8.0EG 9.02022-01-06
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that us…
- CVE-2022-21664HIGHCVSS 7.4EG 7.42022-01-06
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This ha…
- CVE-2022-21666HIGHCVSS 7.2EG 7.22022-01-10
Useful Simple Open-Source CMS (USOC) is a content management system (CMS) for programmers. Versions prior to Pb2.4Bfx3 allowed Sql injection in usersearch.php only for users with administrative privileges. Users should replace the file `ad…
- CVE-2022-21720MEDIUMCVSS 4.9EG 4.92022-01-28
GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround,…
- CVE-2022-2177CRITICALCVSS 9.4EG 9.82022-09-20
Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.
- CVE-2022-22055CRITICALCVSS 9.8EG 9.82022-01-14
The Le-yan dental management system contains an SQL-injection vulnerability. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to acquire administrator’s privilege and perform arbitrary ope…
- CVE-2022-2214MEDIUMCVSS 6.3EG 8.82022-06-27
A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with…
- CVE-2022-22149HIGHCVSS 8.8EG 8.82022-04-14
A SQL injection vulnerability exists in the HelpdeskEmailActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger …
- CVE-2022-22280CRITICALCVSS 9.8EG 9.82022-07-29
Improper Neutralization of Special Elements used in an SQL Command leading to Unauthenticated SQL Injection vulnerability, impacting SonicWall GMS 9.3.1-SP2-Hotfix1, Analytics On-Prem 2.5.0.3-2520 and earlier versions.
- CVE-2022-22294CRITICALCVSS 9.8EG 9.82022-01-28
A SQL injection vulnerability exists in ZFAKA<=1.43 which an attacker can use to complete SQL injection in the foreground and add a background administrator account.
- CVE-2022-22295CRITICALCVSS 9.8EG 9.82022-02-14
Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter.
- CVE-2022-22338MEDIUMCVSS 6.3EG 9.82023-01-04
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information i…
- CVE-2022-2238MEDIUMCVSS 6.5EG 6.52022-09-01
A vulnerability was found in the search-api container in Red Hat Advanced Cluster Management for Kubernetes when a query in the search filter gets parsed by the backend. This flaw allows an attacker to craft specific strings containing spe…
- CVE-2022-22389MEDIUMCVSS 6.5EG 6.52022-06-24
IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user. IBM X-Force ID: 22197…
- CVE-2022-22413CRITICALCVSS 9.8EG 9.82022-05-12
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-…
- CVE-2022-22463MEDIUMCVSS 6.5EG 6.52022-07-08
IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete i…
- CVE-2022-22495HIGHCVSS 8.8EG 8.82022-05-24
IBM i 7.3, 7.4, and 7.5 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 2269…
- CVE-2022-22524CRITICALCVSS 9.4EG 9.42022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .
- CVE-2022-22540HIGHCVSS 7.5EG 7.52022-02-09
SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could r…
- CVE-2022-2262MEDIUMCVSS 4.7EG 7.22022-07-12
A vulnerability has been found in Online Hotel Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file edit_all_room.php of the component Room Handler. The manipulation of the a…
- CVE-2022-2263MEDIUMCVSS 4.7EG 7.22022-07-12
A vulnerability was found in Online Hotel Booking System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file edit_room_cat.php of the component Room Handler. The manipulation of the argument roo…
- CVE-2022-2269CRITICALCVSS 9.8EG 9.82022-08-08
The Website File Changes Monitor WordPress plugin before 1.8.3 does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default admins), leading to a…
- CVE-2022-2272CRITICALCVSS 9.8EG 9.82022-08-03
This vulnerability allows remote attackers to bypass authentication on affected installations of Sante PACS Server 3.0.4. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls…
- CVE-2022-22735HIGHCVSS 8.8EG 8.82022-03-14
The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such a…
- CVE-2022-22794MEDIUMCVSS 6.8EG 9.82022-02-24
Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?…
- CVE-2022-22880CRITICALCVSS 9.8EG 9.82022-02-16
Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId.
- CVE-2022-22881CRITICALCVSS 9.8EG 9.82022-02-16
Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData.
- CVE-2022-22897CRITICALCVSS 9.8EG 9.82022-08-29
A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data.
- CVE-2022-2298HIGHCVSS 7.3EG 9.82022-07-12
A vulnerability has been found in SourceCodester Clinics Patient Management System 2.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pms/index.php of the component Login Page. The manip…
- CVE-2022-23046HIGHCVSS 7.2EG 7.22022-01-19
PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php
- CVE-2022-2315CRITICALCVSS 9.4EG 9.82022-09-21
Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.
- CVE-2022-23168MEDIUMCVSS 5.9EG 9.82022-06-13
The attacker could get access to the database. The SQL injection is in the username parameter at the login panel: username: admin'--
- CVE-2022-23169MEDIUMCVSS 5.9EG 7.22022-06-13
attacker needs to craft a SQL payload. the vulnerable parameter is "agentid" must be authenticated to the admin panel.
- CVE-2022-23305CRITICALCVSS 9.8EG 9.82022-01-18
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows att…
- CVE-2022-23314CRITICALCVSS 9.8EG 9.82022-01-21
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do.
- CVE-2022-23335CRITICALCVSS 9.8EG 9.82022-02-14
Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter.
- CVE-2022-23336CRITICALCVSS 9.8EG 9.82022-02-14
S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter.
- CVE-2022-23337CRITICALCVSS 9.8EG 9.82022-02-14
DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerability in article_coonepage_rule.php via the ids parameter.
- CVE-2022-23358CRITICALCVSS 9.8EG 9.82022-02-16
EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement.
- CVE-2022-23363CRITICALCVSS 9.8EG 9.82022-01-21
Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via index.php.
- CVE-2022-23364CRITICALCVSS 9.8EG 9.82022-01-21
HMS v1.0 was discovered to contain a SQL injection vulnerability via adminlogin.php.
- CVE-2022-23365CRITICALCVSS 9.8EG 9.82022-01-21
HMS v1.0 was discovered to contain a SQL injection vulnerability via doctorlogin.php.
- CVE-2022-23366CRITICALCVSS 9.8EG 9.82022-01-21
HMS v1.0 was discovered to contain a SQL injection vulnerability via patientlogin.php.
- CVE-2022-23379CRITICALCVSS 9.8EG 9.82022-02-04
Emlog v6.0 was discovered to contain a SQL injection vulnerability via the $TagID parameter of getblogidsfromtagid().
- CVE-2022-23380HIGHCVSS 8.8EG 8.82022-03-01
There is a SQL injection vulnerability in the background of taocms 3.0.2 in parameter id:action=admin&id=2&ctrl=edit.
- CVE-2022-23387HIGHCVSS 7.5EG 7.52022-03-01
An issue was discovered in taocms 3.0.2. This is a SQL blind injection that can obtain database data through the Comment Update field.
- CVE-2022-23510CRITICALCVSS 9.6EG 9.62022-12-09
cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolve…
- CVE-2022-23692HIGHCVSS 8.8EG 8.82022-09-20
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these …
- CVE-2022-23693HIGHCVSS 8.8EG 8.82022-09-20
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these …
- CVE-2022-23694HIGHCVSS 8.8EG 8.82022-09-20
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these …
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →