CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 146 of 378
- CVE-2022-23695HIGHCVSS 8.8EG 8.82022-09-20
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these …
- CVE-2022-23696HIGHCVSS 8.8EG 8.82022-09-20
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these …
- CVE-2022-23767HIGHCVSS 8.8EG 9.82022-09-19
This vulnerability of SecureGate is SQL-Injection using login without password. A path traversal vulnerability is also identified during file transfer. An attacker can take advantage of these vulnerabilities to perform various attacks such…
- CVE-2022-23797CRITICALCVSS 9.8EG 9.82022-03-30
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection.
- CVE-2022-23857MEDIUMCVSS 6.5EG 6.52022-01-24
model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user ta…
- CVE-2022-23865CRITICALCVSS 9.8EG 9.82022-04-15
Nyron 1.0 is affected by a SQL injection vulnerability through Nyron/Library/Catalog/winlibsrch.aspx. To exploit this vulnerability, an attacker must inject '"> on the thes1 parameter.
- CVE-2022-23873HIGHCVSS 8.8EG 8.82022-02-03
Victor CMS v1.0 was discovered to contain a SQL injection vulnerability that allows attackers to inject arbitrary commands via 'user_firstname' parameter.
- CVE-2022-23882CRITICALCVSS 9.8EG 9.82022-03-28
TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php.
- CVE-2022-23898CRITICALCVSS 9.8EG 9.82022-03-03
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.
- CVE-2022-23899CRITICALCVSS 9.8EG 9.82022-03-03
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.
- CVE-2022-23902CRITICALCVSS 9.8EG 9.82022-02-14
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in export_data.php via the d_name parameter.
- CVE-2022-23911HIGHCVSS 7.2EG 7.22022-02-28
The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection
- CVE-2022-23972HIGHCVSS 8.8EG 8.82022-04-07
ASUS RT-AX56U’s SQL handling function has an SQL injection vulnerability due to insufficient user input validation. An unauthenticated LAN attacker to inject arbitrary SQL code to read, modify and delete database.
- CVE-2022-23986HIGHCVSS 7.5EG 7.52022-02-24
SQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the information in the database via unspecified vectors.
- CVE-2022-24121HIGHCVSS 7.5EG 7.52022-02-03
SQL Injection vulnerability discovered in Unified Office Total Connect Now that would allow an attacker to extract sensitive information through a cookie parameter.
- CVE-2022-24124HIGHCVSS 7.5EG 7.52022-01-29
The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
- CVE-2022-24206CRITICALCVSS 9.8EG 9.82022-02-14
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in /mobile_seal/get_seal.php via the DEVICE_LIST parameter.
- CVE-2022-2421CRITICALCVSS 10.0EG 10.02022-10-26
Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
- CVE-2022-24219CRITICALCVSS 9.8EG 9.82022-02-01
eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_page.php.
- CVE-2022-2422CRITICALCVSS 10.0EG 10.02022-10-26
Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
- CVE-2022-24220CRITICALCVSS 9.8EG 9.82022-02-01
eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_post.php.
- CVE-2022-24221CRITICALCVSS 9.8EG 9.82022-02-01
eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/functions/functions.php.
- CVE-2022-24222CRITICALCVSS 9.8EG 9.82022-02-01
eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/edit_user.php.
- CVE-2022-24223CRITICALCVSS 9.8EG 9.82022-02-01
AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php.
- CVE-2022-24226HIGHCVSS 7.5EG 7.52022-02-15
Hospital Management System v4.0 was discovered to contain a blind SQL injection vulnerability via the register function in func2.php.
- CVE-2022-24231CRITICALCVSS 9.8EG 6.12022-04-05
Simple Student Information System v1.0 was discovered to contain a SQL injection vulnerability via add/Student.
- CVE-2022-24240CRITICALCVSS 9.8EG 9.82022-06-02
ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the criteria parameter in showschedule.awp.
- CVE-2022-24260CRITICALCVSS 9.8EG 9.82022-02-04
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
- CVE-2022-24263CRITICALCVSS 9.8EG 9.82022-01-31
Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter.
- CVE-2022-24264HIGHCVSS 7.5EG 7.52022-01-31
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.
- CVE-2022-24265HIGHCVSS 7.5EG 7.52022-01-31
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.
- CVE-2022-24266HIGHCVSS 7.5EG 7.52022-01-31
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.
- CVE-2022-24281HIGHCVSS 7.2EG 7.22022-03-08
A vulnerability has been identified in SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). A privileged authenticated attacker could execute arbitrary commands in the local database by sending specially crafted requests to…
- CVE-2022-24391HIGHCVSS 8.8EG 8.82022-05-17
Vulnerability in Fidelis Network and Deception CommandPost enables SQL injection through the web interface by an attacker with user level access. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patche…
- CVE-2022-24407HIGHCVSS 8.8EG 8.82022-02-24
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
- CVE-2022-24571CRITICALCVSS 9.8EG 9.82022-02-28
Car Driving School Management System v1.0 is affected by SQL injection in the login page. An attacker can use simple SQL login injection payload to get admin access.
- CVE-2022-2460CRITICALCVSS 9.8EG 9.82022-08-08
The WPDating WordPress plugin before 7.4.0 does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities exploitable by unauthenticated users
- CVE-2022-24600CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection through /admin/login.php. An attacker can log in to the background through SQL injection statements.
- CVE-2022-24601HIGHCVSS 7.5EG 7.52022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/manager/admin_mod.php. An attacker can obtain sensitive information through SQL injection statements.
- CVE-2022-24602CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php.
- CVE-2022-24603CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/news/sort_mod.php.
- CVE-2022-24604CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/link/link_mod.php.
- CVE-2022-24605CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/link/link_ok.php.
- CVE-2022-24606CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php.
- CVE-2022-24607CRITICALCVSS 9.8EG 9.82022-03-10
Luocms v2.0 is affected by SQL Injection in /admin/news/news_ok.php.
- CVE-2022-24627CRITICALCVSS 9.8EG 9.82023-05-29
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form.
- CVE-2022-24628HIGHCVSS 7.2EG 7.22023-05-29
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php.
- CVE-2022-24646HIGHCVSS 7.5EG 7.52022-02-10
Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters.
- CVE-2022-2467HIGHCVSS 7.3EG 9.82022-07-19
A vulnerability has been found in SourceCodester Garage Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument username with the input [email protected]' AND…
- CVE-2022-2468MEDIUMCVSS 6.3EG 8.82022-07-19
A vulnerability was found in SourceCodester Garage Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /editbrand.php. The manipulation of the argument id leads to sql injection. The att…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →