CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 147 of 378
- CVE-2022-24690HIGHCVSS 8.2EG 8.22022-07-18
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A PresAbs.php SQL Injection vulnerability allows unauthenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Inj…
- CVE-2022-24691HIGHCVSS 7.1EG 7.12022-07-18
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A SQL Injection vulnerability allows authenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blin…
- CVE-2022-24707HIGHCVSS 7.4EG 7.42022-02-24
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1…
- CVE-2022-24752CRITICALCVSS 9.8EG 9.82022-03-15
SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could l…
- CVE-2022-24815HIGHCVSS 8.1EG 8.12022-04-11
JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. SQL Injection vulnerability in entities for applications generated with the option "reactive with Spring WebFlu…
- CVE-2022-24827HIGHCVSS 8.1EG 8.12022-04-11
Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: Elide Aggregation Data Store for Analytic Queries, Parameterized Columns (A column that requires a c…
- CVE-2022-24831HIGHCVSS 8.3EG 8.32022-05-14
OpenClinica is an open source software for Electronic Data Capture (EDC) and Clinical Data Management (CDM). Versions prior to 3.16.1 are vulnerable to SQL injection due to the use of string concatenation to create SQL queries instead of p…
- CVE-2022-24844HIGHCVSS 8.1EG 8.12022-04-13
Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQ…
- CVE-2022-24848HIGHCVSS 8.8EG 8.82022-06-01
DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the `/api/programs/orgUnits?programs=` API endpoint in DHIS2 versions prior to 2.36.10.1 a…
- CVE-2022-2489MEDIUMCVSS 6.3EG 8.82022-07-20
A vulnerability was found in SourceCodester Simple E-Learning System 1.0. It has been rated as critical. This issue affects some unknown processing of the file classRoom.php. The manipulation of the argument classCode with the input 1'||(S…
- CVE-2022-2490MEDIUMCVSS 6.3EG 8.82022-07-20
A vulnerability classified as critical has been found in SourceCodester Simple E-Learning System 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument classCode with the input 1'||(SELECT 0x74666264 …
- CVE-2022-2491MEDIUMCVSS 6.3EG 8.82022-07-20
A vulnerability has been found in SourceCodester Library Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file lab.php. The manipulation of the argument Section with the input 1' UNION ALL SE…
- CVE-2022-2492MEDIUMCVSS 6.3EG 8.82022-07-20
A vulnerability was found in SourceCodester Library Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /index.php. The manipulation of the argument RollNo with the input admin' AND (SEL…
- CVE-2022-24956MEDIUMCVSS 6.5EG 6.52022-03-29
An issue was discovered in Shopware B2B-Suite through 4.4.1. The sort-by parameter of the search functionality of b2border and b2borderlist allows SQL injection. Possible techniques are boolean-based blind, time-based blind, and potentiall…
- CVE-2022-25003CRITICALCVSS 9.8EG 9.82022-02-24
Hospital Patient Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/doctors/view_doctor.php.
- CVE-2022-25004CRITICALCVSS 9.8EG 9.82022-02-24
Hospital Patient Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/doctors/manage_doctor.php.
- CVE-2022-2504CRITICALCVSS 9.8EG 9.82023-02-23
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432.
- CVE-2022-25096CRITICALCVSS 9.8EG 9.82022-02-26
Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php.
- CVE-2022-25125CRITICALCVSS 9.8EG 9.82022-03-03
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.
- CVE-2022-25148CRITICALCVSS 9.8EG 9.82022-02-24
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without a…
- CVE-2022-25149CRITICALCVSS 9.8EG 9.82022-02-24
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication…
- CVE-2022-25222CRITICALCVSS 9.8EG 9.82022-03-23
Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in 'admin/maintenance/manage_branch.php' and 'admin/maintenance/manage_fee.php' via the 'id' parameter.
- CVE-2022-25223MEDIUMCVSS 4.3EG 4.32022-03-23
Money Transfer Management System Version 1.0 allows an authenticated user to inject SQL queries in 'mtms/admin/?page=transaction/view_details' via the 'id' parameter.
- CVE-2022-25225HIGHCVSS 7.2EG 7.22022-03-10
Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation (Postgre…
- CVE-2022-25228MEDIUMCVSS 6.5EG 6.52022-08-18
CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via…
- CVE-2022-25322CRITICALCVSS 9.8EG 9.82022-02-18
ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.
- CVE-2022-25393HIGHCVSS 7.5EG 7.52022-03-02
Simple Bakery Shop Management v1.0 was discovered to contain a SQL injection vulnerability via the username parameter.
- CVE-2022-25394CRITICALCVSS 9.8EG 9.82022-03-02
Medical Store Management System v1.0 was discovered to contain a SQL injection vulnerability via the cid parameter under customer-add.php.
- CVE-2022-25396CRITICALCVSS 9.8EG 9.82022-03-02
Cosmetics and Beauty Product Online Store v1.0 was discovered to contain a SQL injection vulnerability via the search parameter.
- CVE-2022-25398CRITICALCVSS 9.8EG 9.82022-03-02
Auto Spare Parts Management v1.0 was discovered to contain a SQL injection vulnerability via the user parameter.
- CVE-2022-25399CRITICALCVSS 9.8EG 9.82022-03-02
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter.
- CVE-2022-25403CRITICALCVSS 9.8EG 9.82022-02-24
HMS v1.0 was discovered to contain a SQL injection vulnerability via the component admin.php.
- CVE-2022-25404CRITICALCVSS 9.8EG 9.82022-02-24
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete.php via the DELETE_STR parameter.
- CVE-2022-25405CRITICALCVSS 9.8EG 9.82022-02-24
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in change_box.php via the DELETE_STR parameter.
- CVE-2022-25406CRITICALCVSS 9.8EG 9.82022-02-24
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete_query.php via the DELETE_STR parameter.
- CVE-2022-25488CRITICALCVSS 9.8EG 9.82022-03-15
Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php.
- CVE-2022-25490CRITICALCVSS 9.8EG 9.82022-03-15
HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in department.php.
- CVE-2022-25491HIGHCVSS 7.5EG 7.52022-03-15
HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in appointment.php.
- CVE-2022-25492CRITICALCVSS 9.8EG 9.82022-03-15
HMS v1.0 was discovered to contain a SQL injection vulnerability via the medicineid parameter in ajaxmedicine.php.
- CVE-2022-25494CRITICALCVSS 9.8EG 9.82022-03-15
Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via staff_login.php.
- CVE-2022-25505CRITICALCVSS 9.8EG 9.82022-03-21
Taocms v3.0.2 was discovered to contain a SQL injection vulnerability via the id parameter in \include\Model\Category.php.
- CVE-2022-25506MEDIUMCVSS 6.5EG 6.52022-03-11
FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.
- CVE-2022-25517CRITICALCVSS 9.8EG 9.82022-03-22
MyBatis plus v3.4.3 was discovered to contain a SQL injection vulnerability via the Column parameter in /core/conditions/AbstractWrapper.java. NOTE: the vendor's position is that the reported execution of a SQL statement was intended behav…
- CVE-2022-2559HIGHCVSS 7.2EG 7.22022-08-29
The Fluent Support WordPress plugin before 1.5.8 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection vulnerability exploitable by high privilege users
- CVE-2022-25607MEDIUMCVSS 6.6EG 7.22022-03-18
Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727).
- CVE-2022-2577MEDIUMCVSS 6.3EG 8.82022-07-29
A vulnerability classified as critical was found in SourceCodester Garage Management System 1.0. This vulnerability affects unknown code of the file /edituser.php. The manipulation of the argument id with the input -2'%20UNION%20select%201…
- CVE-2022-25775MEDIUMCVSS 6.6EG 6.62024-09-18
Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user could retrieve and alter data like sensitive data, login, and depending on database permission the at…
- CVE-2022-25811HIGHCVSS 7.2EG 7.22022-08-22
The Transposh WordPress Translation WordPress plugin through 1.0.8 does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection
- CVE-2022-25880CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and exec…
- CVE-2022-2593HIGHCVSS 7.2EG 7.22022-08-22
The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →