CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 148 of 378
- CVE-2022-25980CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and …
- CVE-2022-26013CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents,…
- CVE-2022-26059CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execut…
- CVE-2022-26065CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and exec…
- CVE-2022-26069CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, an…
- CVE-2022-26116HIGHCVSS 7.2EG 8.82022-05-11
Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.…
- CVE-2022-26120MEDIUMCVSS 5.4EG 8.82022-07-18
Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in FortiADC management interface 7.0.0 through 7.0.1, 5.0.0 through 6.2.2 may allow an authenticated attacker to execute…
- CVE-2022-26169CRITICALCVSS 9.8EG 9.82022-03-02
Air Cargo Management System v1.0 was discovered to contain a SQL injection vulnerability via the ref_code parameter.
- CVE-2022-26170CRITICALCVSS 9.8EG 9.82022-03-02
Simple Mobile Comparison Website v1.0 was discovered to contain a SQL injection vulnerability via the search parameter.
- CVE-2022-26171CRITICALCVSS 9.8EG 9.82022-03-02
Bank Management System v1.o was discovered to contain a SQL injection vulnerability via the email parameter.
- CVE-2022-26201CRITICALCVSS 9.8EG 9.82022-03-04
Victor CMS v1.0 was discovered to contain a SQL injection vulnerability.
- CVE-2022-26245CRITICALCVSS 9.8EG 9.82022-03-27
Falcon-plus v0.3 was discovered to contain a SQL injection vulnerability via the parameter grpName in /config/service/host.go.
- CVE-2022-26266HIGHCVSS 8.8EG 8.82022-03-18
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
- CVE-2022-26268CRITICALCVSS 9.8EG 9.82022-03-28
Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php.
- CVE-2022-26283CRITICALCVSS 9.8EG 9.82022-03-21
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the view_plan endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests.
- CVE-2022-26284CRITICALCVSS 9.8EG 9.82022-03-21
Simple Client Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the manage_client endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP reques…
- CVE-2022-26285CRITICALCVSS 9.8EG 9.82022-03-21
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the apply endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests.
- CVE-2022-26293CRITICALCVSS 9.8EG 9.82022-03-16
Online Project Time Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the function save_employee at /ptms/classes/Users.php.
- CVE-2022-26301CRITICALCVSS 9.8EG 9.82022-03-24
TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability via the component App\Manage\Controller\ZhuantiController.class.php.
- CVE-2022-26338CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerPageP_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and ex…
- CVE-2022-26348HIGHCVSS 8.2EG 5.52022-07-06
Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. The Windows Registry setting allows an attacker using the Visitor Management Kiosk, an application designed for public use, t…
- CVE-2022-26349CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database co…
- CVE-2022-2643MEDIUMCVSS 6.3EG 9.82022-08-04
A vulnerability has been found in SourceCodester Online Admission System and classified as critical. This vulnerability affects unknown code of the component POST Parameter Handler. The manipulation of the argument shift leads to sql injec…
- CVE-2022-2644MEDIUMCVSS 5.5EG 9.82022-08-04
A vulnerability was found in SourceCodester Online Admission System and classified as critical. This issue affects some unknown processing of the component GET Parameter Handler. The manipulation of the argument eid leads to sql injection.…
- CVE-2022-2648MEDIUMCVSS 6.3EG 9.82022-08-04
A vulnerability was found in SourceCodester Multi Language Hotel Management Software. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument room_id leads to sql injection. The attack ma…
- CVE-2022-26514CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_tagHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, an…
- CVE-2022-2656MEDIUMCVSS 6.3EG 9.82022-08-04
A vulnerability classified as critical has been found in SourceCodester Multi Language Hotel Management Software. Affected is an unknown function. The manipulation of the argument email leads to sql injection. It is possible to launch the …
- CVE-2022-26585CRITICALCVSS 9.8EG 9.82022-04-05
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.
- CVE-2022-26613CRITICALCVSS 9.8EG 9.82022-04-06
PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in categorymenu.php.
- CVE-2022-26628CRITICALCVSS 9.8EG 9.82022-04-05
Matrimony v1.0 was discovered to contain a SQL injection vulnerability via the Password parameter.
- CVE-2022-26631CRITICALCVSS 9.8EG 9.82022-04-18
Automatic Question Paper Generator v1.0 contains a Time-Based Blind SQL injection vulnerability via the id GET parameter.
- CVE-2022-26632CRITICALCVSS 9.8EG 9.82022-05-20
Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php.
- CVE-2022-26633CRITICALCVSS 9.8EG 9.82022-05-20
Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.
- CVE-2022-2665MEDIUMCVSS 6.3EG 8.82022-08-05
A vulnerability classified as critical was found in SourceCodester Simple E-Learning System. Affected by this vulnerability is an unknown functionality of the file classroom.php. The manipulation of the argument post_id leads to sql inject…
- CVE-2022-26651CRITICALCVSS 9.8EG 9.82022-04-15
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data …
- CVE-2022-2666MEDIUMCVSS 6.3EG 9.82023-01-07
A vulnerability has been found in SourceCodester Loan Management System and classified as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument username leads to sql injection. The attack…
- CVE-2022-26666CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerECC.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute …
- CVE-2022-26667CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, a…
- CVE-2022-26669HIGHCVSS 8.8EG 8.82022-06-20
ASUS Control Center is vulnerable to SQL injection. An authenticated remote attacker with general user privilege can inject SQL command to specific API parameters to acquire database schema or access data.
- CVE-2022-2667MEDIUMCVSS 6.3EG 8.82022-08-05
A vulnerability was found in SourceCodester Loan Management System and classified as critical. This issue affects some unknown processing of the file delete_lplan.php. The manipulation of the argument lplan_id leads to sql injection. The a…
- CVE-2022-2671MEDIUMCVSS 6.3EG 8.82022-08-05
A vulnerability was found in SourceCodester Garage Management System and classified as critical. This issue affects some unknown processing of the file removeUser.php. The manipulation of the argument id leads to sql injection. The attack …
- CVE-2022-2672MEDIUMCVSS 6.3EG 8.82022-08-05
A vulnerability was found in SourceCodester Garage Management System. It has been classified as critical. Affected is an unknown function of the file createUser.php. The manipulation of the argument userName/uemail leads to sql injection. …
- CVE-2022-2673MEDIUMCVSS 6.3EG 8.82022-08-05
A vulnerability was found in Rigatur Online Booking and Hotel Management System aff6409. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file login.php of the component POST Request Handl…
- CVE-2022-2674HIGHCVSS 7.3EG 9.82022-08-05
A vulnerability was found in SourceCodester Best Fee Management System. It has been rated as critical. Affected by this issue is the function login of the file admin_class.php. The manipulation of the argument username leads to sql injecti…
- CVE-2022-2676MEDIUMCVSS 6.3EG 9.82022-08-05
A vulnerability was found in SourceCodester Electronic Medical Records System and classified as critical. Affected by this issue is some unknown functionality of the component POST Request Handler. The manipulation of the argument user_ema…
- CVE-2022-2677MEDIUMCVSS 6.3EG 9.82022-08-05
A vulnerability was found in SourceCodester Apartment Visitor Management System 1.0. It has been classified as critical. This affects an unknown part of the file index.php. The manipulation of the argument username with the input ' AND (SE…
- CVE-2022-2679MEDIUMCVSS 6.3EG 9.82022-08-05
A vulnerability was found in SourceCodester Interview Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /viewReport.php. The manipulation of the argument id with the input (UPDATEX…
- CVE-2022-2680MEDIUMCVSS 6.3EG 8.82022-08-05
A vulnerability classified as critical has been found in SourceCodester Church Management System 1.0. Affected is an unknown function of the file /login.php. The manipulation of the argument username with the input ' OR (SELECT 7064 FROM(S…
- CVE-2022-26836CRITICALCVSS 9.8EG 9.82022-03-29
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database conte…
- CVE-2022-2687MEDIUMCVSS 6.3EG 9.82022-08-06
A vulnerability, which was classified as critical, was found in SourceCodester Gym Management System. Affected is an unknown function. The manipulation of the argument user_pass leads to sql injection. It is possible to launch the attack r…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →