CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 150 of 378
- CVE-2022-27385HIGHCVSS 7.5EG 7.52022-04-12
An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
- CVE-2022-27386HIGHCVSS 7.5EG 7.52022-04-12
MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.
- CVE-2022-27412CRITICALCVSS 9.8EG 9.82022-05-09
Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.
- CVE-2022-27413CRITICALCVSS 9.8EG 9.82022-05-03
Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.
- CVE-2022-27420CRITICALCVSS 9.8EG 9.82022-05-04
Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the patient_contact parameter in patientsearch.php.
- CVE-2022-27423CRITICALCVSS 9.8EG 9.82022-04-15
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.
- CVE-2022-27431CRITICALCVSS 9.8EG 9.82022-05-04
Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php.
- CVE-2022-27434CRITICALCVSS 9.8EG 9.82022-07-18
UNIT4 TETA Mobile Edition (ME) before 29.5.HF17 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page.
- CVE-2022-2745MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability, which was classified as critical, was found in SourceCodester Gym Management System. This affects an unknown part of the file /admin/add_trainers.php of the component Add New Trainer. The manipulation of the argument train…
- CVE-2022-27466CRITICALCVSS 9.8EG 9.82022-05-02
MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.
- CVE-2022-2747MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability was found in SourceCodester Simple Online Book Store and classified as critical. This issue affects some unknown processing of the file book.php. The manipulation of the argument book_isbn leads to sql injection. The attack…
- CVE-2022-27472CRITICALCVSS 9.8EG 9.82022-04-12
SQL injection vulnerability in Topics Counting feature of Roothub 2.6.0 allows unauthorized attackers to execute arbitrary SQL commands via the "s" parameter remotely.
- CVE-2022-27473CRITICALCVSS 9.8EG 9.82022-04-12
SQL injection vulnerability in Topics Searching feature of Roothub 2.6.0 allows unauthorized attackers to execute arbitrary SQL commands via the "s" parameter remotely.
- CVE-2022-27479CRITICALCVSS 9.8EG 9.82022-04-13
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.
- CVE-2022-27485MEDIUMCVSS 6.5EG 6.52023-04-11
A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticat…
- CVE-2022-2754CRITICALCVSS 9.8EG 9.82022-09-19
The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks
- CVE-2022-27596CRITICALCVSS 9.8EG 9.82023-01-30
A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS h…
- CVE-2022-27613HIGHCVSS 8.3EG 8.82022-07-28
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified v…
- CVE-2022-2766HIGHCVSS 7.3EG 9.82022-08-11
A vulnerability was found in SourceCodester Loan Management System. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument password leads to sql injectio…
- CVE-2022-2770MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability, which was classified as critical, was found in SourceCodester Simple Online Book Store System. Affected is an unknown function of the file /obs/book.php. The manipulation of the argument bookisbn leads to sql injection. It…
- CVE-2022-2771MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability has been found in SourceCodester Simple Online Book Store System and classified as critical. Affected by this vulnerability is an unknown functionality of the file /obs/bookPerPub.php. The manipulation of the argument booki…
- CVE-2022-2772MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability was found in SourceCodester Apartment Visitor Management System and classified as critical. Affected by this issue is some unknown functionality of the file action-visitor.php. The manipulation of the argument editid/remark…
- CVE-2022-2774MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability was found in SourceCodester Library Management System. It has been declared as critical. This vulnerability affects unknown code of the file librarian/student.php. The manipulation of the argument title leads to sql injecti…
- CVE-2022-27908HIGHCVSS 8.8EG 8.82022-04-18
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
- CVE-2022-27927CRITICALCVSS 9.8EG 9.82022-04-19
A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable course_code and/or customer_nu…
- CVE-2022-27962CRITICALCVSS 9.8EG 9.82022-05-03
Bluecms 1.6 has a SQL injection vulnerability at cooike.
- CVE-2022-2797MEDIUMCVSS 6.3EG 9.82022-08-12
A vulnerability classified as critical was found in SourceCodester Student Information System. Affected by this vulnerability is an unknown functionality of the file /admin/students/view_student.php. The manipulation of the argument id lea…
- CVE-2022-27984CRITICALCVSS 9.8EG 9.82022-04-26
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.
- CVE-2022-27985CRITICALCVSS 9.8EG 9.82022-04-26
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.
- CVE-2022-27991MEDIUMCVSS 6.5EG 6.52022-04-08
Online Banking System in PHP v1 was discovered to contain multiple SQL injection vulnerabilities at /staff_login.php via the Staff ID and Staff Password parameters.
- CVE-2022-27992HIGHCVSS 8.8EG 8.82022-04-08
Zoo Management System v1.0 was discovered to contain a SQL injection vulnerability at /public_html/animals via the class_id parameter.
- CVE-2022-28000HIGHCVSS 8.8EG 8.82022-04-08
Car Rental System v1.0 was discovered to contain a SQL injection vulnerability at /Car_Rental/booking.php via the id parameter.
- CVE-2022-28001CRITICALCVSS 9.8EG 9.82022-04-08
Movie Seat Reservation v1 was discovered to contain a SQL injection vulnerability at /index.php?page=reserve via the id parameter.
- CVE-2022-28006HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\employee_delete.php.
- CVE-2022-28007HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\cashadvance_delete.php.
- CVE-2022-28008HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\attendance_delete.php.
- CVE-2022-28009HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\attendance_delete.php.
- CVE-2022-2801MEDIUMCVSS 6.3EG 9.82022-08-12
A vulnerability, which was classified as critical, was found in SourceCodester Automated Beer Parlour Billing System. This affects an unknown part of the component Login. The manipulation of the argument username leads to sql injection. It…
- CVE-2022-28010HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\overtime_delete.php.
- CVE-2022-28011HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\schedule_delete.php.
- CVE-2022-28012HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\position_delete.php.
- CVE-2022-28013HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\schedule_employee_edit.php.
- CVE-2022-28014HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\attendance_edit.php.
- CVE-2022-28015HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\cashadvance_edit.php.
- CVE-2022-28016HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\deduction_edit.php.
- CVE-2022-28017HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\overtime_edit.php.
- CVE-2022-28018HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\schedule_edit.php.
- CVE-2022-28019HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\employee_edit.php.
- CVE-2022-2802HIGHCVSS 7.3EG 9.82022-08-12
A vulnerability has been found in SourceCodester Gas Agency Management System and classified as critical. This vulnerability affects unknown code of the file gasmark/login.php. The manipulation of the argument username leads to sql injecti…
- CVE-2022-28020HIGHCVSS 8.8EG 8.82022-04-21
Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\position_edit.php.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →