CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 151 of 378
- CVE-2022-28022CRITICALCVSS 9.8EG 9.82022-04-21
Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item.
- CVE-2022-28023CRITICALCVSS 9.8EG 9.82022-04-21
Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_supplier.
- CVE-2022-28024CRITICALCVSS 9.8EG 9.82022-04-21
Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=grade.
- CVE-2022-28025CRITICALCVSS 9.8EG 9.82022-04-21
Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year.
- CVE-2022-28026CRITICALCVSS 9.8EG 9.82022-04-21
Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=student_p&id=.
- CVE-2022-28028CRITICALCVSS 9.8EG 9.82022-04-21
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity.
- CVE-2022-28029CRITICALCVSS 9.8EG 9.82022-04-21
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_type.
- CVE-2022-2803MEDIUMCVSS 6.3EG 9.82022-08-12
A vulnerability was found in SourceCodester Zoo Management System and classified as critical. This issue affects some unknown processing of the file /pages/animals.php. The manipulation of the argument class_id leads to sql injection. The …
- CVE-2022-28030CRITICALCVSS 9.8EG 9.82022-04-21
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_estate.
- CVE-2022-28032CRITICALCVSS 9.8EG 9.82022-04-12
AtomCMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_ajax_pages.php
- CVE-2022-28033CRITICALCVSS 9.8EG 9.82022-04-12
Atom.CMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_uploads.php
- CVE-2022-28034CRITICALCVSS 9.8EG 9.82022-04-12
AtomCMS 2.0 is vulnerabie to SQL Injection via Atom.CMS_admin_ajax_list-sort.php
- CVE-2022-28035CRITICALCVSS 9.8EG 9.82022-04-12
Atom.CMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_ajax_blur-save.php
- CVE-2022-28036CRITICALCVSS 9.8EG 9.82022-04-12
AtomCMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_ajax_navigation.php
- CVE-2022-28060HIGHCVSS 7.5EG 7.52022-04-28
SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php.
- CVE-2022-2807CRITICALCVSS 9.8EG 9.82022-12-02
SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection. This issue affects Prens Student Information System: before 2.1.11.
- CVE-2022-28079HIGHCVSS 8.8EG 8.82022-05-05
College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.
- CVE-2022-28080HIGHCVSS 8.8EG 8.82022-05-05
Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter.
- CVE-2022-28099HIGHCVSS 8.8EG 8.82022-05-04
Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php.
- CVE-2022-28105CRITICALCVSS 9.8EG 9.82022-05-20
Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php.
- CVE-2022-28110CRITICALCVSS 9.8EG 9.82022-05-10
Hotel Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at the login page.
- CVE-2022-28111CRITICALCVSS 9.8EG 9.82022-05-04
MyBatis PageHelper v1.x.x-v3.7.0 v4.0.0-v5.0.0,v5.1.0-v5.3.0 was discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter.
- CVE-2022-28115CRITICALCVSS 9.8EG 9.82022-04-05
Online Sports Complex Booking v1.0 was discovered to contain a SQL injection vulnerability via the id parameter.
- CVE-2022-28116CRITICALCVSS 9.8EG 9.82022-04-05
Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter.
- CVE-2022-2812HIGHCVSS 7.3EG 9.82022-08-15
A vulnerability classified as critical was found in SourceCodester Guest Management System. This vulnerability affects unknown code of the file index.php. The manipulation of the argument username/pass leads to sql injection. The attack ca…
- CVE-2022-28132HIGHCVSS 7.2EG 7.22024-05-14
The T-Soft E-Commerce 4 web application is susceptible to SQL injection (SQLi) attacks when authenticated as an admin or privileged user. This vulnerability allows attackers to access and manipulate the database through crafted requests. B…
- CVE-2022-28163CRITICALCVSS 9.8EG 9.82022-05-06
In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands.
- CVE-2022-28346CRITICALCVSS 9.8EG 9.82022-04-12
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary ex…
- CVE-2022-28347CRITICALCVSS 9.8EG 9.82022-04-12
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing…
- CVE-2022-2840CRITICALCVSS 9.8EG 9.82022-09-19
The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL…
- CVE-2022-28410CRITICALCVSS 9.8EG 9.82022-04-21
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Users.php?f=delete_agent.
- CVE-2022-28411CRITICALCVSS 9.8EG 9.82022-04-21
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent.
- CVE-2022-28412CRITICALCVSS 9.8EG 9.82022-04-21
Car Driving School Managment System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_package.
- CVE-2022-28413CRITICALCVSS 9.8EG 9.82022-04-21
Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_enrollment.
- CVE-2022-28414CRITICALCVSS 9.8EG 9.82022-04-21
Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_member.
- CVE-2022-28415CRITICALCVSS 9.8EG 9.82022-04-21
Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_collection.
- CVE-2022-28416CRITICALCVSS 9.8EG 9.82022-04-21
Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.
- CVE-2022-28417CRITICALCVSS 9.8EG 9.82022-04-21
Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.
- CVE-2022-2842HIGHCVSS 7.3EG 9.82022-08-22
A vulnerability classified as critical has been found in SourceCodester Gym Management System. This affects an unknown part of the file login.php. The manipulation of the argument user_email leads to sql injection. It is possible to initia…
- CVE-2022-28420CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.
- CVE-2022-28421CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.
- CVE-2022-28422CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.
- CVE-2022-28423CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=delete.
- CVE-2022-28424CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.
- CVE-2022-28425CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=display&value=1&roleid=.
- CVE-2022-28426CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=edit&roleid=.
- CVE-2022-28427CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=.
- CVE-2022-28429CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=delete&msgid=.
- CVE-2022-28431CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&social=remove&sid=2.
- CVE-2022-28432CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →