CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 152 of 378
- CVE-2022-28433CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=.
- CVE-2022-28434CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=edit&sid=2.
- CVE-2022-28435CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&action=displaygoal&value=1&roleid=1.
- CVE-2022-28436CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Hide&userid=.
- CVE-2022-28437CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=Admin&userid=3.
- CVE-2022-28438CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=User&userid=.
- CVE-2022-28439CRITICALCVSS 9.8EG 9.82022-04-21
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&&action=delete&userid=4.
- CVE-2022-28452CRITICALCVSS 9.8EG 9.82022-04-29
Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection.
- CVE-2022-28461CRITICALCVSS 9.8EG 9.82022-05-05
mingyuefusu Library Management System all versions as of 03-27-2022 is vulnerable to SQL Injection.
- CVE-2022-28467CRITICALCVSS 9.8EG 9.82022-04-05
Online Student Admission v1.0 was discovered to contain a SQL injection vulnerability via the txtapplicationID parameter.
- CVE-2022-28468CRITICALCVSS 9.8EG 9.82022-04-05
Payroll Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter.
- CVE-2022-2847MEDIUMCVSS 6.3EG 9.82022-08-16
A vulnerability, which was classified as critical, has been found in SourceCodester Guest Management System. This issue affects some unknown processing of the file /guestmanagement/front.php. The manipulation of the argument rid leads to s…
- CVE-2022-28505HIGHCVSS 7.2EG 7.22022-05-03
Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.
- CVE-2022-28512CRITICALCVSS 9.8EG 9.82022-05-04
A SQL injection vulnerability exists in Sourcecodester Fantastic Blog CMS 1.0 . An attacker can inject query in "/fantasticblog/single.php" via the "id=5" parameters.
- CVE-2022-28524CRITICALCVSS 9.8EG 9.82022-04-26
ED01-CMS v20180505 was discovered to contain a SQL injection vulnerability via the component post.php.
- CVE-2022-28530CRITICALCVSS 9.8EG 9.82022-05-05
Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via cmdcategory.
- CVE-2022-28531CRITICALCVSS 9.8EG 9.82022-05-20
Sourcecodester Covid-19 Directory on Vaccination System1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field.
- CVE-2022-28533CRITICALCVSS 9.8EG 9.82022-05-05
Sourcecodester Medical Hub Directory Site 1.0 is vulnerable to SQL Injection via /mhds/clinic/view_details.php.
- CVE-2022-28552HIGHCVSS 8.8EG 8.82022-05-04
Cscms 4.1 is vulnerable to SQL Injection. Log into the background, open the song module, create a new song, delete it to the recycle bin, and SQL injection security problems will occur when emptying the recycle bin.
- CVE-2022-28585CRITICALCVSS 9.8EG 9.82022-05-03
EmpireCMS 7.5 has a SQL injection vulnerability in AdClass.php
- CVE-2022-28623CRITICALCVSS 9.8EG 9.82022-07-08
Security vulnerabilities in HPE IceWall SSO 10.0 certd could be exploited remotely to allow SQL injection or unauthorized data injection. HPE has provided the following updated modules to resolve these vulnerabilities. HPE IceWall SSO vers…
- CVE-2022-2876MEDIUMCVSS 6.3EG 9.82022-08-18
A vulnerability, which was classified as critical, was found in SourceCodester Student Management System. Affected is an unknown function of the file index.php. The manipulation of the argument id leads to sql injection. It is possible to …
- CVE-2022-28813HIGHCVSS 7.5EG 7.52022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the devi…
- CVE-2022-28815LOWCVSS 2.7EG 4.72022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.
- CVE-2022-28816MEDIUMCVSS 6.1EG 7.62022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.
- CVE-2022-28862CRITICALCVSS 9.8EG 9.82022-05-25
In Archibus Web Central before 26.2, multiple SQL Injection vulnerabilities occur in dwr/call/plaincall/workflow.runWorkflowRule.dwr. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perfo…
- CVE-2022-28929CRITICALCVSS 9.8EG 9.82022-05-15
Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the delid parameter at viewtreatmentrecord.php.
- CVE-2022-28930CRITICALCVSS 9.8EG 9.82022-05-15
ERP-Pro v3.7.5 was discovered to contain a SQL injection vulnerability via the component /base/SysEveMenuAuthPointMapper.xml..
- CVE-2022-28961HIGHCVSS 8.8EG 8.82022-05-19
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.
- CVE-2022-28962CRITICALCVSS 9.8EG 9.82022-05-19
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.
- CVE-2022-29006CRITICALCVSS 9.8EG 9.82022-05-11
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allows attackers to bypass authentication.
- CVE-2022-29007CRITICALCVSS 9.8EG 9.82022-05-11
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allows attackers to bypass authentication.
- CVE-2022-29009CRITICALCVSS 9.8EG 9.82022-05-11
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.
- CVE-2022-29058HIGHCVSS 7.8EG 7.82022-09-06
An improper neutralization of special elements [CWE-89] used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiAP 6.0.0 through 6.4.7, 7.0.0 through 7.0.3, 7.2.0, FortiAP-S 6.0.0 through 6.4.7, FortiAP-W2 6.0.…
- CVE-2022-29059LOWCVSS 2.7EG 2.72025-03-14
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to exec…
- CVE-2022-29155CRITICALCVSS 9.8EG 9.82022-05-04
In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the sea…
- CVE-2022-29250HIGHCVSS 8.1EG 8.12022-06-09
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on sea…
- CVE-2022-29304HIGHCVSS 8.8EG 8.82022-05-19
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.
- CVE-2022-29305HIGHCVSS 8.1EG 8.12022-05-24
imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.
- CVE-2022-29306CRITICALCVSS 9.8EG 9.82022-05-12
IonizeCMS v1.0.8.1 was discovered to contain a SQL injection vulnerability via the id_page parameter in application/models/article_model.php.
- CVE-2022-29316CRITICALCVSS 9.8EG 9.82022-05-11
Complete Online Job Search System v1.0 was discovered to contain a SQL injection vulnerability via /eris/index.php?q=result&searchfor=advancesearch.
- CVE-2022-29317CRITICALCVSS 9.8EG 9.82022-05-11
Simple Bus Ticket Booking System v1.0 was discovered to contain multiple SQL injection vulnerbilities via the username and password parameters at /assets/partials/_handleLogin.php.
- CVE-2022-29383CRITICALCVSS 9.8EG 9.82022-05-13
NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.
- CVE-2022-29410HIGHCVSS 7.4EG 8.82022-04-28
Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers with Subscriber or higher user roles to execute SQLi attack via (&ids).
- CVE-2022-29411HIGHCVSS 8.3EG 9.82022-04-28
SQL Injection (SQLi) vulnerability in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allows attackers to execute SQLi attack via (&id).
- CVE-2022-29419MEDIUMCVSS 6.0EG 8.82022-04-25
SQL Injection (SQLi) vulnerability in Don Crowther's 3xSocializer plugin <= 0.98.22 at WordPress possible for users with a low role like a subscriber or higher.
- CVE-2022-29498HIGHCVSS 7.5EG 7.52022-04-21
Blazer before 2.6.0 allows SQL Injection. In certain circumstances, an attacker could get a user to run a query they would not have normally run.
- CVE-2022-29535CRITICALCVSS 9.8EG 9.82022-05-05
Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.
- CVE-2022-2957MEDIUMCVSS 6.3EG 9.82022-08-25
A vulnerability classified as critical was found in SourceCodester Simple and Nice Shopping Cart Script. Affected by this vulnerability is an unknown functionality of the file /mkshop/Men/profile.php. The manipulation of the argument mem_i…
- CVE-2022-2958HIGHCVSS 8.8EG 8.82022-09-19
The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →