CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,868 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 153 of 378
- CVE-2022-29600CRITICALCVSS 9.8EG 9.82022-07-12
The oelib (aka One is Enough Library) extension through 4.1.5 for TYPO3 allows SQL Injection.
- CVE-2022-29601CRITICALCVSS 9.8EG 9.82022-07-12
The seminars (aka Seminar Manager) extension through 4.1.3 for TYPO3 allows SQL Injection.
- CVE-2022-29603HIGHCVSS 8.1EG 8.12022-04-25
A SQL Injection vulnerability exists in UniverSIS UniverSIS-API through 1.2.1 via the $select parameter to multiple API endpoints. A remote authenticated attacker could send crafted SQL statements to a vulnerable endpoint (such as /api/stu…
- CVE-2022-29650CRITICALCVSS 9.8EG 9.82022-05-25
Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the Search parameter at /online-food-order/food-search.php.
- CVE-2022-29652MEDIUMCVSS 6.1EG 6.12022-05-19
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.
- CVE-2022-29656CRITICALCVSS 9.8EG 9.82022-05-11
Wedding Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /Wedding-Management/package_detail.php.
- CVE-2022-29659CRITICALCVSS 9.8EG 9.82022-06-02
Responsive Online Blog v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at single.php.
- CVE-2022-29660CRITICALCVSS 9.8EG 9.82022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/pic/del.
- CVE-2022-29661HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/save.
- CVE-2022-29662HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/news/save.
- CVE-2022-29663HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/hy.
- CVE-2022-29664HIGHCVSS 8.8EG 8.82022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/pl_save.
- CVE-2022-29665HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/topic/save.
- CVE-2022-29666HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.
- CVE-2022-29667HIGHCVSS 8.8EG 8.82022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via /admin.php/pic/admin/pic/hy. This vulnerability is exploited via restoring deleted photos.
- CVE-2022-29669HIGHCVSS 8.8EG 8.82022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/lists/zhuan.
- CVE-2022-29670HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/del.
- CVE-2022-29676HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.
- CVE-2022-29680HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/zu_del.
- CVE-2022-29681HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.
- CVE-2022-29682HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/del.
- CVE-2022-29683HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del.
- CVE-2022-29684HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/js_del.
- CVE-2022-29685HIGHCVSS 8.8EG 8.82022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/User/level_sort.
- CVE-2022-29686HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/lists/zhuan.
- CVE-2022-29687HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.
- CVE-2022-29688HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/hy.
- CVE-2022-29689HIGHCVSS 7.2EG 7.22022-05-26
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.
- CVE-2022-29704CRITICALCVSS 9.8EG 9.82022-06-02
BrowsBox CMS v4.0 was discovered to contain a SQL injection vulnerability.
- CVE-2022-29709HIGHCVSS 7.5EG 7.52022-07-25
CommuniLink Internet Limited CLink Office v2.0 was discovered to contain multiple SQL injection vulnerabilities via the username and password parameters.
- CVE-2022-29721HIGHCVSS 7.5EG 7.52022-05-26
74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/jobfairol/resumelist.
- CVE-2022-29738CRITICALCVSS 9.8EG 9.82022-05-12
Money Transfer Management System 1.0 is vulnerable to SQL Injection via /mtms/admin/?page=transaction/send&id=, id.
- CVE-2022-29739CRITICALCVSS 9.8EG 9.82022-05-12
Money Transfer Management System 1.0 is vulnerable to SQL Injection via /mtms/admin/?page=user/manage_user&id=.
- CVE-2022-29741CRITICALCVSS 9.8EG 9.82022-05-12
Money Transfer Management System 1.0 is vulnerable to SQL Injection via \mtms\classes\Master.php?f=delete_fee.
- CVE-2022-29745CRITICALCVSS 9.8EG 9.82022-05-12
Money Transfer Management System 1.0 is vulnerable to SQL Injection via \mtms\classes\Master.php?f=delete_transaction.
- CVE-2022-29746CRITICALCVSS 9.8EG 9.82022-05-12
Money Transfer Management System 1.0 is vulnerable to SQL Injection via /mtms/classes/Users.php?f=delete.
- CVE-2022-29747CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=invoice/manage_invoice&id= // Leak place ---> id.
- CVE-2022-29748CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via \cms\admin?page=client/manage_client&id=.
- CVE-2022-29749CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_invoice.
- CVE-2022-29750CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_service.
- CVE-2022-29751CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_client.
- CVE-2022-29807CRITICALCVSS 9.8EG 9.82022-08-02
A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php.
- CVE-2022-29822CRITICALCVSS 10.0EG 10.02022-10-26
Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
- CVE-2022-29904CRITICALCVSS 9.8EG 9.82022-04-29
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.
- CVE-2022-29938HIGHCVSS 8.8EG 8.82022-05-05
In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\payment_master.inc.php leads to SQL injection.
- CVE-2022-29979CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_designation.
- CVE-2022-29980CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=user/manage_user&id=.
- CVE-2022-29981CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Users.php?f=delete.
- CVE-2022-29982CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/maintenance/manage_service.php?id=.
- CVE-2022-29983CRITICALCVSS 9.8EG 9.82022-05-12
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=invoice/view_invoice&id=.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →