CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,871 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 157 of 378
- CVE-2022-31353CRITICALCVSS 9.8EG 9.82022-06-02
Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/admin/services/view_service.php?id=.
- CVE-2022-31354CRITICALCVSS 9.8EG 9.82022-06-02
Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/classes/Master.php?f=get_vehicle_service.
- CVE-2022-31355CRITICALCVSS 9.8EG 9.82022-06-17
Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/index.php?q=category&search=.
- CVE-2022-31356CRITICALCVSS 9.8EG 9.82022-06-17
Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/admin/store/index.php?view=edit&id=.
- CVE-2022-31357CRITICALCVSS 9.8EG 9.82022-06-17
Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/admin/inventory/index.php?view=edit&id=.
- CVE-2022-31361CRITICALCVSS 9.8EG 9.82022-06-23
Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
- CVE-2022-31367HIGHCVSS 8.8EG 8.82022-09-27
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
- CVE-2022-31382CRITICALCVSS 9.8EG 9.82022-06-16
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter in search-dirctory.php.
- CVE-2022-31383CRITICALCVSS 9.8EG 9.82022-06-16
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in view-directory.php.
- CVE-2022-31384CRITICALCVSS 9.8EG 9.82022-06-16
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.
- CVE-2022-3141HIGHCVSS 8.8EG 8.82022-09-19
The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be …
- CVE-2022-31415MEDIUMCVSS 6.5EG 6.52022-06-14
Online Fire Reporting System v1.0 was discovered to contain a SQL injection vulnerability via the GET parameter in /report/list.php.
- CVE-2022-3142HIGHCVSS 8.8EG 8.82022-09-19
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics c…
- CVE-2022-31487HIGHCVSS 7.5EG 7.52022-05-23
Inout Blockchain AltExchanger 1.2.1 and Inout Blockchain FiatExchanger 2.2.1 allow Chart/TradingView/chart_content/master.php symbol SQL injection.
- CVE-2022-31488HIGHCVSS 7.5EG 7.52022-05-23
Inout Blockchain AltExchanger 1.2.1 allows index.php/coins/update_marketboxslider marketcurrency SQL injection.
- CVE-2022-31489HIGHCVSS 7.5EG 7.52022-05-23
Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.
- CVE-2022-3150HIGHCVSS 7.2EG 7.22022-10-17
The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin
- CVE-2022-3158HIGHCVSS 8.8EG 8.82022-10-17
Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an input validation vulnerability. The FactoryTalk VantagePoint SQL Server lacks input validation when users enter SQL statements to retrie…
- CVE-2022-31659HIGHCVSS 7.2EG 7.22022-08-05
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.
- CVE-2022-31768CRITICALCVSS 9.8EG 9.82022-06-06
IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
- CVE-2022-31787CRITICALCVSS 9.8EG 9.82022-06-23
IdeaTMS 2022 is vulnerable to SQL Injection via the PATH_INFO
- CVE-2022-31788CRITICALCVSS 9.8EG 9.82022-06-10
IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID= pathname.
- CVE-2022-31856CRITICALCVSS 9.8EG 9.82022-07-05
Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php.
- CVE-2022-31879HIGHCVSS 8.8EG 8.82022-07-26
Online Fire Reporting System 1.0 is vulnerable to SQL Injection via the date parameter.
- CVE-2022-31890CRITICALCVSS 9.8EG 9.82023-04-05
SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function.
- CVE-2022-31908HIGHCVSS 7.2EG 7.22022-06-16
Student Registration and Fee Payment System v1.0 is vulnerable to SQL Injection via /scms/student.php.
- CVE-2022-31911HIGHCVSS 7.2EG 7.22022-06-16
Online Discussion Forum Site v1.0 is vulnerable to SQL Injection via /odfs/classes/Master.php?f=delete_team.
- CVE-2022-31912HIGHCVSS 7.2EG 7.22022-06-16
Online Tutor Portal Site v1.0 is vulnerable to SQL Injection via /otps/classes/Master.php?f=delete_team.
- CVE-2022-31941CRITICALCVSS 9.8EG 9.82022-06-17
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via \rdms\admin?page=user\manage_user&id=.
- CVE-2022-31946CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_team.
- CVE-2022-31948CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_report.
- CVE-2022-31951CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_respondent_type.
- CVE-2022-31952CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL injection via /rdms/classes/Master.php?f=delete_incident.
- CVE-2022-31953CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/incident_reports/view_report.php?id=.
- CVE-2022-31956CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/incident_reports/manage_report.php?id=.
- CVE-2022-31957CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via rdms/admin/teams/view_team.php?id=.
- CVE-2022-31959CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/teams/manage_team.php?id=.
- CVE-2022-31961CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/incidents/manage_incident.php?id=.
- CVE-2022-31962CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/incidents/view_incident.php?id=.
- CVE-2022-31964CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via rdms/admin/respondent_types/view_respondent_type.php?id=.
- CVE-2022-31965CRITICALCVSS 9.8EG 9.82022-06-02
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/respondent_types/manage_respondent_type.php?id=.
- CVE-2022-31969CRITICALCVSS 9.8EG 9.82022-06-02
ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=user/manage_user&id=.
- CVE-2022-31970HIGHCVSS 7.2EG 7.22022-06-02
ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=responses/manage_response&id=.
- CVE-2022-31971HIGHCVSS 7.2EG 7.22022-06-02
ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=responses/view_response&id=.
- CVE-2022-31974HIGHCVSS 7.2EG 7.22022-06-02
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=reports&date=.
- CVE-2022-31975HIGHCVSS 7.2EG 7.22022-06-02
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=user/manage_user&id=.
- CVE-2022-31976CRITICALCVSS 9.8EG 9.82022-06-02
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_request.
- CVE-2022-31977CRITICALCVSS 9.8EG 9.82022-06-02
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_team.
- CVE-2022-31978CRITICALCVSS 9.8EG 9.82022-06-02
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_inquiry.
- CVE-2022-31980HIGHCVSS 7.2EG 7.22022-06-02
Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=teams/manage_team&id=.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →