CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,406 vulnerabilities with CWE-89
CVE-2026-22599 (HIGH, CVSS 7.2): Strapi Vulnerable to SQL Injection in Content Type Builder
CVE-2026-6638 (LOW, CVSS 3.7): PostgreSQL REFRESH PUBLICATION allows SQL injection via table name
CVE-2026-6637 (HIGH, CVSS 8.8): PostgreSQL refint allows stack buffer overflow and SQL injection
CVE-2026-6476 (HIGH, CVSS 7.2): PostgreSQL pg_createsubscriber allows SQL injection via subscription name
CVE-2026-6225 (MEDIUM, CVSS 6.5): Taskbuilder <= 5.0.6 - Authenticated Time-Based Blind SQL Injection via project_search
CVE-2026-5486 (MEDIUM, CVSS 6.5): Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter
CVE-2026-46446 (HIGH, CVSS 7.1): Alinto SOGo < 5.12.7 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-46445 (HIGH, CVSS 7.1): Alinto SOGo < 5.12.7 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-29206 (HIGH, CVSS 8.1): Webpros cPanel - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-44447 (HIGH, CVSS 8.8): ERPNext: Possibility of SQL Injection due to missing validation
CVE-2026-44446 (HIGH, CVSS 8.8): ERPNext: Possibility of SQL Injection due to missing validation
CVE-2026-45054 (MEDIUM, CVSS 4.9): CubeCart: Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions Listing
CVE-2026-44418 (HIGH): Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm
CVE-2026-44381 (MEDIUM, CVSS 5.3): MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings
CVE-2026-39358 (HIGH, CVSS 7.2): CubeCart: Time-based Blind SQL Injection
CVE-2026-42550 (HIGH, CVSS 8.8): Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete
CVE-2026-42031 (CRITICAL, CVSS 9.8): CKAN: Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
CVE-2026-0242 (MEDIUM): Trust Protection Foundation: SQL Injection Vulnerability
CVE-2026-4608 (MEDIUM, CVSS 6.5): ProfileGrid <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection via 'rid' Parameter
CVE-2026-37429 (MEDIUM, CVSS 6.5): qihang-wms - SQL Injection via SysUserMapper.xml datascope Parameter
CVE-2026-37428 (MEDIUM, CVSS 6.5): qihang-wms - SQL Injection via SysDeptMapper.xml datascope Parameter
CVE-2026-4798 (HIGH, CVSS 7.5): Avada Builder <= 3.15.1 - Unauthenticated SQL Injection via 'product_order' Parameter
CVE-2026-6929 (HIGH, CVSS 7.5): JoomSport <= 5.7.7 - Unauthenticated SQL Injection via 'sortf' Parameter
CVE-2026-7619 (MEDIUM, CVSS 6.5): Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter
CVE-2026-6888 (HIGH, CVSS 7.2): Advantech SaaS Composer < 3.4.17 - Authenticated SQL Injection via Specific Interface