CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,406 vulnerabilities with CWE-89

CVE ID | Severity | CVSS | Title
CVE-2026-1250 | HIGH | 7.5 | Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL Injection
CVE-2026-44864 | HIGH | 7.2 | Hewlett Packard Enterprise (hpe) Hpe Aruba Networking Wireless Operating System (aos) < 8.13.1.1 - SQL Injection
CVE-2026-44863 | HIGH | 7.2 | Hewlett Packard Enterprise (hpe) Hpe Aruba Networking Wireless Operating System (aos) < 8.13.1.1 - SQL Injection
CVE-2026-44862 | HIGH | 7.2 | Hewlett Packard Enterprise (hpe) Hpe Aruba Networking Wireless Operating System (aos) < 8.13.1.1 - SQL Injection
CVE-2026-44861 | HIGH | 7.2 | Hewlett Packard Enterprise (hpe) Hpe Aruba Networking Wireless Operating System (aos) < 8.13.1.1 - SQL Injection
CVE-2026-44860 | HIGH | 7.2 | Hewlett Packard Enterprise (hpe) Hpe Aruba Networking Wireless Operating System (aos) < 8.13.1.1 - SQL Injection
CVE-2026-44204 | MEDIUM | 6.5 | Shelf: SQL Injection via sortBy Parameter
CVE-2026-25088 | MEDIUM | 5.4 | Fortinet FortiNDR - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-34187 | CRITICAL | 9.8 | Pandora FMS 777-800 - SQL Injection via Graph Container Parameter
CVE-2026-8111 | HIGH | 8.8 | Ivanti Endpoint Manager - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-43937 | HIGH | 8.8 | YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql`
CVE-2026-32687 | HIGH | 7.8 | SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
CVE-2026-45218 | HIGH | 7.7 | WordPress WP Travel plugin <= 11.4.0 - SQL Injection vulnerability
CVE-2026-45214 | HIGH | 8.5 | WordPress Xpro Elementor Addons plugin <= 1.5.1 - SQL Injection vulnerability
CVE-2026-45213 | HIGH | 7.6 | WordPress BEAR plugin <= 1.1.7.1 - SQL Injection vulnerability
CVE-2026-45211 | HIGH | 8.5 | WordPress APIExperts Square for WooCommerce plugin <= 4.7.1 - SQL Injection vulnerability
CVE-2026-42742 | HIGH | 8.5 | WordPress Views for WPForms plugin <= 3.4.6 - SQL Injection vulnerability
CVE-2026-42741 | HIGH | 8.5 | WordPress Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend plugin <= 3.3.2 - SQL Injection vulnerability
CVE-2026-41125 | MEDIUM | 6.0 | Siemens Blueplanet 100 NX3 M8 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-5028 | MEDIUM | 6.5 | Eight Day Week Print Workflow <= 1.2.6 - Authenticated (Subscriber+) SQL Injection via 'title' Parameter
CVE-2026-2993 | HIGH | 7.5 | AI Chatbot & Workflow Automation by AIWU <= 1.4.17 - Unauthenticated SQL Injection in getListForTbl()
CVE-2026-40131 | LOW | 3.4 | SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library
CVE-2026-34260 | CRITICAL | 9.6 | SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)
CVE-2026-38567 | CRITICAL | 9.8 | HireFlow 1.2 - Unauthenticated SQL Injection via Login and Search Endpoints
CVE-2026-36962 | HIGH | 7.3 | MuuCMF T6 1.9.4.20260115 - SQL Injection