CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,406 vulnerabilities with CWE-89
CVE-2026-41490 (HIGH, CVSS 8.3): Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
CVE-2026-4348 (HIGH, CVSS 7.5): BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter
CVE-2026-41641 (HIGH, CVSS 7.2): NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call
CVE-2026-41143 (HIGH, CVSS 8.8): YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
CVE-2026-41640 (HIGH, CVSS 7.5): NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading
CVE-2026-29090 (HIGH, CVSS 8.8): Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database
CVE-2026-29080 (HIGH, CVSS 8.8): Rucio SQL Injection in FilterEngine Oracle JSON Path via DID Search API
CVE-2026-1719 (HIGH, CVSS 7.5): Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter
CVE-2026-44331 (HIGH, CVSS 8.1): ProFTPD < 1.3.9a - SQL Injection via Reverse DNS Lookup Hostname
CVE-2026-40331 (CRITICAL): Masa CMS unauthenticated SQL injection via altTable parameter in JSON API
CVE-2026-40330 (CRITICAL): Masa CMS SQL injection via sortDirection parameter in beanFeed
CVE-2026-40329 (CRITICAL): SQL Injection vulnerability via sortBy in beanFeed
CVE-2026-33324 (HIGH, CVSS 8.8): SQLBot prompt injection allows arbitrary SQL execution and remote code execution
CVE-2026-38428 (CRITICAL, CVSS 9.8): Kestra < 1.0.35 - SQL Injection via GET Parameter
CVE-2026-4304 (HIGH, CVSS 7.5): WeePie Cookie Allow <= 3.4.11 - Unauthenticated SQL Injection via 'consent' Parameter
CVE-2026-3359 (HIGH, CVSS 7.5): Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'
CVE-2026-40797 (CRITICAL, CVSS 9.3): WordPress WebinarIgnition plugin <= 4.08.253 - SQL Injection vulnerability
CVE-2026-7822 (MEDIUM, CVSS 6.3): itsourcecode Courier Management System print_pdets.php sql injection
CVE-2026-3456 (HIGH, CVSS 7.5): GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey'
CVE-2026-35228 (HIGH, CVSS 8.7): Oracle MCP Server Helper Tool 1.0.1-1.0.156 - SQL Injection
CVE-2026-5100 (HIGH, CVSS 7.5): AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'
CVE-2026-7783 (MEDIUM, CVSS 6.3): CodeCanyon Perfex CRM Admin Kanban Endpoint AbstractKanban.php applySortQuery sql injection
CVE-2026-42237 (HIGH, CVSS 8.8): n8n: SQL Injection in Snowflake and MySQL Nodes
CVE-2026-42233 (CRITICAL, CVSS 9.8): n8n: SQL Injection in Oracle Database Node via Limit Field
CVE-2026-42229 (HIGH, CVSS 8.8): n8n: SQL Injection in SeaTable Node