CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,395 vulnerabilities with CWE-89
CVE-2026-39441 (CRITICAL, CVSS 9.3) - WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability
CVE-2026-24637 (HIGH, CVSS 8.5) - WordPress PowerPress Podcasting plugin <= 11.15.10 - SQL Injection vulnerability
CVE-2026-48114 (CRITICAL, CVSS 9.8) - Metacat has an unauthenticated SQL injection vulnerability
CVE-2026-12206 (MEDIUM, CVSS 6.3) - Grit42 Grit data_table_entity.rb DataTableEntity sql injection
CVE-2026-12188 (MEDIUM, CVSS 6.3) - Grit42 Grit GritEntityController grit_entity_controller.rb sql injection
CVE-2026-12175 (MEDIUM, CVSS 4.7) - CodeAstro Student Attendance Management System createStudents.php sql injection
CVE-2026-6428 (HIGH, CVSS 7.6) - Koha - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-9848 (HIGH, CVSS 7.5) - WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter
CVE-2026-12131 (MEDIUM, CVSS 6.3) - CodeAstro Human Resource Management System Payroll Invoice Payroll.php sql injection
CVE-2026-44172 (MEDIUM) - MariaDB: mysql_real_escape_string() incorrectly handled big5
CVE-2026-41581 (MEDIUM) - Frappe Vulnerable to Possible SQL Injection via get_blog_list
CVE-2026-48613 (MEDIUM, CVSS 5.9) - phpBB < 3.3.16 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-45418 (HIGH, CVSS 8.8) - ClipBucket: Blind SQL Injection in subtitle_edit.php
CVE-2026-45060 (CRITICAL, CVSS 9.8) - ClipBucket: Blind SQL Injection in progress_video.php
CVE-2026-42647 (CRITICAL, CVSS 9.3) - WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability
CVE-2026-39494 (CRITICAL, CVSS 9.3) - WordPress Product Filter by WBW plugin <= 3.1.2 - SQL Injection vulnerability
CVE-2026-11945 (MEDIUM, CVSS 6.4) - PostgreSQL Anonymizer: SQL injection in the rules import functions
CVE-2026-38581 (CRITICAL, CVSS 9.8) - damasac thaipalliative_lte <= 3.0 - SQL Injection via idFormMain or id Parameter
CVE-2026-53474 (CRITICAL, CVSS 9.6) - Migration-planner: second-order sql injection via rvtools upload
CVE-2026-52758 (HIGH, CVSS 8.8) - Ghidra < 12.1 - SQL Injection via Unescaped Filter Values in BSim Search
CVE-2026-49498 (HIGH, CVSS 8.8) - Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username
CVE-2026-3018 (HIGH, CVSS 7.5) - Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter
CVE-2026-3326 (HIGH, CVSS 8.6) - XStore < 9.7.3 - Unauthenticated SQLi
CVE-2026-50636 (HIGH, CVSS 8.8) - LimeSurvey RemoteControl invite_participants/remind_participants SQL Injection
CVE-2026-8025 (CRITICAL, CVSS 9.8) - SQLi in MOSK Informatics' CBS Platform
Details
Vulnerabilities: 19,395
Exploit Likelihood: High