CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit likelihood: High
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
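The description above states the mechanism abstractly; the following is an added example, not code from this page or from any project listed on it, that shows the same thing concretely with Python's built-in sqlite3 module and a constructed in-memory `users` table (the table, the rows and the `x' OR '1'='1` payload are invented for the demonstration). It contrasts the vulnerable pattern (quoting the input by hand and concatenating it into the statement) with parameter binding, and goes one step beyond the description to the case binding cannot cover, a user-supplied ORDER BY column of the kind named in the Electric advisory title below, where the fix is an allowlist of identifiers rather than a placeholder.

```python
"""Added example of CWE-89: the same lookup written vulnerably and safely,
plus the identifier case (ORDER BY) that parameter binding does not cover.
Runs offline against a constructed sqlite3 in-memory table.
"""
import sqlite3

# Constructed sample data; the names and addresses are invented for this example.
ROWS = [
    ("alice", "alice@example.test", "active"),
    ("bob", "bob@example.test", "active"),
    ("carol", "carol@example.test", "disabled"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The CWE-89 pattern: the input is wrapped in quotes by hand and pasted into
    # the statement text. A single quote in `name` closes the literal and the
    # remainder is parsed as SQL syntax, not as a name.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The statement text is fixed; the driver passes the value separately, so
    # no character in `name` can alter the statement's structure.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Identifiers (column and table names) cannot be bound as parameters, so a
# user-chosen sort column is checked against a fixed set of known columns.
ALLOWED_SORT_COLUMNS = {"name", "email", "status"}


def list_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate only because `sort_by` is now one of our own literals.
    sql = f"SELECT name FROM users ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def demo() -> dict:
    conn = make_db()
    payload = "x' OR '1'='1"  # tautology: every row satisfies the WHERE clause
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),        # 3
        "parameterized_rows": len(lookup_parameterized(conn, payload)),  # 0
        "sorted_by_email": list_sorted(conn, "email"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints that the concatenated query returns all three rows for the payload while the bound query returns none, and `list_sorted` rejects anything that is not a known column name (for example `name; DROP TABLE users`) before it reaches the database. The same split applies to any engine listed below: values are bound, identifiers and keywords are allowlisted, and neither is ever built by string concatenation from request data.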
19,447 vulnerabilities with CWE-89
CVE ID          Severity  CVSS        Title
CVE-2026-6833   MEDIUM    6.5         aEnrich|a+HRD - SQL Injection
CVE-2026-41457  MEDIUM    not listed  OwnTone Server < 29.1 SQL Injection via query and filter Parameters
CVE-2026-40906  CRITICAL  9.9         Electric: SQL Injection via ORDER BY Parameter in Shape API
CVE-2026-41320  MEDIUM    6.5         Frappe HR has possibility of SQL Injection due to improper field sanitization
CVE-2026-40887  CRITICAL  9.1         Vendure Shop API - SQL Injection
CVE-2026-40871  HIGH      7.2         mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API
CVE-2026-6674   MEDIUM    6.5         Plugin: CMS für Motorrad Werkstätten <= 1.0.0 - Authenticated (Subscriber+) SQL Injection via 'arttype' Parameter
CVE-2026-39946  MEDIUM    4.9         OpenBao allows SQL Injection in PostgreSQL database secrets engine
CVE-2026-35588  MEDIUM    6.3         Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
CVE-2026-39111  HIGH      7.5         Apartment Visitors Management System 1.1 - SQL Injection
CVE-2026-39110  HIGH      8.2         Apartment Visitors Management System V1.1 - SQL Injection
CVE-2026-39109  CRITICAL  9.4         Apartment Visitors Management System 1.1 - SQL Injection
CVE-2026-6629   HIGH      7.3         Metasoft 美特软件 MetaCRM Interface sql.jsp Statement.executeUpdate sql injection
CVE-2026-6628   MEDIUM    6.3         phili67 Ecclesia CRM Query Viewer view ValidateInput sql injection
CVE-2026-5964   CRITICAL  9.8         Digiwin|EasyFlow .NET - SQL Injection
CVE-2026-5963   CRITICAL  9.8         Digiwin|EasyFlow .NET - SQL Injection
CVE-2026-6595   HIGH      7.3         ProjectsAndPrograms School Management System HTTP GET Parameter buslocation.php sql injection
CVE-2026-6562   HIGH      7.3         dameng100 muucmf index.html getListByPage sql injection
CVE-2026-40482  HIGH      not listed  ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`
CVE-2026-40285  HIGH      8.8         WeGIA has SQL Injection via Session Variable Override in DespachoControle.php
CVE-2026-37749  CRITICAL  9.8         Simple Attendance Management System 1.0 - SQL Injection
CVE-2026-6490   HIGH      7.3         QueryMine sms GET Request Parameter deletecourse.php sql injection
CVE-2026-6488   MEDIUM    6.3         QueryMine sms GET Request Parameter editcourse.php sql injection
CVE-2026-34018  CRITICAL  9.8         CubeCart < 6.6.0 - SQL Injection
CVE-2026-6080   MEDIUM    6.5         Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter