CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,716 vulnerabilities with CWE-89
CVE-2024-37112 CRITICAL
WishList Member X < 3.26.7 - Unauthenticated SQL Injection
CVSS 10.0
CVE-2024-6166 HIGH
Unlimited Elements For Elementor <1.5.112 - SQL Injection
CVSS 8.8
CVE-2024-5793 HIGH
Houzez Theme - Functionality <3.2.2 - SQL Injection
CVSS 8.8
CVE-2024-39677 MEDIUM
NHibernate < 5.4.9 - SQL Injection via ILiteralType.ObjectToSQLString
CVSS 5.9
CVE-2024-40614 CRITICAL
EGroupware <23.1.20240624 - SQL Injection
CVSS 9.8
CVE-2024-5753 HIGH
vanna-ai/vanna 0.3.4 - Unauthenticated SQL Injection via pg_read_file()
CVSS 7.5
CVE-2024-27709 CRITICAL
Eskooly Web Product <3.0 - SQL Injection
CVSS 9.8
CVE-2024-39027 HIGH
SeaCMS v12.9 - Unauthenticated SQL Injection via cid Parameter
CVSS 7.5
CVE-2024-6471 MEDIUM
SourceCodester Online Tours & Travels Management 1.0 - SQL Injection
CVSS 6.3
CVE-2024-6453 MEDIUM
itsourcecode Farm Management System 1.0 - SQL Injection
CVSS 6.3
CVE-2024-6452 MEDIUM
linlinjava litemall <1.8.0 - SQL Injection
CVSS 6.3
CVE-2024-6440 MEDIUM
Home Owners Collection Management System 1.0 - SQL Injection via Master.php id Parameter
CVSS 6.3
CVE-2024-6438 MEDIUM
Hitout Carsale 1.0 - SQL Injection via OrderController.java orderBy Parameter
CVSS 6.3
CVE-2024-6172 CRITICAL
Email Subscribers by Icegram Express - Time-Based SQL Injection
CVSS 9.8
CVE-2024-5606 HIGH
Quiz and Survey Master < 9.0.2 - Authenticated SQL Injection via question_id Parameter
CVSS 8.8
CVE-2024-39309 CRITICAL
Parse Server < 6.5.7 and 7.0.0-7.1.0 - SQL Injection via PostgreSQL Configuration
CVSS 9.8
CVE-2024-37765 HIGH
Machform < 19 - Authenticated Blind SQL Injection in User Account Settings Page
CVSS 8.8
CVE-2024-6419 MEDIUM
SourceCodester Medicine Tracker System 1.0 - SQL Injection
CVSS 6.3
CVE-2024-6418 HIGH
SourceCodester Medicine Tracker System 1.0 - SQL Injection
CVSS 7.3
CVE-2024-6417 MEDIUM
SourceCodester Simple Online Bidding System 1.0 - SQL Injection
CVSS 6.3
CVE-2024-6416 MEDIUM
SeaCMS 12.9 - SQL Injection via dmku Edit Endpoint cid Parameter
CVSS 6.3
CVE-2024-2386 HIGH
WP Maps - Display Google Maps Perfectly with Ease <= 4.6.1 - Authenticated SQL Injection via 'id' Parameter
CVSS 8.8
CVE-2024-6265 CRITICAL
UsersWP < 1.2.10 - Unauthenticated Time-Based SQL Injection via uwp_sort_by Parameter
CVSS 9.8
CVE-2024-5827 CRITICAL
vanna-ai/vanna < latest - SQL Injection via DuckDB Integration
CVSS 9.8
CVE-2024-3816 CRITICAL
conceptintermedia s@m_cms < 3.3 - SQL Injection via Search Bar
CVSS 9.8
Details
Vulnerabilities 19,716
Exploit Likelihood High