CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,493 vulnerabilities with CWE-89
CVE-2026-5575 HIGH
SourceCodester/jkev Record Management System Login index.php sql injection
CVSS 7.3
CVE-2026-5565 HIGH
code-projects Simple Laundry System Parameter delmemberinfo.php sql injection
CVSS 7.3
CVE-2026-5564 HIGH
code-projects Simple Laundry System Parameter searchguest.php sql injection
CVSS 7.3
CVE-2026-5563 MEDIUM
AutohomeCorp frostmourne Alarm Preview previewData httpTest sql injection
CVSS 6.3
CVE-2026-5560 MEDIUM
PHPGurukul Online Shopping Portal Project Parameter payment-method.php sql injection
CVSS 6.3
CVE-2026-5558 MEDIUM
PHPGurukul PHPGurukul Online Shopping Portal Project Parameter pending-orders.php sql injection
CVSS 6.3
CVE-2026-5555 HIGH
code-projects Concert Ticket Reservation System Parameter login.php sql injection
CVSS 7.3
CVE-2026-5554 HIGH
code-projects Concert Ticket Reservation System Parameter process_search.php sql injection
CVSS 7.3
CVE-2026-5553 MEDIUM
itsourcecode Online Cellphone System Parameter available.php sql injection
CVSS 6.3
CVE-2026-5552 MEDIUM
PHPGurukul Online Shopping Portal Project Parameter sub-category.php sql injection
CVSS 6.3
CVE-2026-5551 HIGH
itsourcecode Free Hotel Reservation System Parameter login.php sql injection
CVSS 7.3
CVE-2026-5543 MEDIUM
PHPGurukul User Registration & Login and User Management System yesterday-reg-users.php sql injection
CVSS 6.3
CVE-2026-5540 HIGH
code-projects Simple Laundry System Parameter modifymember.php sql injection
CVSS 7.3
CVE-2026-5537 MEDIUM
halex CourseSEL HTTP GET Parameter IndexController.class.php check_sel sql injection
CVSS 6.3
CVE-2026-5534 HIGH
itsourcecode Online Enrollment System Parameter index.php sql injection
CVSS 7.3
CVE-2026-34934 CRITICAL
PraisonAI: Second-Order SQL Injection in `get_all_user_threads`
CVSS 9.8
CVE-2026-34788 MEDIUM
Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters
CVSS 6.5
CVE-2026-34612 CRITICAL
Kestra: Remote Code Execution via SQL Injection
CVSS 9.9
CVE-2026-27885 HIGH
Piwigo: SQL Injection in Activity.getList
CVSS 7.2
CVE-2026-27834 HIGH
Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
CVSS 7.2
CVE-2026-27634 CRITICAL
Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter
CVSS 9.8
CVE-2026-25773 HIGH
Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)
CVSS 8.1
CVE-2026-34825 MEDIUM
NocoBase Has SQL Injection via template variable substitution in workflow SQL node
CVSS 6.5
CVE-2026-5368 HIGH
projectworlds Car Rental Project Parameter login.php sql injection
CVSS 7.3
CVE-2026-34717 CRITICAL
OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string
CVSS 9.9