CWE-89
Exploit likelihood: High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
19,493 vulnerabilities with CWE-89
CVE ID | Severity | CVSS | Title
CVE-2026-4530 | MEDIUM | 5.3 | apconw Aix-DB terminology_retriever.py sql injection
CVE-2026-4513 | MEDIUM | 6.3 | vanna-ai vanna base.py ask sql injection
CVE-2026-4087 | MEDIUM | 6.5 | Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter
CVE-2026-3334 | HIGH | 8.8 | CMS Commander <= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter
CVE-2026-2503 | MEDIUM | 6.5 | ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter
CVE-2026-2468 | HIGH | 7.5 | Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie
CVE-2026-2279 | HIGH | 7.2 | myLinksDump <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters
CVE-2026-1800 | HIGH | 7.5 | Fonts Manager | Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter
CVE-2026-4508 | HIGH | 7.3 | PbootCMS Member Login MemberController.php checkUsername sql injection
CVE-2026-4507 | MEDIUM | 6.3 | Mindinventory MindSQL mindsql_core.py ask_db sql injection
CVE-2026-33142 | HIGH | 8.1 | OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters
CVE-2026-4504 | HIGH | 7.3 | eosphoros-ai db-gpt Incomplete Fix editor sql injection
CVE-2026-4485 | MEDIUM | 6.3 | itsourcecode College Management System search_student.php sql injection
CVE-2026-33134 | CRITICAL | 9.3 | WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter
CVE-2026-33133 | HIGH | 7.2 | WeGIA 3.6.5-3.6.6 Backup Import - Arbitrary SQL Execution
CVE-2026-4473 | MEDIUM | 4.7 | itsourcecode Online Doctor Appointment System appointment_action.php sql injection
CVE-2026-4472 | MEDIUM | 6.3 | itsourcecode Online Frozen Foods Ordering System admin_edit_supplier.php sql injection
CVE-2026-4471 | MEDIUM | 4.7 | itsourcecode Online Frozen Foods Ordering System admin_edit_employee.php sql injection
CVE-2026-4470 | MEDIUM | 4.7 | itsourcecode Online Frozen Foods Ordering System admin_edit_menu.php sql injection
CVE-2026-4469 | MEDIUM | 4.7 | itsourcecode Online Frozen Foods Ordering System admin_edit_menu_action.php sql injection
CVE-2026-33025 | HIGH | 8.8 | AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause
CVE-2026-32954 | HIGH | 7.1 | ERPNext < 16.8.0 and < 15.100.0 - SQL Injection via Insufficient Parameter Validation
CVE-2026-32950 | HIGH | 8.8 | SQLBot: RCE via SQL Injection in Excel Upload Endpoint
CVE-2026-32888 | HIGH | 8.8 | Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality
CVE-2026-32813 | HIGH | 8.0 | Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)