CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,493 vulnerabilities with CWE-89 (CVE, severity, CVSS score, title):

CVE-2026-32767 (CRITICAL, CVSS 9.8): SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
CVE-2026-33288 (HIGH, CVSS 8.8): SuiteCRM has Authenticated SQL Injection in Authentication Module
CVE-2026-32763 (HIGH, CVSS 8.2): SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
CVE-2026-29099 (HIGH, CVSS 8.8): SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.
CVE-2026-29096 (HIGH, CVSS 8.1): SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields
CVE-2026-30711 (HIGH, CVSS 8.8): Devome GRR 4.5.0 - Authenticated SQL Injection
CVE-2026-3658 (HIGH, CVSS 7.5): Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter
CVE-2026-27413 (CRITICAL, CVSS 9.3): WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability
CVE-2026-32698 (CRITICAL, CVSS 9.1): OpenProject Custom Field Names - SQL Injection to Code Execution
CVE-2026-32321 (HIGH, CVSS 8.8): ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration
CVE-2026-32611 (HIGH, CVSS 7.0): Glances DuckDB Export - SQL Injection
CVE-2026-22730 (HIGH, CVSS 8.8): CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter
CVE-2026-33058 (MEDIUM, CVSS 6.5): Kanboard has Authenticated SQL Injection in Project Permissions Handler
CVE-2026-31891 (HIGH, CVSS 7.7): Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
CVE-2026-26001 (HIGH, CVSS 7.1): GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
CVE-2026-25936 (MEDIUM, CVSS 6.5): GLPI Vulnerable to Authenticated SQL Injection
CVE-2026-4319 (HIGH, CVSS 7.3): code-projects Simple Food Order System add-item.php sql injection
CVE-2026-4324 (MEDIUM, CVSS 5.4): Rubygem-katello: katello: denial of service and potential information disclosure via sql injection
CVE-2026-2579 (HIGH, CVSS 7.5): WowStore – Store Builder & Product Blocks for WooCommerce <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter
CVE-2026-4289 (HIGH, CVSS 7.3): Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection
CVE-2026-4288 (HIGH, CVSS 7.3): Tiandy Easy7 Integrated Management Platform Endpoint getDevDetailedInfo sql injection
CVE-2026-4287 (HIGH, CVSS 7.3): Tiandy Easy7 Integrated Management Platform Endpoint queryResources sql injection
CVE-2026-30881 (HIGH, CVSS 8.8): Chamilo LMS: SQL Injection in the statistics AJAX endpoint
CVE-2026-28430 (CRITICAL, CVSS 9.8): Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php
CVE-2026-4241 (MEDIUM, CVSS 6.3): itsourcecode College Management System time-table.php sql injection