CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit likelihood: High

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,510 vulnerabilities with CWE-89 (most recent entries; one line per CVE: identifier | severity | CVSS score | title):

CVE-2026-0816 | MEDIUM | CVSS 4.9 | All push notification for WP <= 1.5.3 - Authenticated Time-Based SQL Injection via delete_id Parameter
CVE-2026-25241 | CRITICAL | CVSS 9.8 | pearweb < 1.33.0 - Unauthenticated SQL Injection via Package Version Parameter
CVE-2026-25240 | CRITICAL | CVSS 9.8 | PEAR PEARWeb < 1.33.0 - SQL Injection via Role Filter Array Interpolation
CVE-2026-25239 | HIGH | CVSS 7.5 | pearweb < 1.33.0 - SQL Injection via APIdoc Queue Filename
CVE-2026-25238 | CRITICAL | CVSS 9.8 | pearweb < 1.33.0 - SQL Injection via Crafted Email Value
CVE-2026-25236 | CRITICAL | CVSS 9.8 | PEAR pearweb < 1.33.0 - SQL Injection via Karma Query IN List
CVE-2026-25234 | CRITICAL | CVSS 9.8 | pearweb < 1.33.0 - Authenticated SQL Injection via Category ID
CVE-2026-25022 | HIGH | CVSS 8.5 | Iqonic Design KiviCare < 3.6.16 - SQL Injection
CVE-2026-1312 | MEDIUM | CVSS 5.4 | Django 4.2-4.2.27, 5.2-5.2.10, 6.0-6.0.1 - SQL Injection via QuerySet.order_by() with FilteredRelation
CVE-2026-1287 | MEDIUM | CVSS 5.4 | Django 4.2-4.2.27, 5.2-5.2.10, 6.0-6.0.1 - SQL Injection via FilteredRelation Column Aliases
CVE-2026-1207 | MEDIUM | CVSS 5.4 | Django 4.2-4.2.27, 5.2-5.2.10, 6.0-6.0.1 - SQL Injection via RasterField Band Index Parameter
CVE-2026-1432 | CRITICAL | CVSS not listed | T-Systems Buroweb < 2505.0.13 - SQL Injection via Tablon Component Parameters
CVE-2026-1746 | MEDIUM | CVSS 6.3 | JeecgBoot 3.9.0 - SQL Injection via Online Report API Keyword Parameter
CVE-2026-0683 | MEDIUM | CVSS 6.5 | SupportCandy <= 3.4.4 - Authenticated SQL Injection via Custom Field Filter
CVE-2026-1701 | HIGH | CVSS 7.3 | itsourcecode School Management System 1.0 - SQL Injection via ID Parameter in Enrollment Index
CVE-2026-24854 | HIGH | CVSS 8.8 | ChurchCRM < 6.7.2 - Authenticated SQL Injection via PaddleNumEditor.php PerID Parameter
CVE-2026-1688 | HIGH | CVSS 7.3 | itsourcecode Directory Management System 1.0 - SQL Injection via Username Parameter in /admin/index.php
CVE-2026-1595 | HIGH | CVSS 7.3 | Society Management System 1.0 - SQL Injection via student_id Parameter in edit_student_query.php
CVE-2026-1594 | HIGH | CVSS 7.3 | Society Management System 1.0 - SQL Injection via /admin/add_expenses.php Detail Parameter
CVE-2026-1593 | HIGH | CVSS 7.3 | Society Management System 1.0 - SQL Injection via Edit Expenses Detail Parameter
CVE-2026-1590 | HIGH | CVSS 7.3 | itsourcecode School Management System 1.0 - SQL Injection via ID Parameter in Faculty Index
CVE-2026-1589 | HIGH | CVSS 7.3 | itsourcecode School Management System 1.0 - SQL Injection via txtsearch Parameter
CVE-2026-1552 | MEDIUM | CVSS 6.3 | SEMCMS 5.0 - SQL Injection via searchml Parameter in SEMCMS_Info.php
CVE-2026-1551 | MEDIUM | CVSS 6.3 | itsourcecode School Management System 1.0 - SQL Injection via ID Parameter
CVE-2026-1546 | MEDIUM | CVSS 6.3 | jishenghua jshERP < 3.6 - SQL Injection via getBillItemByParam barCodes Argument