CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit likelihood: High
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
19,396 vulnerabilities with CWE-89
Vulnerabilities assigned CWE-89 (CVE, severity, CVSS score, title):

CVE-2026-10203 (MEDIUM, CVSS 6.3): OFCMS JSON Query SystemParamController.java query sql injection
CVE-2026-10202 (MEDIUM, CVSS 6.3): OFCMS JSON Query SystemDictController.java query sql injection
CVE-2026-10193 (MEDIUM, CVSS 6.3): OFCMS ComnController ComnController.java query sql injection
CVE-2026-10186 (HIGH, CVSS 7.3): code-projects Online Hospital Management System patient.php sql injection
CVE-2026-10185 (HIGH, CVSS 7.3): SourceCodester Hospitals Patient Records Management System Users.php save sql injection
CVE-2026-10184 (HIGH, CVSS 7.3): SourceCodester Hospitals Patient Records Management System Users.php delete sql injection
CVE-2026-49490 (HIGH, CVSS 8.1): OpenCATS - SQL Injection in DataGrid Filter Handling for Tags Column
CVE-2026-49489 (HIGH, CVSS 8.5): OpenCATS - SQL Injection in DataGrid sortDirection Parameter
CVE-2026-10178 (HIGH, CVSS 7.3): code-projects Online Music Site AdminEditAlbum.php sql injection
CVE-2026-10176 (MEDIUM, CVSS 6.3): Aider-AI Aider Code Generation Workflow sql injection
CVE-2026-10171 (MEDIUM, CVSS 4.7): code-projects Online Music Site AdminUpdateAlbum.php sql injection
CVE-2026-10170 (MEDIUM, CVSS 6.3): code-projects Visitor Management System phone_0.php sql injection
CVE-2026-10155 (MEDIUM, CVSS 4.7): Bdtask Multi-Store Inventory Management System Accounts Report Accounts.php accounts_report_search sql injection
CVE-2026-9757 (HIGH, CVSS 7.5): GEO my WP <= 4.5.5 - Unauthenticated SQL Injection
CVE-2026-10111 (HIGH, CVSS 7.3): sambitraj STUDENT-MANAGEMENT-SYSTEM Login Page sql injection
CVE-2026-10110 (HIGH, CVSS 7.3): code-projects Student Details Management System index.php sql injection
CVE-2026-10105 (HIGH, CVSS 8.3): agno 2.6.5 SQL Injection via ClickHouse delete_by_metadata()
CVE-2026-39229 (MEDIUM, CVSS 6.5): Bolt CMS <= 3.7.0 - Authenticated SQL Injection via Order Parameter
CVE-2026-44238 (HIGH, CVSS 8.8): FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports
CVE-2026-10039 (MEDIUM, CVSS 4.9): Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter
CVE-2026-4776 (HIGH, CVSS 7.1): Mautic - Authenticated SQL Injection via API Contact Filtering Mechanism
CVE-2026-45288 (CRITICAL, CVSS 9.8): Marten < 8.36.1 - SQL Injection in regConfig Parameter
CVE-2026-7048 (MEDIUM, CVSS 6.5): Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute
CVE-2026-7797 (HIGH, CVSS 7.5): Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
CVE-2026-44886 (HIGH): Pi.Alert: Web Interface Vulnerable to Unauthenticated Blind SQL Injection