CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
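The two halves of the description above, string-building and parsing, are easiest to see side by side. The following is an added example written for this page, not code from MITRE or from any product listed below; it uses Python's standard-library sqlite3 module, a constructed three-row users table, and hypothetical function names (find_user_vulnerable, find_user_safe, list_users_ordered_vulnerable, list_users_ordered_safe). It shows a WHERE-clause injection beside its parameterized fix, and then the ORDER BY case behind several of the 'order' / 'order_by' entries listed further down, where a bound parameter cannot be used and an allowlist is the correct control:

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from any product
# listed on this page).
SAMPLE_ROWS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (id, username, role) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_user_vulnerable(conn, username):
    """CWE-89: the input is spliced into the statement text, so a quote in the
    input closes the literal and whatever follows is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the value travels separately from the statement
    and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_ordered_vulnerable(conn, order_by):
    """CWE-89 in an ORDER BY clause. Identifiers cannot be bound with '?', so
    the column name is concatenated; an attacker supplies an expression instead
    and reads the answer to a yes/no question out of the resulting row order."""
    sql = f"SELECT username FROM users ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql).fetchall()]


ALLOWED_ORDER_COLUMNS = {"id", "username", "role"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_users_ordered_safe(conn, order_by, direction="ASC"):
    """Identifiers are checked against a fixed allowlist; only a value that
    exactly matches an allowlist entry ever reaches the statement text."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported order column: {order_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT username FROM users ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Payloads used in the demonstration (constructed).
TAUTOLOGY = "x' OR '1'='1"
# Boolean inference through ORDER BY: rows come back id-ascending if alice is
# an admin and id-descending otherwise, so the first username leaks the answer.
ORDER_PROBE = ("(CASE WHEN (SELECT role FROM users WHERE username = 'alice') = 'admin' "
               "THEN id ELSE -id END)")

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(conn, TAUTOLOGY))  # all three rows
    print("parameterized, tautology:", find_user_safe(conn, TAUTOLOGY))     # []
    print("vulnerable ORDER BY probe:", list_users_ordered_vulnerable(conn, ORDER_PROBE))  # alice first
    print("allowlisted ORDER BY:", list_users_ordered_safe(conn, "username", "desc"))
    try:
        list_users_ordered_safe(conn, ORDER_PROBE)
    except ValueError as exc:
        print("allowlist rejected probe:", exc)
```

The ORDER BY half is the one worth dwelling on: the tautology payload fails against find_user_safe because the driver never parses the value, but no driver can bind a column name, so the only neutralization available for identifiers (sort columns, table names, direction keywords) is to refuse anything outside a fixed set, as list_users_ordered_safe does. Escaping the identifier is not a substitute, since the probe contains no quote characters at all.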

19,402 vulnerabilities with CWE-89
CVE             Severity  Score     Title
CVE-2026-10039  MEDIUM    CVSS 4.9  Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter
CVE-2026-4776   HIGH      CVSS 7.1  Mautic - Authenticated SQL Injection via API Contact Filtering Mechanism
CVE-2026-45288  CRITICAL  CVSS 9.8  Marten < 8.36.1 - SQL Injection in regConfig Parameter
CVE-2026-7048   MEDIUM    CVSS 6.5  Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute
CVE-2026-7797   HIGH      CVSS 7.5  Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
CVE-2026-44886  HIGH      CVSS n/a  Pi.Alert: Web Interface Vulnerable to Unauthenticated Blind SQL Injection
CVE-2026-44635  HIGH      CVSS 7.5  Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
CVE-2026-44521  HIGH      CVSS 8.8  elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)
CVE-2026-38808  MEDIUM    CVSS 5.3  uzy-ssm-mall 1.1.0 - SQL Injection via ProductMapper.xml and OrderUtil.java
CVE-2026-38930  MEDIUM    CVSS 6.5  OpenRapid RapidCMS 1.3.1 - Authentication Bypass via SQL Injection in Name Cookie Parameter
CVE-2026-49046  HIGH      CVSS 8.5  WordPress Duplicate Page and Post plugin <= 2.9.5 - SQL Injection vulnerability
CVE-2026-9617   MEDIUM    CVSS 6.8  PostgreSQL Anonymizer: malicious column name allows SQL injection via anon.k_anonymity() function
CVE-2026-42761  CRITICAL  CVSS 9.3  WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability
CVE-2026-42755  CRITICAL  CVSS 9.3  WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability
CVE-2026-42747  CRITICAL  CVSS 9.3  WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability
CVE-2026-42740  CRITICAL  CVSS 9.3  WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability
CVE-2026-42730  HIGH      CVSS 8.5  WordPress MasterStudy LMS plugin <= 3.7.29 - SQL Injection vulnerability
CVE-2026-42727  CRITICAL  CVSS 9.3  WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability
CVE-2026-8054   CRITICAL  CVSS n/a  Unauthenticated SQL Injection in dotCMS Publish Audit API
CVE-2026-40850  HIGH      CVSS 7.5  MB connect line mbCONNECT24 - Unauthenticated SQLI in getAccountData Function
CVE-2026-40849  MEDIUM    CVSS 6.5  MB connect line mbCONNECT24 - Authenticated SQLI in user_alarmprofile View
CVE-2026-40848  MEDIUM    CVSS 6.5  MB connect line mbCONNECT24 - Authenticated SQLI in Tag View
CVE-2026-40847  MEDIUM    CVSS 6.5  MB connect line mbCONNECT24 - Authenticated SQLI in system_tag View
CVE-2026-40846  MEDIUM    CVSS 6.5  MB connect line mbCONNECT24 - Authenticated SQLI in System View
CVE-2026-40845  MEDIUM    CVSS 6.5  MB connect line mbCONNECT24 - Authenticated SQLI in devices_configuration View