CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,569 vulnerabilities with CWE-89
CVE-2025-10047 MEDIUM
Email Tracker for WordPress <= 5.3.15 - Authenticated SQL Injection via orderby
CVSS 4.9
CVE-2025-61194 MEDIUM
daicuo V1.3.13 - SQL Injection in Builder.php
CVSS 6.5
CVE-2025-56450 MEDIUM
Log2Space Subscriber Management Software 1.1 - SQL Injection
CVSS 6.5
CVE-2025-9339 HIGH
SIMPLE.ERP <[email protected] - SQL Injection
CVE-2025-9428 HIGH
ManageEngine Analytics Plus <= 6171 - Authenticated SQL Injection via Key Update API
CVSS 8.3
CVE-2025-26392 MEDIUM
SolarWinds Observability Self-Hosted < 2025.4 - Authenticated SQL Injection
CVSS 5.4
CVE-2025-62658 HIGH
MediaWiki WatchAnalytics <1.44 - SQL Injection
CVE-2025-60783 MEDIUM
Restaurant Management System DBMS Project v1.0 - SQL Injection
CVSS 6.5
CVE-2025-47902 HIGH
Microchip Time Provider 4100 < 2.5 - SQL Injection
CVSS 8.8
CVE-2025-61455 CRITICAL
Bhabishya-123 E-commerce 1.0 - SQL Injection
CVSS 9.8
CVE-2025-41028 CRITICAL
Epsilon RH >=3.03.36.010 <3.03.36.010 - SQL Injection via sEstadoUsr Parameter
CVE-2025-11944 MEDIUM
vvveb < 1.0.7.3 - SQL Injection via Import Function Raw SQL Handler
CVSS 4.7
CVE-2025-11691 HIGH
PPOM - Product Addons & Custom Fields for WooCommerce <33.0.15 - SQ...
CVSS 7.5
CVE-2025-10187 MEDIUM
GSpeech TTS - WordPress Text To Speech Plugin <3.17.13 - SQL Injection
CVSS 4.9
CVE-2025-62655 LOW
MediaWiki Cargo <1.44 - SQL Injection
CVE-2025-11912 MEDIUM
Streamax Crocus 1.3.40 - SQL Injection via DeviceState.do orderField Parameter
CVSS 6.3
CVE-2025-11911 MEDIUM
Streamax Crocus 1.3.40 - SQL Injection via DeviceFault.do sortField Parameter
CVSS 6.3
CVE-2025-11910 MEDIUM
Streamax Crocus 1.3.40 - SQL Injection via MemoryState.do orderField Parameter
CVSS 6.3
CVE-2025-56316 CRITICAL
MCMS 5.5.0-<6.0.2 - SQL Injection via Content Title Parameter
CVSS 9.8
CVE-2025-11909 MEDIUM
Streamax Crocus 1.3.40 - SQL Injection via RepairRecord.do orderField Parameter
CVSS 6.3
CVE-2025-62422 HIGH
DataEase < 2.10.14 - SQL Injection via tableName Parameter
CVSS 8.8
CVE-2025-60514 MEDIUM
Tillywork <= 0.1.3 - SQL Injection in Query Builder Helper
CVSS 6.5
CVE-2025-11904 MEDIUM
ChanCMS < 3.3.2 - SQL Injection via hasUse Function ID Parameter
CVSS 6.3
CVE-2025-11903 MEDIUM
ChanCMS < 3.3.2 - SQL Injection via Article Update CID Parameter
CVSS 6.3
CVE-2025-11902 MEDIUM
chancms < 3.3.2 - SQL Injection via cid Parameter in findField Function
CVSS 6.3
Details
Vulnerabilities 19,569
Exploit Likelihood High