CWE-943

Improper Neutralization of Special Elements in Data Query Logic

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

56 vulnerabilities with CWE-943
CVE-2026-47835 (HIGH, CVSS 8.6): Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores
CVE-2026-49482 (MEDIUM, CVSS 4.3): ClipBucket: SQL Wildcard Injection in Subtitle Edit Endpoint Allows Mass Subtitle Overwrite
CVE-2026-47181 (HIGH): PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover
CVE-2026-53674 (HIGH, CVSS 7.1): BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution
CVE-2026-41697 (MEDIUM, CVSS 4.8): Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern
CVE-2026-41696 (MEDIUM, CVSS 5.9): Spring Data MongoDB Bind Parameter Literal Quoting Breakout
CVE-2026-40102 (MEDIUM, CVSS 6.5): Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics
CVE-2026-27886 (HIGH, CVSS 7.5): Strapi may leak sensitive data via relational filtering due to lack of query sanitization
CVE-2026-44425 (MEDIUM, CVSS 5.4): ShellHub: Crash-DoS via field injection in filter and sort-by parameters
CVE-2026-42156 (HIGH): Flowsint: Cypher query injection in node type on node creation
CVE-2026-42316 (MEDIUM, CVSS 6.5): KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto
CVE-2026-33566 (MEDIUM, CVSS 4.3): LogonTracer <2.0.0 - Cypher Injection
CVE-2026-41328 (CRITICAL, CVSS 9.1): Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field
CVE-2026-41327 (CRITICAL, CVSS 9.1): Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field
CVE-2026-41274 (CRITICAL, CVSS 9.8): Flowise: Cypher Injection in GraphCypherQAChain
CVE-2026-6626 (MEDIUM, CVSS 6.3): Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection
CVE-2026-40352 (HIGH, CVSS 8.8): FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover
CVE-2026-40351 (CRITICAL, CVSS 9.8): FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass
CVE-2026-34973 (MEDIUM, CVSS 5.3): phpMyFAQ <4.1.1 Search.php - LIKE Wildcard Injection
CVE-2026-33980 (HIGH, CVSS 8.3): Azure Data Explorer MCP Server <=0.1.1 - KQL Injection
CVE-2026-22558 (HIGH, CVSS 7.7): UniFi Network Application 9.0.118-10.1.89, 10.2.97 - Authenticated NoSQL Injection
CVE-2026-3023 (HIGH, CVSS 8.8): Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application
CVE-2026-3022 (MEDIUM, CVSS 6.5): Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application
CVE-2026-3021 (MEDIUM, CVSS 6.5): Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application
CVE-2026-32248 (CRITICAL, CVSS 9.8): Parse Server <9.6.0-alpha.12/8.6.38 - Auth Bypass