CVE-2026-26116

HIGH

Microsoft SQL Server 2016-2025 Authenticated SQL Injection

Title source: llm

Description

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26116

Scores

CVSS v3 8.8

EPSS 0.0006

EPSS Percentile 19.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (7)

Microsoft/Microsoft SQL Server 2025 (CU 2) 17.0.0.0 - 17.0.4020.2

Microsoft/Microsoft SQL Server 2025 for x64-based Systems (GDR) 17.0.1050.2 - 17.0.1105.2

microsoft/sql_server_2016 13.0.6300.2 - 13.0.6480.4

microsoft/sql_server_2017 14.0.1000.169 - 14.0.2100.4

microsoft/sql_server_2019 15.0.2000.5 - 15.0.2160.4

microsoft/sql_server_2022 16.0.1000.6 - 16.0.1170.5

microsoft/sql_server_2025 17.0.1000.7 - 17.0.1105.2

Published Mar 10, 2026

Tracked Since Mar 11, 2026