CWE-89
SQL Injection
MITRE: No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
showing 50 of 105
- CVE-2026-9848 · High · 7.5 · 6 h ago
The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()
- CVE-2026-12131 · Medium · 6.3 · 11 h ago
A weakness has been identified in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function Invoice of the file \application\controllers\Payroll.php of the component Payroll Invoice Module. This manipulation of
- CVE-2026-44172 · — · EPSS 0% · 15 h ago
MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text proto
- CVE-2024-29824 · High · 8.8 · KEV · EXPLOIT · EPSS 94% · 16 h ago
Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability
- CVE-2023-46748 · High · 8.8 · KEV · EPSS 4% · 16 h ago
F5 BIG-IP Configuration Utility SQL Injection Vulnerability
- CVE-2025-57819 · Critical · 9.8 · KEV · EXPLOIT · EPSS 77% · 16 h ago
Sangoma FreePBX Authentication Bypass Vulnerability
- CVE-2025-25181 · Medium · 5.8 · KEV · EPSS 72% · 16 h ago
Advantive VeraCore SQL Injection Vulnerability
- CVE-2020-17463 · Critical · 9.8 · KEV · EPSS 18% · 16 h ago
Fuel CMS SQL Injection Vulnerability
- CVE-2018-7841 · Critical · 9.8 · KEV · EXPLOIT · EPSS 59% · 16 h ago
Schneider Electric U.motion Builder SQL Injection Vulnerability
- CVE-2024-43468 · Critical · 9.8 · KEV · EPSS 83% · 16 h ago
Microsoft Configuration Manager SQL Injection Vulnerability
- CVE-2021-20016 · Critical · 9.8 · KEV · EPSS 80% · 16 h ago
SonicWall SSLVPN SMA100 SQL Injection Vulnerability
- CVE-2016-2386 · Critical · 9.8 · KEV · EXPLOIT · EPSS 44% · 16 h ago
SAP NetWeaver SQL Injection Vulnerability
- CVE-2021-44026 · Critical · 9.8 · KEV · EPSS 73% · 16 h ago
Roundcube Webmail SQL Injection Vulnerability
- CVE-2026-21643 · Critical · 9.8 · KEV · EPSS 71% · 16 h ago
Fortinet FortiClient EMS SQL Injection Vulnerability
- CVE-2021-27101 · Critical · 9.8 · KEV · EPSS 1% · 16 h ago
Accellion FTA SQL Injection Vulnerability
- CVE-2023-34362 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 16 h ago
Progress MOVEit Transfer SQL Injection Vulnerability
- CVE-2024-6670 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 16 h ago
Progress WhatsUp Gold SQL Injection Vulnerability
- CVE-2017-18362 · Critical · 9.8 · KEV · EPSS 81% · 16 h ago
Kaseya VSA SQL Injection Vulnerability
- CVE-2026-42208 · Critical · 9.8 · KEV · EPSS 63% · 16 h ago
BerriAI LiteLLM SQL Injection Vulnerability
- CVE-2023-48788 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 16 h ago
Fortinet FortiClient EMS SQL Injection Vulnerability
- CVE-2026-9082 · Critical · 9.8 · KEV · EXPLOIT · EPSS 10% · 16 h ago
Drupal Core SQL Injection Vulnerability
- CVE-2021-20028 · Critical · 9.8 · KEV · EPSS 80% · 16 h ago
SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability
- CVE-2019-7481 · High · 7.5 · KEV · EPSS 94% · 16 h ago
SonicWall SMA100 SQL Injection Vulnerability
- CVE-2021-42258 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 16 h ago
BQE BillQuick Web Suite SQL Injection Vulnerability
- CVE-2020-5722 · Critical · 9.8 · KEV · EXPLOIT · EPSS 93% · 16 h ago
Grandstream Networks UCM6200 Series SQL Injection Vulnerability
- CVE-2020-12271 · Critical · 9.8 · KEV · EPSS 87% · 16 h ago
Sophos SFOS SQL Injection Vulnerability
- CVE-2024-9465 · Critical · 9.1 · KEV · EPSS 94% · 16 h ago
Palo Alto Networks Expedition SQL Injection Vulnerability
- CVE-2025-25257 · Critical · 9.8 · KEV · EXPLOIT · EPSS 26% · 16 h ago
Fortinet FortiWeb SQL Injection Vulnerability
- CVE-2019-12989 · Critical · 9.8 · KEV · EXPLOIT · EPSS 92% · 16 h ago
Citrix SD-WAN and NetScaler SQL Injection Vulnerability
- CVE-2020-29574 · Critical · 9.8 · KEV · EPSS 10% · 16 h ago
CyberoamOS (CROS) SQL Injection Vulnerability
- CVE-2024-9379 · Medium · 6.5 · KEV · EPSS 82% · 16 h ago
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
- CVE-2026-45418 · High · 8.8 · EPSS 0% · 17 h ago
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /acti
- CVE-2026-48613 · Medium · 5.9 · EPSS 0% · 17 h ago
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from
- CVE-2026-41581 · — · EPSS 0% · 17 h ago
Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0.
- CVE-2026-45060 · Critical · 9.8 · EPSS 0% · 17 h ago
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #129, the actions/progress_video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queri
- CVE-2023-34576 · Critical · 9.8 · EPSS 0% · 18 h ago
SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspecified vector.
- CVE-2023-34575 · Critical · 9.8 · EPSS 0% · 18 h ago
SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayA
- CVE-2026-42647 · Critical · 9.3 · EPSS 5% · 20 h ago
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7.
- CVE-2026-39494 · Critical · 9.3 · EPSS 0% · 20 h ago
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2.
- CVE-2026-11945 · Medium · 6.4 · EPSS 0% · 1 d ago
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or im
- CVE-2026-49498 · High · 8.8 · EPSS 0% · 1 d ago
Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can i
- CVE-2026-38581 · Critical · 9.8 · EPSS 0% · 1 d ago
SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The param
- CVE-2026-52758 · High · 8.8 · EPSS 0% · 1 d ago
Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim netw
- CVE-2026-45779 · Critical · 9.8 · EPSS 0% · 2 d ago
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploi
- CVE-2026-3326 · High · 8.6 · EPSS 0% · 2 d ago
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
- CVE-2026-53474 · Critical · 9.6 · EPSS 0% · 2 d ago
A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cel
- CVE-2026-3018 · High · 7.5 · EPSS 18% · 2 d ago
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficie
- CVE-2026-50636 · High · 8.8 · EPSS 0% · 3 d ago
The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameteriza
- CVE-2026-8025 · Critical · 9.8 · EPSS 0% · 3 d ago
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in MOSK Information Technologies Ltd. CBS Platform allows SQL Injection. This issue affects CBS Platform: through 09062026. NOTE: The vendo
- CVE-2026-11531 · High · 7.3 · EPSS 0% · 3 d ago
A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Perf
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.