Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CVEs (19,368)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2005-3817 2Softbiz Softbizscripts 2Web Hosting Directory Script Web Hosting Directory Script Apr 6, 2026 Nov 26, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in Softbiz Web Host Directory Script 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter in search_result.php, (2) sbres_id parameter...Show more Multiple SQL injection vulnerabilities in Softbiz Web Host Directory Script 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter in search_result.php, (2) sbres_id parameter in review.php, (3) cid parameter in browsecats.php, (4) h_id parameter in email.php, and (5) an unspecified parameter to the search module.Show less
CVE-2005-3748 1Tru Zone 1Nukeet Apr 16, 2026 Nov 22, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in the Search module in Tru-Zone Nuke ET 3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the query parameter.
CVE-2005-3744 1Phpcomasy 1Phpcomasy Apr 16, 2026 Nov 22, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in index.php in phpComasy 0.7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: an examination of the 0.7.5 source code suggests that there i...Show more SQL injection vulnerability in index.php in phpComasy 0.7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: an examination of the 0.7.5 source code suggests that there is no id parameter being handled directly by index.php.Show less
CVE-2005-3686 1Newsboard 1Unclassified Newsboard Apr 16, 2026 Nov 19, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in search.inc.php in Unclassified NewsBoard before 1.5.3 Patch 4 allows remote attackers to execute arbitrary SQL commands via the (1) DateFrom or (2) DateUntil parameter to forum.php.
CVE-2005-3646 2Phpadsnew Phppgads 2Phpadsnew Phppgads Apr 16, 2026 Nov 17, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in lib-sessions.inc.php in phpAdsNew and phpPgAds 2.0.6 and possibly earlier versions allow remote attackers to execute arbitrary SQL commands via the sessionID parameter in (1) log...Show more Multiple SQL injection vulnerabilities in lib-sessions.inc.php in phpAdsNew and phpPgAds 2.0.6 and possibly earlier versions allow remote attackers to execute arbitrary SQL commands via the sessionID parameter in (1) logout.php and (2) index.php.Show less
CVE-2005-3553 1Phpkit 1Phpkit Apr 16, 2026 Nov 16, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in include.php in PHPKIT 1.6.1 R2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in conjunction with the login/userinfo.php path and (...Show more Multiple SQL injection vulnerabilities in include.php in PHPKIT 1.6.1 R2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in conjunction with the login/userinfo.php path and (2) the session parameter (aka the PHPKITSID variable).Show less
CVE-2005-3543 1Phorum 1Phorum Apr 16, 2026 Nov 16, 2005 N/A· v4 N/A· v3 6.8 MEDIUM· v2 SQL injection vulnerability in search.php in Phorum 5.0.0alpha through 5.0.20, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the forum_ids parameter.
CVE-2005-3497 1Phphandicapper 1Php Handicapper Apr 16, 2026 Nov 4, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in process_signup.php in PHP Handicapper allows remote attackers to execute arbitrary SQL commands via the serviceid parameter. NOTE: on 20060210, the vendor disputed this issue, saying "this...Show more SQL injection vulnerability in process_signup.php in PHP Handicapper allows remote attackers to execute arbitrary SQL commands via the serviceid parameter. NOTE: on 20060210, the vendor disputed this issue, saying "this is 100% false reporting, this is a slander campaign from a customer who had a vulnerability in his SERVER not the software." However, followup investigation strongly suggests that the original report is correctShow less
CVE-2005-3365 1Codeworx Technologies 1Dcp Portal Apr 16, 2026 Oct 30, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in DCP-Portal 6 and earlier allow remote attackers to execute arbitrary SQL commands, possibly requiring encoded characters, via (1) the name parameter in register.php, (2) the emai...Show more Multiple SQL injection vulnerabilities in DCP-Portal 6 and earlier allow remote attackers to execute arbitrary SQL commands, possibly requiring encoded characters, via (1) the name parameter in register.php, (2) the email parameter in lostpassword.php, (3) the year parameter in calendar.php, and the (4) cid parameter to index.php. NOTE: the mid parameter for forums.php is already associated with CVE-2005-0454. NOTE: the index.php/cid vector was later reported to affect 6.11.Show less
CVE-2005-3325 2Acid Secureideas 2Analysis Console For Intrusion Databases Basic Analysis And Security Engine Apr 16, 2026 Oct 27, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in (1) acid_qry_main.php in Analysis Console for Intrusion Databases (ACID) 0.9.6b20 and (2) base_qry_main.php in Basic Analysis and Security Engine (BASE) 1.2, and unspecified othe...Show more Multiple SQL injection vulnerabilities in (1) acid_qry_main.php in Analysis Console for Intrusion Databases (ACID) 0.9.6b20 and (2) base_qry_main.php in Basic Analysis and Security Engine (BASE) 1.2, and unspecified other console scripts in these products, allow remote attackers to execute arbitrary SQL commands via the sig[1] parameter and possibly other parameters.Show less
CVE-2005-3046 1Phpmyfaq 1Phpmyfaq Apr 16, 2026 Sep 24, 2005 N/A· v4 N/A· v3 6.8 MEDIUM· v2 SQL injection vulnerability in password.php in PhpMyFaq 1.5.1 allows remote attackers to modify SQL queries and gain administrator privileges via the user field.
CVE-2005-2983 1Oracle 1Reports Apr 16, 2026 Sep 20, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in Oracle Reports that use Lexical References allows remote attackers to execute arbitrary SQL commands via the values in the parameter form that appears when the paramform parameter is set to...Show more SQL injection vulnerability in Oracle Reports that use Lexical References allows remote attackers to execute arbitrary SQL commands via the values in the parameter form that appears when the paramform parameter is set to yes.Show less
CVE-2005-2035 1Cool Cafe Chat 1Cool Cafe Chat Apr 16, 2026 Jun 16, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in login.asp for Cool Cafe (Cool Café) Chat 1.2.1 allows remote attackers to execute arbitrary SQL commands via the password.
CVE-2005-1500 1Mywebland 1Mybloggie Apr 16, 2026 May 11, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in myBloggie 2.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the keyword parameter in search.php; or (2) the date_no parameter in viewdate mode, (3) the cat_i...Show more Multiple SQL injection vulnerabilities in myBloggie 2.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the keyword parameter in search.php; or (2) the date_no parameter in viewdate mode, (3) the cat_id parameter in viewcat mode, the (4) month_no or (5) year parameter in viewmonth mode, or (6) post_id parameter in viewid mode to index.php. NOTE: item (1) was discovered to affect 2.1.3 as well.Show less
CVE-2005-1487 1Fishnet 1Fishcart Apr 16, 2026 May 11, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in FishCart 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) cartid parameter to upstnt.php or (2) psku parameter to display.php. NOTE: the vendor disputes...Show more Multiple SQL injection vulnerabilities in FishCart 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) cartid parameter to upstnt.php or (2) psku parameter to display.php. NOTE: the vendor disputes this report, saying that they are forced SQL errors. The original researcher is known to be unreliableShow less
CVE-2005-1017 1Maxwebportal 1Maxwebportal Apr 16, 2026 May 2, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in the Update_Events function in events_functions.asp in MaxWebPortal 1.33 and earlier allows remote attackers to execute arbitrary SQL commands via the EVENT_ID parameter, as demonstrated usi...Show more SQL injection vulnerability in the Update_Events function in events_functions.asp in MaxWebPortal 1.33 and earlier allows remote attackers to execute arbitrary SQL commands via the EVENT_ID parameter, as demonstrated using events.asp.Show less
CVE-2005-0252 1Guillaumegardey 1Biborb Apr 16, 2026 May 2, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in BibORB 1.3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password.
CVE-2005-0413 1Myphp Forum 1Myphp Forum Apr 16, 2026 Apr 27, 2005 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in MyPHP Forum 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the fid in forum.php, (2) the member parameter in member.php, (3) the email parameter in forgot.p...Show more Multiple SQL injection vulnerabilities in MyPHP Forum 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the fid in forum.php, (2) the member parameter in member.php, (3) the email parameter in forgot.php, or (4) the nbuser or nbpass parameters in include.php. NOTE: it was later reported that vector 2 exists in 3.0 and earlier.Show less
CVE-2004-2754 1Yabb 1Yabb Se Apr 16, 2026 Dec 31, 2004 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in SSI.php in YaBB SE 1.5.4, 1.5.3, and possibly other versions before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the ID_MEMBER parameter to the (1) recentTopics and (...Show more SQL injection vulnerability in SSI.php in YaBB SE 1.5.4, 1.5.3, and possibly other versions before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the ID_MEMBER parameter to the (1) recentTopics and (2) welcome functions.Show less
CVE-2004-2751 1Postnuke Software Foundation 1Postnuke Apr 16, 2026 Dec 31, 2004 N/A· v4 N/A· v3 6.8 MEDIUM· v2 SQL injection vulnerability in the members_list module in PostNuke 0.726, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the sortby parameter.

Previous 1...965 966967968 969 Next