Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CVEs (19,296)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-37346 - - Apr 17, 2026 Apr 16, 2026 N/A· v4 4.7 MEDIUM· v3 N/A· v2 SourceCodester Payroll Management and Information System v1.0 is vulnerable to SQL Injection in the file /payroll/view_account.php?emp_id=.
CVE-2026-37345 - - Apr 17, 2026 Apr 16, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_park.php.
CVE-2026-37344 - - Apr 18, 2026 Apr 16, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_location.php.
CVE-2026-37343 - - Apr 18, 2026 Apr 16, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_user.php.
CVE-2026-37342 - - Apr 18, 2026 Apr 16, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php.
CVE-2026-37341 - - Apr 18, 2026 Apr 16, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/manage_category.php.
CVE-2026-37340 - - Apr 18, 2026 Apr 16, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/edit_music.php.
CVE-2026-37339 - - Apr 18, 2026 Apr 16, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_genre.php.
CVE-2026-37338 - - Apr 17, 2026 Apr 16, 2026 N/A· v4 9.4 CRITICAL· v3 N/A· v2 SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php.
CVE-2026-37337 - - Apr 17, 2026 Apr 16, 2026 N/A· v4 7.3 HIGH· v3 N/A· v2 SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_playlist.php.
CVE-2026-37336 - - Apr 17, 2026 Apr 16, 2026 N/A· v4 7.3 HIGH· v3 N/A· v2 SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_music.php.
CVE-2026-5785 - - Apr 17, 2026 Apr 16, 2026 N/A· v4 8.1 HIGH· v3 N/A· v2 Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
CVE-2026-3489 - - Apr 22, 2026 Apr 16, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on...Show more The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.Show less
CVE-2026-3773 - - Apr 22, 2026 Apr 16, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.20. This is due to insufficient escaping on the user supplie...Show more The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.Show less
CVE-2026-3599 - - Apr 22, 2026 Apr 16, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all v...Show more The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.Show less
CVE-2026-30995 - - Apr 17, 2026 Apr 15, 2026 N/A· v4 8.6 HIGH· v3 N/A· v2 Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.
CVE-2026-20061 1Cisco 1Unity Connection Apr 28, 2026 Apr 15, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability,...Show more A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.Show less
CVE-2025-63029 - - Apr 23, 2026 Apr 15, 2026 N/A· v4 7.6 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n...Show more Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through <= 3.7.1.Show less
CVE-2026-40745 - - Apr 22, 2026 Apr 15, 2026 N/A· v4 7.6 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Elemen...Show more Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.Show less
CVE-2026-40744 - - Apr 22, 2026 Apr 15, 2026 N/A· v4 8.5 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder...Show more Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder: from n/a through <= 2.10.1.2.Show less

Previous 1...282930...965 Next