CWE-89

19,296 CVEs • Abstraction: Base • Likelihood of Exploit: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
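The description above in working code, as an added example written for this page (it is not code from the page or from any vendor or project listed below). It uses an in-memory SQLite database with a constructed `user_login` table, and the function names `users_active_vulnerable`, `users_active_half_fixed`, `users_active_safe`, `users_active_validated` and the stand-in sanitiser `remove_xss_like` are all assumptions chosen for illustration. Three things are shown: the string-built query that lets a quoted date parameter escape its literal, the incomplete-fix pattern of putting an HTML/XSS filter in front of the same query (the shape of the Chamilo entry below), and the hardened form with bound parameters plus input validation.

```python
import re
import sqlite3

# Constructed sample rows; not data from any product on this page.
LOGINS = [(1, "2026-01-05"), (2, "2026-02-10"), (3, "2026-03-15"), (4, "2026-04-01")]

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with one constructed table of login events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_login (user_id INTEGER, login_date TEXT)")
    conn.executemany("INSERT INTO user_login VALUES (?, ?)", LOGINS)
    return conn


def users_active_vulnerable(conn, date_start, date_end):
    """CWE-89: request parameters are spliced into the SQL text.

    A value containing a single quote closes the string literal, and whatever
    follows is parsed by the database as SQL rather than as data.
    """
    sql = (
        "SELECT user_id FROM user_login "
        f"WHERE login_date >= '{date_start}' AND login_date <= '{date_end}' "
        "ORDER BY user_id"
    )
    return [row[0] for row in conn.execute(sql)]


def remove_xss_like(value):
    """Hypothetical HTML/XSS sanitiser: strips tags and angle brackets only.

    It is not an SQL defence: quotes, comment markers and keywords pass through.
    """
    return re.sub(r"<[^>]*>", "", value).replace("<", "").replace(">", "")


def users_active_half_fixed(conn, date_start, date_end):
    """The incomplete-fix pattern: an XSS filter in front of the same string-built query."""
    return users_active_vulnerable(conn, remove_xss_like(date_start), remove_xss_like(date_end))


def users_active_safe(conn, date_start, date_end):
    """Hardened form: placeholders plus bound parameters.

    The driver sends the values separately from the statement text, so they are
    compared as plain strings and never parsed as SQL syntax.
    """
    sql = (
        "SELECT user_id FROM user_login "
        "WHERE login_date >= ? AND login_date <= ? ORDER BY user_id"
    )
    return [row[0] for row in conn.execute(sql, (date_start, date_end))]


def users_active_validated(conn, date_start, date_end):
    """Defence in depth: reject anything that is not YYYY-MM-DD before binding."""
    for value in (date_start, date_end):
        if not DATE_RE.fullmatch(value):
            raise ValueError(f"invalid date parameter: {value!r}")
    return users_active_safe(conn, date_start, date_end)


def rejects(conn, date_start, date_end):
    """True if the validated endpoint refuses the input."""
    try:
        users_active_validated(conn, date_start, date_end)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "2026-03-01' OR '1'='1"
    print("legitimate :", users_active_vulnerable(db, "2026-03-01", "2026-03-31"))
    print("injected   :", users_active_vulnerable(db, payload, "2026-03-31"))
    print("xss filter :", users_active_half_fixed(db, payload, "2026-03-31"))
    print("bound      :", users_active_safe(db, payload, "2026-03-31"))
    print("validated  :", rejects(db, payload, "2026-03-31"))
```

With the payload `2026-03-01' OR '1'='1` the string-built query becomes `WHERE login_date >= '2026-03-01' OR '1'='1' AND login_date <= '2026-03-31'`, and because AND binds tighter than OR every row matches; the XSS filter changes nothing because the payload contains no angle brackets. The bound version compares the payload as a string and returns only the one genuine match, and the validating wrapper refuses it outright. Time-based blind extraction, as mentioned in several entries below, works against the same vulnerable shape: the attacker appends a conditional delay and measures response time instead of reading rows.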

CVEs (19,296)

Each entry lists vendors and products (with counts), the updated and published dates, the CVSS score for v4 / v3 / v2, and the description.
Vendors (1): Chamilo · Products (1): Chamilo Lms · Updated: Apr 23, 2026 · Published: Apr 14, 2026 · CVSS: v4 7.1 HIGH / v3 7.2 HIGH / v2 N/A
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
Vendors (1): Microsoft · Products (5): Sql Server 2016, Sql Server 2017, Sql Server 2019, +2 more · Updated: May 7, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges locally.
Vendors (1): Microsoft · Products (5): Sql Server 2016, Sql Server 2017, Sql Server 2019, +2 more · Updated: May 7, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 7.8 HIGH / v2 N/A
Improper neutralization of special elements used in an SQL command ('SQL injection') in SQL Server allows an authorized attacker to elevate privileges locally.
Vendors (1): Fortinet · Products (1): Fortiddos F · Updated: Apr 20, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 8.8 HIGH / v2 N/A
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests.
Vendors (1): Fortinet · Products (1): Forticlientems · Updated: Apr 21, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 6.7 MEDIUM / v2 N/A
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow an attacker to execute unauthorized code or commands via sending crafted requests.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 7.1 HIGH / v2 N/A
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 9.8 CRITICAL / v2 N/A
In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 9.8 CRITICAL / v2 N/A
A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 9.8 CRITICAL / v2 N/A
Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.
Vendors (1): Fortinet · Products (4): Fortianalyzer, Fortianalyzer Cloud, Fortimanager, +1 more · Updated: Apr 20, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 7.2 HIGH / v2 N/A
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via the JSON RPC API.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php.
Vendors: - · Products: - · Updated: Apr 17, 2026 · Published: Apr 14, 2026 · CVSS: v4 N/A / v3 2.7 LOW / v2 N/A
Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_pricing.php.