CVEs classified under CWE-89 (SQL Injection), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-54350 — CVSS 10.0 (critical): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every…
CVE-2026-8054: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints…
CVE-2026-42287: Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions…
CVE-2026-3325: SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias�…
CVE-2025-10878 — CVSS 10.0 (critical): A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and…
CVE-2025-57792 — CVSS 10.0 (critical): Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web…
CVE-2025-52694 — CVSS 10.0 (critical): Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands…
CVE-2025-65091 — CVSS 10.0 (critical): XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the…
CVE-2024-57521 — CVSS 10.0 (critical): SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in…
CVE-2025-63531 — CVSS 10.0 (critical): A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails…
CVE-2025-63689 — CVSS 10.0 (critical): Multiple SQL injection vulnerabilitites in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14)…
CVE-2025-57870 — CVSS 10.0 (critical): A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This…
CVE-2025-50567 — CVSS 10.0 (critical): Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the…
CVE-2012-10047: Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its login mechanism. The username parameter…
CVE-2025-54119 — CVSS 10.0 (critical): ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and…
CVE-2014-125123: An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version…
CVE-2014-125115: An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to…
CVE-2025-4285 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies…
CVE-2025-46337 — CVSS 10.0 (critical): ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9…
CVE-2025-22954 — CVSS 10.0 (critical): GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or…
CVE-2024-13152 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery…
CVE-2024-55971 — CVSS 10.0 (critical): SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to…
CVE-2024-54261 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK Digital Agency LLC TAX SERVICE…
CVE-2024-8529 — CVSS 10.0 (critical): The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the…
CVE-2024-8522 — CVSS 10.0 (critical): The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the…
CVE-2024-6795 — CVSS 10.0 (critical): In Connex health portal released before8/30/2024, SQL injection vulnerabilities were found that could have allowed an unauthenticated…
CVE-2024-43918 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WBW Product Table PRO allows SQL…
CVE-2024-7854 — CVSS 10.0 (critical): The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping…
CVE-2024-39911 — CVSS 10.0 (critical): 1Panel is a web-based linux server management control panel. 1Panel contains an unspecified sql injection via User-Agent handling. This…
CVE-2024-37112 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Membership Software WishList Member…
CVE-2024-1839 — CVSS 10.0 (critical): Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an…
CVE-2024-3605 — CVSS 10.0 (critical): The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms…
CVE-2024-3922 — CVSS 10.0 (critical): The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due…
CVE-2024-36412 — CVSS 10.0 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability…
CVE-2024-3820 — CVSS 10.0 (critical): The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the…
CVE-2024-0851: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Grup Arge Energy and Control Systems…
CVE-2024-32888 — CVSS 10.0 (critical): The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application…
CVE-2024-27298 — CVSS 10.0 (critical): parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the…
CVE-2024-1597 — CVSS 10.0 (critical): pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the…
CVE-2023-25960 — CVSS 10.0 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zendrop Zendrop – Global…
CVE-2023-34976 — CVSS 10.0 (critical): A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to…
CVE-2023-4309 — CVSS 10.0 (critical): Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These…
CVE-2023-39344 — CVSS 10.0 (critical): social-media-skeleton is an uncompleted social media project. A SQL injection vulnerability in the project allows UNION based injections…
CVE-2023-25813 — CVSS 10.0 (critical): Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are…
CVE-2022-2422 — CVSS 10.0 (critical): Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in…
CVE-2022-2421 — CVSS 10.0 (critical): Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which…