CWE-89 19846 个 CVE MITRE 定义 ↗

CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

概览

CWE-89(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))描述一种在漏洞数据库与安全评估中使用的弱点类型;定义、背景与映射 CVE 见下方各节。

安全影响
安全影响:因产品与场景而异;请结合 CVE 记录、严重度评分与 MITRE 说明进行优先级判断。

描述

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

适用平台

类型 名称 普遍性 OS / CPE
language Not Language-Specific Undetermined
language SQL Often
technology Database Server Undetermined

本库相关 CVE

下列 CVE 在本库中映射到该弱点,并保留以便追溯与检索。

CVE 公开时间 摘要
CVE-2026-16014 2026-07-17 A vulnerability was found in code-projects Hospital Bed Management System 1.0. This affects an unknown part of the component Login Form. Performing a manipulation of the argument Username results in s…
CVE-2026-16009 2026-07-17 A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in…
CVE-2026-62238 2026-07-16 OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw…
CVE-2026-14782 2026-07-16 The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient es…
CVE-2026-58078 2026-07-16 The Joomla extension Quix Page Builder Pro is vulnerable to an unauthenticated SQL injection.
CVE-2026-15727 2026-07-16 The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the use…
CVE-2026-15651 2026-07-16 The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the 'filtersource' parameter in all versions up to, and including, 14.6 due to insufficient escaping on…
CVE-2026-15022 2026-07-16 The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insuffi…
CVE-2026-13767 2026-07-16 The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied '…
CVE-2026-13754 2026-07-16 The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.0.0 due to insufficient escaping …
CVE-2026-12395 2026-07-16 The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerab…
CVE-2026-15458 2026-07-16 The SEO Booster plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_field' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied…
CVE-2026-15445 2026-07-16 The SEO Booster plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied…
CVE-2026-12941 2026-07-16 The MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and includin…
CVE-2026-12753 2026-07-16 The Advance Product Search- Voice & Ajax Search for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 's' and 'match' parameter in all versions up to, and including, 1.4.…
CVE-2026-15907 2026-07-15 A flaw has been found in H3C SecPath F1000-C8300 up to 20260522. This impacts an unknown function of the file /webui/?g=log_fw_nbc_mail_jsondata. Executing a manipulation of the argument subject can l…
CVE-2026-62361 2026-07-15 listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to 6.2.0, listmonk’s GET /api/subscribers/export endpoint injects the user-controlled query parameter into QuerySubscr…
CVE-2026-52887 2026-07-15 NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api…
CVE-2026-50030 2026-07-15 DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL preview exposes DatasetDataApi.previewSql/previewSqlCheck through /de2api/datasetData/previewSql, accept…
CVE-2026-45535 2026-07-15 DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL-type datasets store attacker-controlled SQL variable defaultValue entries such as ${var} and SqlparserUt…

曾用名

  • SQL Injection (2008-04-11)
  • Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') (2008-09-09)
  • Failure to Sanitize Data within SQL Queries (aka 'SQL Injection') (2009-01-12)
  • Failure to Preserve SQL Query Structure (aka 'SQL Injection') (2009-05-27)
  • Failure to Preserve SQL Query Structure ('SQL Injection') (2009-07-27)
  • Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (2010-06-21)

内容提交

名称
PLOVER
日期
2006-07-19
版本
Draft 3

内容修订

日期 名称 版本 重要性 评论
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-08-01 1.0 added/updated white box definitions
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Applicable_Platforms, Common_Consequences, Modes_of_Introduction, Name, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Observed_Examples
2009-01-12 CWE Content Team 1.2 updated Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
2009-03-10 CWE Content Team 1.3 updated Potential_Mitigations
2009-05-27 CWE Content Team 1.4 updated Demonstrative_Examples, Name, Related_Attack_Patterns
2009-07-17 KDM Analytics 1.5 Improved the White_Box_Definition
2009-07-27 CWE Content Team 1.5 updated Description, Name, White_Box_Definitions
2009-12-28 CWE Content Team 1.7 updated Potential_Mitigations
2010-02-16 CWE Content Team 1.8 updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Demonstrative_Examples, Potential_Mitigations
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, References, Relationships
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Demonstrative_Examples
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References
2012-05-11 CWE Content Team 2.2 updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-07-17 CWE Content Team 2.5 updated Relationships
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Detection_Factors, Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-05-03 CWE Content Team 2.11 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions
2018-03-27 CWE Content Team 3.1 updated References, Relationships
2019-01-03 CWE Content Team 3.2 updated References, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Relationships
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships, Time_of_Introduction
2020-06-25 CWE Content Team 4.1 updated Demonstrative_Examples, Potential_Mitigations, Relationship_Notes
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Potential_Mitigations, Relationships
2021-07-20 CWE Content Team 4.5 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples, References
2023-01-31 CWE Content Team 4.10 updated Demonstrative_Examples, Description
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2024-02-29 CWE Content Team 4.14 updated Demonstrative_Examples, Observed_Examples
2024-07-16 CWE Content Team 4.15 updated Alternate_Terms, Common_Consequences, Description, Diagram, References
2024-11-19 CWE Content Team 4.16 updated Relationships
2025-04-03 CWE Content Team 4.17 updated Applicable_Platforms, Demonstrative_Examples, References
2025-09-09 CWE Content Team 4.18 updated Detection_Factors, Potential_Mitigations, References
2025-12-11 CWE Content Team 4.19 updated Observed_Examples, Relationships, Weakness_Ordinalities

贡献

类型 名称 日期 评论
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence