CWE-89

SQL Injection (SQLi) allows attackers to execute malicious SQL statements. Learn how Precogs AI detects and prevents this critical vulnerability.

Verified by Precogs Threat Research
BASE SCORE
9.8 CRITICAL

Precogs AI Insight

"Precogs AI detected unsanitized string concatenation in your database queries. This pattern leaves the application vulnerable to injection attacks, allowing attackers to access, modify, or delete internal database records without authorization."

EXPLOIT PROBABILITYHigh
PUBLIC POCAvailable

What is CWE-89 (SQL Injection)?

SQL Injection (SQLi) is a critical web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It typically occurs when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and unexpectedly executed.

Impact on Systems

  • Data Exfiltration: Unauthorized access to sensitive user data, financial records, or internal system configurations.
  • Data Modification: Attackers can modify or delete database contents (Insert/Update/Delete operations), violating data integrity.
  • Authentication Bypass: By manipulating login queries, attackers can log in as an administrator without knowing the password.
  • Remote Code Execution: In certain configurations (e.g., using xp_cmdshell in SQL Server), an attacker can execute OS-level commands on the database server.

Vulnerability Signature

// Example of a vulnerable Node.js/Express snippet

const category = req.query.category;

// DANGEROUS: Direct string concatenation of user input
const query = `SELECT * FROM products WHERE category = '${category}'`;

db.query(query, (err, result) => {
  if (err) throw err;
  console.log(result);
});

Remediation

The most effective way to prevent SQL Injection is to use Parameterized Queries (Prepared Statements) or an Object-Relational Mapping (ORM) library that handles parameterization automatically.

1. Parametrized Queries

Use libraries that support secure parameter binding instead of concatenating raw strings.

// SECURED: Using parameterized queries avoids SQL injection
const category = req.query.category;

// Safe: The database driver treats '?' strictly as data, not executable code
const query = 'SELECT * FROM products WHERE category = ?';

db.query(query, [category], (err, result) => {
  if (err) throw err;
  console.log(result);
});

2. Input Validation

Implement strict input validation on the server side using allowlists rather than denylists. Ensure that input strongly matches expected data types (e.g., converting a string to an integer explicitly if an ID is expected).

CVEs Classified Under CWE-8925 vulnerabilities

The following CVEs have been classified under CWE-89 (SQL Injection). Each CVE represents a specific vulnerability instance of this weakness type.

CVE-2026-0501SAP S/4HANA Financials SQL Injection — Maximum CVSS 9
CVSS 9.9CRITICALMar 21, 2026
CVE-2025-27892SQL Injection in Shopware e-commerce platform
CVSS 9.8CRITICALMar 21, 2026
CVE-2026-32767SiYuan is a personal knowledge management system
CVSS 9.8CRITICALMar 20, 2026
CVE-2025-67830Mura before 10
CVSS 9.8CRITICALMar 18, 2026
CVE-2025-67829Mura before 10
CVSS 9.8CRITICALMar 18, 2026
CVE-2026-28430Chamilo LMS is a learning management system
CVSS 9.8CRITICALMar 16, 2026
CVE-2025-62319Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields
CVSS 9.8CRITICALMar 16, 2026
CVE-2026-33134WeGIA is a web manager for charitable institutions
CVSS 9.3CRITICALMar 20, 2026
CVE-2026-27413Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection
CVSS 9.3CRITICALMar 19, 2026
CVE-2026-32698OpenProject is an open-source, web-based project management software
CVSS 9.1CRITICALMar 18, 2026
CVE-2024-34226SQL Injection in WordPress Plugin
CVSS 8.8HIGHMar 21, 2026
CVE-2026-3334The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2
CVSS 8.8HIGHMar 21, 2026
CVE-2026-32888Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework
CVSS 8.8HIGHMar 20, 2026
CVE-2026-33288SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS 8.8HIGHMar 20, 2026
CVE-2026-29099SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS 8.8HIGHMar 19, 2026
CVE-2026-32321ClipBucket v5 is an open source video sharing platform
CVSS 8.8HIGHMar 18, 2026
CVE-2025-58112Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9
CVSS 8.8HIGHMar 18, 2026
CVE-2026-22730A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands
CVSS 8.8HIGHMar 18, 2026
CVE-2026-30881Chamilo LMS is a learning management system
CVSS 8.8HIGHMar 16, 2026
CVE-2026-3023Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets
CVSS 8.8HIGHMar 16, 2026
CVE-2026-32628AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting
CVSS 8.8HIGHMar 16, 2026
CVE-2019-25581i-doit CMDB 1
CVSS 8.2HIGHMar 21, 2026
CVE-2019-25576Kepler Wallpaper Script 1
CVSS 8.2HIGHMar 21, 2026
CVE-2019-25575SimplePress CMS 1
CVSS 8.2HIGHMar 21, 2026
CVE-2026-32763Kysely is a type-safe TypeScript SQL query builder
CVSS 8.2HIGHMar 20, 2026

Supplemental Intelligence & References

📋 OWASP Top 10

📖 Security Guides

🛡️ Notable Vulnerabilities

🔗 External References