CWE-89 (SQL命令中使用的特殊元素转义处理不恰当(SQL注入)) — Vulnerability Class 8857

8857 vulnerabilities classified as CWE-89 (SQL命令中使用的特殊元素转义处理不恰当(SQL注入)). AI Chinese analysis included.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-4485	itsourcecode College Management System search_student.php sql injection — College Management System	6.3	Medium	2026-03-20
CVE-2026-33134	WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter — WeGIA	9.3	Critical	2026-03-20
CVE-2026-33133	WeGIA has an arbitrary SQL execution vulnerability via crafted backup archive — WeGIA	8.8	-	2026-03-20
CVE-2026-4473	itsourcecode Online Doctor Appointment System appointment_action.php sql injection — Online Doctor Appointment System	4.7	Medium	2026-03-20
CVE-2026-4472	itsourcecode Online Frozen Foods Ordering System admin_edit_supplier.php sql injection — Online Frozen Foods Ordering System	6.3	Medium	2026-03-20
CVE-2026-4471	itsourcecode Online Frozen Foods Ordering System admin_edit_employee.php sql injection — Online Frozen Foods Ordering System	4.7	Medium	2026-03-20
CVE-2026-33025	AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause — AVideo-Encoder	9.8	-	2026-03-20
CVE-2026-4470	itsourcecode Online Frozen Foods Ordering System admin_edit_menu.php sql injection — Online Frozen Foods Ordering System	4.7	Medium	2026-03-20
CVE-2026-32954	ERP has a possibility SQL Injection vulnerability due to missing validation — erpnext	7.1	High	2026-03-20
CVE-2026-32950	SQLBot: RCE via SQL Injection in Excel Upload Endpoint — SQLBot	8.8	-	2026-03-20
CVE-2026-4469	itsourcecode Online Frozen Foods Ordering System admin_edit_menu_action.php sql injection — Online Frozen Foods Ordering System	4.7	Medium	2026-03-20
CVE-2026-32888	Open Source Point of Sale is Vulnerable to SQL Injection Through its Item Search Functionality — opensourcepos	8.8	High	2026-03-20
CVE-2026-32813	Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter) — admidio	8.0	High	2026-03-20
CVE-2026-32767	SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API — siyuan	9.8	Critical	2026-03-20
CVE-2026-32763	SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. — kysely	8.2	High	2026-03-19
CVE-2026-33288	SuiteCRM has Authenticated SQL Injection in Authentication Module — SuiteCRM	8.8	High	2026-03-19
CVE-2026-29099	SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality. — SuiteCRM	8.8	High	2026-03-19
CVE-2026-29096	SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields — SuiteCRM	8.1	High	2026-03-19
CVE-2026-3658	Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	7.5	High	2026-03-19
CVE-2026-27413	WordPress Profile Builder Pro plugin < 3.14.0 - SQL Injection vulnerability — Profile Builder Pro	9.3	Critical	2026-03-19
CVE-2026-32698	OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution — openproject	9.1	Critical	2026-03-18
CVE-2026-32321	ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration — clipbucket-v5	8.8	High	2026-03-18
CVE-2026-32611	Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements — glances	7.0	High	2026-03-18
CVE-2026-31891	Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() — Cockpit	7.7	High	2026-03-18
CVE-2026-33058	Kanboard has Authenticated SQL Injection in Project Permissions Handler — kanboard	6.5	-	2026-03-18
CVE-2026-26001	GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report — glpi-inventory-plugin	7.1	High	2026-03-17
CVE-2026-25936	GLPI Vulnerable to Authenticated SQL Injection — glpi	6.5	Medium	2026-03-17
CVE-2026-4319	code-projects Simple Food Order System add-item.php sql injection — Simple Food Order System	7.3	High	2026-03-17
CVE-2026-4324	Rubygem-katello: katello: denial of service and potential information disclosure via sql injection — Red Hat Satellite 6.17 for RHEL 9	5.4	Medium	2026-03-17
CVE-2026-2579	WowStore – Store Builder & Product Blocks for WooCommerce <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter — WowStore – Store Builder & Product Blocks for WooCommerce	7.5	High	2026-03-17

Vulnerabilities classified as CWE-89 (SQL命令中使用的特殊元素转义处理不恰当(SQL注入)) represent 8857 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

CWE-89 (SQL命令中使用的特殊元素转义处理不恰当(SQL注入)) — Vulnerability Class 8857