Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable SQL injection needing only a low-privileged login (PR:L) and no user interaction; privilege elevation yields high C/I/A within the unchanged scope of the database server.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted SQL commands over the network and gain higher database privileges (CVSS 8.8). The flaw is a classic improper neutralization of special elements (CWE-89) reachable by any principal already holding low-level database access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold a valid low-privileged SQL Server authentication context (CVSS PR:L) and network connectivity to the SQL Server instance (AV:N), but no user interaction and no elevated privileges beyond that initial low-level access. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates a genuinely high-priority, network-reachable, low-complexity flaw requiring only low privileges and no user interaction, with high impact to confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privileged SQL Server login (for example a compromised application service account or an over-permissioned analyst account) connects over the network and submits input crafted to break out of an intended query into an attacker-controlled SQL command. Because attack complexity is low and no user interaction is needed, the injected commands execute in a higher-privileged context, elevating the attacker's effective rights within the database server. … |
| Remediation | Apply the vendor-released security update for your specific SQL Server branch as tracked in the Microsoft MSRC update guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47295); Patch available per vendor advisory covers SQL Server 2016 SP3 (GDR and Azure Connect Feature Pack), 2017 (GDR/CU 31), 2019 (GDR/CU 32), 2022 (GDR/CU 25), and 2025 (GDR/CU 6) - select the GDR or CU package matching your current servicing train and install the corresponding fixed build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Microsoft SQL Server instances running versions 2016 SP3, 2017, 2019, 2022, or 2025, and document which accounts have database-level access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Remote code execution in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated, low-privileged attacker t
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges loca
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges loca
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44114
GHSA-fxxm-g9hf-2q4h