Skip to main content

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

50 CVEs Avg CVSS 7.2 MITRE
8
CRITICAL
18
HIGH
21
MEDIUM
2
LOW
5
POC
0
KEV

Monthly

CVE-2026-8649 CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-10698 HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-40141 HIGH PATCH NEWS This Week

Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.

Nosql Injection Information Disclosure Remote Support Privilege Remote Access
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2026-46591 HIGH PATCH This Week

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.

Code Injection Nosql Injection Apache Apache Camel
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-44840 Go HIGH POC PATCH GHSA This Week

DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.

Denial Of Service Nosql Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-45689 CRITICAL PATCH Act Now

{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.

Nosql Injection RCE
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-45688 CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-47835 HIGH PATCH This Week

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.

Nosql Injection Java Elastic Information Disclosure Spring Ai
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-48121 npm MEDIUM PATCH GHSA This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-53674 HIGH This Week

Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Nosql Injection
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.

Nosql Injection Information Disclosure Remote Support +1
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.

Code Injection Nosql Injection Apache +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.

Denial Of Service Nosql Injection
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.

Nosql Injection RCE
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.

Authentication Bypass Nosql Injection
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.

Nosql Injection Java Elastic +2
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Nosql Injection
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy