SQL Injection
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.
How It Works
SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.
Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.
Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.
Impact
- Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
- Authentication bypass — logging in as any user without knowing passwords
- Data manipulation — unauthorized modification or deletion of critical records
- Privilege escalation — granting administrative rights to attacker-controlled accounts
- Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
- Lateral movement — using compromised database credentials to access other connected systems
Real-World Examples
FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.
E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.
Mitigation
- Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
- Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
- Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
- Least privilege database accounts — applications should use credentials with minimal necessary permissions
- Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
- Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts
Recent CVEs (4633)
ERP is a free and open source Enterprise Resource Planning tool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in PHPGurukul Online Course Registration 3.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous allows Blind SQL Injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
index.em7 in ScienceLogic SL1 before 12.1.1 allows SQL Injection via a parameter in a request. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus New Simple Gallery allows Blind SQL Injection.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle WP Full Stripe Free allows SQL Injection.3.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal License Manager for WooCommerce allows Blind SQL Injection.0.12. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A weakness has been identified in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In multiple locations, there is a possible way to read files belonging to other apps due to SQL injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In multiple functions of PickerDbFacade.java, there is a possible unauthorized data access due to SQL injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
dotCMS versions 24.03.22 and after, identified a Boolean-based blind SQLi vulnerability in the /api/v1/contenttype endpoint. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An authenticated SQL injection vulnerability in VX Guestbook 1.07 allows attackers with admin access to inject malicious SQL payloads via the "word" POST parameter in the words.php admin panel. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Input from search query parameter in GOV CMS is not sanitized properly, leading to a Blind SQL injection vulnerability, which might be exploited by an unauthenticated remote attacker. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An SQL injection vulnerability has been found in appRain CMF 4.0.5. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An SQL injection vulnerability has been found in appRain CMF 4.0.5. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An SQL injection vulnerability has been found in appRain CMF 4.0.5. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in 1000projects Beauty Parlour Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
A vulnerability was determined in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in projectworlds Travel Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in 1000projects Beauty Parlour Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL Injection vulnerability in FoxCMS v1.2.6 and before allows a remote attacker to execute arbitrary code via the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFunnels Mail Mint allows SQL Injection.18.5. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
phpgurukul Complaint Management System 2.0 is vulnerable to SQL Injection in /complaint-details.php via the cid parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in itsourcecode Student Information Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in itsourcecode Student Information Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in itsourcecode Student Information Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in SourceCodester Online Farm Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in SourceCodester Food Ordering Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Doubo ERP 1.0 has an SQL injection vulnerability due to a lack of filtering of user input, which can be remotely initiated by an attacker. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
rsbi-pom 4.7 is vulnerable to SQL Injection in the /bi/service/model/DatasetService path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in Campcodes Farm Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in RemoteClinic 2.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A flaw has been found in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in itsourcecode Apartment Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in itsourcecode Apartment Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in SourceCodester Hotel Reservation System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in SourceCodester/Campcodes School Log Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in SourceCodester Eye Clinic Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in Campcodes Hospital Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in Campcodes Online Learning Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in Campcodes Online Feeds Product Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in Campcodes/SourceCodester Courier Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in deepakmisal24 Chemical Inventory Management System up to 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in Campcodes/SourceCodester Courier Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in PHPGurukul User Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in Campcodes Online Learning Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in HKritesh009 Grocery List Management Web App up to f491b681eb70d465f445c9a721415c965190f83b. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in Campcodes Online Loan Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in code-projects Human Resource Integrated System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been found in Campcodes Online Water Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in itsourcecode Apartment Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in PHPGurukul Online Course Registration 3.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in Campcodes Farm Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in SourceCodester Water Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in SourceCodester Water Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security flaw has been discovered in SourceCodester Water Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in SourceCodester Simple Cafe Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in SourceCodester Simple Cafe Billing System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in SourceCodester Online Book Store 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was detected in SourceCodester Online Polling System Code 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was determined in Campcodes Advanced Online Voting System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in Campcodes Online Shopping System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 4633