Falhas do tipo CWE-89

11.853 resultados

Injeção de SQL

Fraqueza onde entrada do usuário é concatenada diretamente em comandos SQL sem validação ou sanitização, permitindo que um atacante insira código SQL malicioso. O banco de dados executa comandos não intencionais, comprometendo confidencialidade, integridade e disponibilidade dos dados.

Exemplo

Um formulário de login concatena o usuário digitado direto na query: `SELECT * FROM users WHERE login = '` + input + `'`. Se o usuário digita `admin' OR '1'='1`, a query vira `SELECT * FROM users WHERE login = 'admin' OR '1'='1'`, retornando todos os usuários e burlando autenticação.

Como mitigar

Use prepared statements (consultas parametrizadas) com placeholders, nunca concatene entrada do usuário. Valide e restrinja entrada (whitelist), aplique princípio do menor privilégio na conta do BD e use WAF como camada adicional.

CVE-2026-33442HIGHKysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.EPSS 0.4%CVE-2024-41944MEDIUMSensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play reportEPSS 0.4%CVE-2024-7800MEDIUMSourceCodester Simple Online Bidding System ajax.php sql injectionEPSS 0.4%CVE-2026-31844HIGHAuthenticated SQL Injection in Koha displayby parameter of suggestion.plEPSS 0.4%CVE-2025-69562CRITICALcode-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter.EPSS 0.4%CVE-2025-0488MEDIUMFanli2012 native-php-cms product_list.php sql injectionEPSS 0.4%CVE-2025-9789MEDIUMSourceCodester Online Hotel Reservation System edituser.php sql injectionEPSS 0.4%CVE-2024-35750HIGHWordPress Gallery – Image and Video Gallery with Thumbnails plugin <= 2.0.3 - SQL Injection vulnerabilityEPSS 0.4%CVE-2025-11473MEDIUMSourceCodester Hotel and Lodge Management System edit_curr.php sql injectionEPSS 0.4%CVE-2025-11608MEDIUMcode-projects E-Banking System POST Parameter register.php sql injectionEPSS 0.4%CVE-2025-11066MEDIUMcode-projects Online Bidding System bidlist.php sql injectionEPSS 0.4%CVE-2025-11074MEDIUMcode-projects Project Monitoring System login.php sql injectionEPSS 0.4%CVE-2024-35678HIGHWordPress Contact Form to DB by BestWebSoft plugin <= 1.7.2 - SQL Injection vulnerabilityEPSS 0.4%CVE-2025-11432MEDIUMitsourcecode Leave Management System reset.php sql injectionEPSS 0.4%CVE-2025-11505MEDIUMPHPGurukul Beauty Parlour Management System new-appointment.php sql injectionEPSS 0.4%CVE-2025-11110MEDIUMCampcodes Online Learning Management System school_year.php sql injectionEPSS 0.4%CVE-2025-11111MEDIUMCampcodes Advanced Online Voting Management System candidates_edit.php sql injectionEPSS 0.4%CVE-2025-3957MEDIUMopplus springboot-admin SysLogDao.xml sql injectionEPSS 0.4%CVE-2025-11061MEDIUMCampcodes Online Learning Management System edit_student.php sql injectionEPSS 0.4%CVE-2025-10788MEDIUMSourceCodester Online Hotel Reservation System deleteroominventory.php sql injectionEPSS 0.4%