Falhas do tipo CWE-89

11.853 resultados

Injeção de SQL

Fraqueza onde entrada do usuário é concatenada diretamente em comandos SQL sem validação ou sanitização, permitindo que um atacante insira código SQL malicioso. O banco de dados executa comandos não intencionais, comprometendo confidencialidade, integridade e disponibilidade dos dados.

Exemplo

Um formulário de login concatena o usuário digitado direto na query: `SELECT * FROM users WHERE login = '` + input + `'`. Se o usuário digita `admin' OR '1'='1`, a query vira `SELECT * FROM users WHERE login = 'admin' OR '1'='1'`, retornando todos os usuários e burlando autenticação.

Como mitigar

Use prepared statements (consultas parametrizadas) com placeholders, nunca concatene entrada do usuário. Valide e restrinja entrada (whitelist), aplique princípio do menor privilégio na conta do BD e use WAF como camada adicional.

CVE-2025-63451CRITICALCar-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php.EPSS 0.5%CVE-2025-10448MEDIUMCampcodes Online Job Finder System index.php sql injectionEPSS 0.5%CVE-2025-9469MEDIUMitsourcecode Apartment Management System add_fund.php sql injectionEPSS 0.5%CVE-2025-62423MEDIUMClipBucket V5 Blind SQL injection in the Admin PanelEPSS 0.5%CVE-2023-44755CRITICALSacco Management system v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /sacco/ajax.php.EPSS 0.5%CVE-2024-3592CRITICALQuiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress <= 9.0.1 - Authenticated (Contributor+) SQL InjectionEPSS 0.5%CVE-2026-46624CRITICALTwenty: SQL Injection via the timeZone fieldEPSS 0.5%CVE-2025-25516CRITICALSeacms <=13.3 is vulnerable to SQL Injection in admin_paylog.php.EPSS 0.5%CVE-2024-5357MEDIUMPHPGurukul Zoo Management System forgot-password.php sql injectionEPSS 0.5%CVE-2024-53354MEDIUMMultiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote authenticated attackers to execute aEPSS 0.5%CVE-2025-25519CRITICALSeacms <=13.3 is vulnerable to SQL Injection in admin_zyk.php.EPSS 0.5%CVE-2025-25517CRITICALSeacms <=13.3 is vulnerable to SQL Injection in admin_reslib.php.EPSS 0.5%CVE-2025-61028HIGHAn issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via craftEPSS 0.5%CVE-2024-42404HIGHSQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the infEPSS 0.5%CVE-2024-45755HIGHAn issue was discovered in Centreon centreon-dsm-server 24.10.x before 24.10.0, 24.04.x before 24.04.3, 23.10.x before 23.10.1, 23.04.x befoEPSS 0.5%CVE-2024-8624CRITICALMDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 - Authenticated (Contributor+) SQL InjectionEPSS 0.5%CVE-2024-12832HIGHArista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write VulnerabilityEPSS 0.5%CVE-2024-45756HIGHAn issue was discovered in Centreon centreon-open-tickets 24.10.x before 24.10.0, 24.04.x before 24.04.2, 23.10.x before 23.10.1, 23.04.x beEPSS 0.5%CVE-2025-61018HIGHAn issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via EPSS 0.5%CVE-2025-25521CRITICALSeacms <=13.3 is vulnerable to SQL Injection in admin_type_news.php.EPSS 0.5%