CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableExploit Likelihood: High🏆 #3 in Top 25 (2024)

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

View on MITRE
1,467Related CVEs
34.27Severity Score
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
SQLNot Language-Specific
Platforms

🏆 CWE Top 25 Historical Ranking

2023:#3
Score: 34.27
1,352 CVEs
2024:#3=
Score: 34.27
1,467 CVEs
Trend:Stable (no rank change)

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-89

CWE Top 25 Most Dangerous

See how this weakness ranks against others

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references