CWE · MITRE source
CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (2)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
CA-8 | Penetration Testing | CA | Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. |
SI-10 | Information Input Validation | SI | Validates query inputs to prevent SQL syntax or command manipulation. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2021-42258 KEV | 9.6 | 9.8 | 0.9410 | 2021-10-22 |
CVE-2023-34362 KEV | 9.6 | 9.8 | 0.9425 | 2023-06-02 |
CVE-2023-48788 KEV | 9.6 | 9.8 | 0.9408 | 2024-03-12 |
CVE-2024-6670 KEV | 9.6 | 9.8 | 0.9447 | 2024-08-29 |
CVE-2019-12989 KEV | 9.5 | 9.8 | 0.9152 | 2019-07-16 |
CVE-2020-5722 KEV | 9.5 | 9.8 | 0.9274 | 2020-03-23 |
CVE-2024-9465 KEV | 9.5 | 9.1 | 0.9429 | 2024-10-09 |
CVE-2024-29824 KEV | 9.4 | 8.8 | 0.9397 | 2024-05-31 |
CVE-2020-12271 KEV | 9.3 | 9.8 | 0.8894 | 2020-04-27 |
CVE-2019-7481 KEV | 9.2 | 7.5 | 0.9434 | 2019-12-17 |
CVE-2021-20028 KEV | 8.9 | 9.8 | 0.8288 | 2021-08-04 |
CVE-2024-43468 KEV | 8.9 | 9.8 | 0.8311 | 2024-10-08 |
CVE-2017-18362 KEV | 8.8 | 9.8 | 0.8030 | 2019-02-05 |
CVE-2021-20016 KEV | 8.6 | 9.8 | 0.7800 | 2021-02-04 |
CVE-2025-57819 KEV | 8.6 | 9.8 | 0.7673 | 2025-08-28 |
CVE-2021-44026 KEV | 8.3 | 9.8 | 0.7253 | 2021-11-19 |
CVE-2024-9379 KEV | 8.2 | 6.5 | 0.8168 | 2024-10-08 |
CVE-2026-21643 KEV | 7.7 | 9.8 | 0.6252 | 2026-02-06 |
CVE-2017-8917 | 7.6 | 9.8 | 0.9451 | 2017-05-17 |
CVE-2020-10220 | 7.6 | 9.8 | 0.9426 | 2020-03-07 |
CVE-2020-12720 | 7.6 | 9.8 | 0.9387 | 2020-05-08 |
CVE-2020-35846 | 7.6 | 9.8 | 0.9393 | 2020-12-30 |
CVE-2020-35847 | 7.6 | 9.8 | 0.9397 | 2020-12-30 |
CVE-2020-35848 | 7.6 | 9.8 | 0.9321 | 2020-12-30 |
CVE-2023-25157 | 7.6 | 9.8 | 0.9398 | 2023-02-21 |