CWE-943 · Improper Neutralization of Special Elements in Data Query Logic
49 CVEs classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-4872 | Critical | 9.9 | 2024-08-27 | A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated attacker to inject code t… |
| CVE-2022-36084 | Critical | 9.9 | 2022-09-08 | cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versi… |
| CVE-2026-41274 | Critical | 9.8 | 2026-04-23 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided inp… |
| CVE-2026-40351 | Critical | 9.8 | 2026-04-17 | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime valid… |
| CVE-2020-36195 | Critical | 9.8 | 2021-04-17 | An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability a… |
| CVE-2026-41328 | Critical | 9.1 | 2026-04-24 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full re… |
| CVE-2026-41327 | Critical | 9.1 | 2026-04-24 | Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full re… |
| CVE-2026-40352 | High | 8.8 | 2026-04-17 | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attack… |
| CVE-2017-12904 | High | 8.8 | 2017-08-23 | Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to per… |
| CVE-2025-24787 | High | 8.6 | 2025-02-06 | WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, whi… |
| CVE-2026-33980 | High | 8.3 | 2026-03-27 | Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/… |
| CVE-2026-32247 | High | 8.1 | 2026-03-12 | Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerabi… |
| CVE-2026-28211 | High | 7.8 | 2026-02-26 | The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through 8.0 in t… |
| CVE-2026-22558 | High | 7.7 | 2026-03-19 | An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to esc… |
| CVE-2020-5257 | High | 7.7 | 2020-03-13 | In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated… |
| CVE-2026-27886 | High | 7.5 | 2026-05-14 | Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query paramete… |
| CVE-2026-40102 | Medium | 6.5 | 2026-05-20 | Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly… |
| CVE-2026-42316 | Medium | 6.5 | 2026-05-11 | kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto). Prior to 5.2.3, kafka-sink-azure-kusto did not sani… |
| CVE-2025-36366 | Medium | 6.5 | 2026-01-30 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Ob… |
| CVE-2025-36442 | Medium | 6.5 | 2026-01-30 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may cr… |
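Several entries above (the FastGPT login and password-change endpoints, the UniFi Network Application) are NoSQL injection, the document-database flavour of CWE-943: a JSON value that should have been a string reaches query logic as an object carrying a query operator. The block below is an added illustration of that pattern and is not code from FastGPT or from any other project in the table. It assumes a request body produced by JSON.parse, a hypothetical in-memory users collection, and a deliberately tiny query evaluator that understands only literal equality and the `$ne` operator (enough to make the bypass visible offline; real engines accept many more operators).

```typescript
// Added example of CWE-943 as NoSQL operator injection (not any listed project's code).
// The vulnerable handler relies on a TypeScript type assertion, which exists only at
// compile time; the hardened handler validates the shape of the body at runtime.

type LoginBody = { username: string; password: string };

type UserDoc = { username: string; password: string; role: string };

// Constructed sample data standing in for a users collection. Plaintext passwords are
// an assumption made to keep the evaluator small; the operator injection below works
// against a stored hash just the same, because `$ne: null` matches any stored value.
const USERS: UserDoc[] = [
  { username: "alice", password: "correct horse battery staple", role: "admin" },
  { username: "bob", password: "hunter2", role: "user" },
];

// A filter is a map of field name to either a literal value or an operator object.
type Filter = Record<string, unknown>;

// Minimal evaluator: literal equality, plus the `$ne` operator. This is the only part
// of a document database's query language the example needs to reproduce.
function matches(doc: Record<string, unknown>, filter: Filter): boolean {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === "object" && "$ne" in (cond as object)) {
      return value !== (cond as { $ne: unknown }).$ne;
    }
    return value === cond;
  });
}

function findOne(filter: Filter): UserDoc | null {
  return USERS.find((u) => matches(u, filter)) ?? null;
}

// Vulnerable: `body as LoginBody` tells the compiler the fields are strings but checks
// nothing at runtime, so `password` can be the object `{ "$ne": null }`, which the
// evaluator treats as "password is not null", i.e. any stored password matches.
function loginVulnerable(body: unknown): UserDoc | null {
  const creds = body as LoginBody;
  return findOne({ username: creds.username, password: creds.password });
}

// Hardened: a runtime type guard rejects anything that is not a plain string before
// the value is placed into query logic. Rejecting is preferable to coercing, since an
// attacker should never be able to steer which operator the query uses.
function isLoginBody(body: unknown): body is LoginBody {
  if (typeof body !== "object" || body === null) return false;
  const b = body as Record<string, unknown>;
  return typeof b.username === "string" && typeof b.password === "string";
}

function loginHardened(body: unknown): UserDoc | null {
  if (!isLoginBody(body)) {
    throw new TypeError("username and password must be strings");
  }
  return findOne({ username: body.username, password: body.password });
}

// Constructed request bodies, exactly as JSON.parse would hand them to a handler.
const LEGIT_BODY: unknown = JSON.parse(
  '{"username":"alice","password":"correct horse battery staple"}'
);
const WRONG_PASSWORD_BODY: unknown = JSON.parse(
  '{"username":"alice","password":"wrong"}'
);
const ATTACK_BODY: unknown = JSON.parse('{"username":"alice","password":{"$ne":null}}');

// Walk both handlers over the three bodies so the difference is visible in one call.
function demo(): Record<string, string> {
  const describe = (fn: (b: unknown) => UserDoc | null, body: unknown): string => {
    try {
      const user = fn(body);
      return user ? `logged in as ${user.username} (${user.role})` : "rejected";
    } catch (e) {
      return `rejected: ${(e as Error).message}`;
    }
  };
  return {
    vulnerableLegit: describe(loginVulnerable, LEGIT_BODY),
    vulnerableWrong: describe(loginVulnerable, WRONG_PASSWORD_BODY),
    vulnerableAttack: describe(loginVulnerable, ATTACK_BODY),
    hardenedLegit: describe(loginHardened, LEGIT_BODY),
    hardenedAttack: describe(loginHardened, ATTACK_BODY),
  };
}
```

The check to take away is the one `isLoginBody` performs: in any handler that builds a document-database filter from decoded JSON, every field that ends up in the filter must be asserted at runtime to be a scalar of the expected type. A type assertion, a schema type in an ORM, or trusting the database driver to "handle" objects are not substitutes, because the operator vocabulary is part of the query language and the driver will honour it.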