CWE-894 advisories

SQL Injection

What it is

User input is concatenated into a SQL query, letting an attacker alter the query and read or modify the database.

How to fix it

Patch the dependency and replace string-built queries with parameterized statements.

How to avoid it

Always use parameterized queries / an ORM; never interpolate user input into SQL.
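As an added example (not code from the Stateward page), the lookup below is written both ways against an in-memory SQLite database with constructed sample rows: first with the user's input concatenated into the SQL text, then as a parameterized statement. With ordinary input both return the same row; with a constructed input that closes the string literal, the concatenated version returns every user while the parameterized version treats the input as a plain value and matches nothing. The table, rows and function names are assumptions for the demonstration.

```python
"""Added example (not from the Stateward page): the same lookup built by string
concatenation and with a parameterized statement, run against an in-memory
SQLite database seeded with constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and rows; a real application's schema would differ.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The pattern the page describes: user input concatenated into the query text.
    # A quote in the input is parsed as SQL and can rewrite the WHERE clause.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized statement: the driver binds the value separately from the
    # SQL text, so the input is never parsed as part of the query.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    conn = make_db()
    normal = "alice"
    # Constructed input that closes the string literal and appends a tautology.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "safe_normal": lookup_safe(conn, normal),
        "unsafe_hostile": lookup_unsafe(conn, hostile),  # every user comes back
        "safe_hostile": lookup_safe(conn, hostile),      # no user matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The only difference between the two functions is whether the value travels inside the SQL string or as a bound parameter; that single change is what "replace string-built queries with parameterized statements" means in practice, and the same `?` (or named-placeholder) binding is available in every mainstream database driver and ORM.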

Known SQL Injection vulnerabilities

Stateward flags SQL Injection in your own code and dependencies on every pull request.

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.