
CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) — Vulnerability Class 44

44 vulnerabilities classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). AI-generated Chinese analysis included.

CWE-943 represents a critical software weakness where applications fail to properly sanitize special characters within data query logic, allowing malicious input to alter intended database operations. Attackers typically exploit this vulnerability by injecting crafted strings that break out of the original query structure, enabling unauthorized data access, modification, or deletion through techniques like SQL injection. This occurs when developers directly concatenate user-supplied data into query statements without validation or escaping mechanisms. To prevent such exploits, developers must implement robust input validation and utilize parameterized queries or prepared statements, which separate code from data. By treating all user input as untrusted and ensuring that special elements are correctly neutralized or escaped, organizations can effectively mitigate the risk of logic manipulation and safeguard their data stores from unauthorized interference.

MITRE CWE Description
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Depending on the capabilities of the query language, an attacker could inject additional logic into the query to:

- Modify the intended selection criteria, thus changing which data entities (e.g., records) are returned, modified, or otherwise manipulated
- Append additional commands to the query
- Return more entities than intended
- Return fewer entities than intended
- Cause entities to be sorted in an unexpected way

The ability to execute additional commands or change which entities are returned has obvious risks. But when the product logic depends on the order or number of entities, this can also lead to vulnerabilities. For example, if the query expects to return only one entity that specifies an administrative user, but an attacker can change which entities are returned, this could cause the logic to return information for a regular user and incorrectly assume that the user has administrative privileges.

While this weakness is most commonly associated with SQL injection, there are many other query languages that are also subject to injection attacks, including HTSQL, LDAP, DQL, XQuery, Xpath, and "NoSQL" languages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Bypass Protection Mechanism, Read Application Data, Modify Application Data, Varies by Context
Examples (2)
The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.
Bad (C#):

    ...
    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    ...
The query this code intends to execute (informative):

    SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>;
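The items/owner lookup from the C# example above, rebuilt here as an added example (not code from the CWE page) on an in-memory SQLite database: the concatenated query beside its bind-parameter fix, plus LIKE-metacharacter escaping, which bind parameters alone do not provide and which is the root of the LIKE-wildcard entries in the CVE list below. Table contents and names are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the page): two owners, four items.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [
        ("alice", "lamp"), ("alice", "desk"),
        ("bob", "safe_key"), ("bob", "safeXkey")])
    return conn

def find_items_concat(conn, user, item_name):
    # Same shape as the page's C# example: the untrusted item name is spliced
    # into the SQL text, so quote characters in it become part of the logic.
    query = ("SELECT owner, itemname FROM items WHERE owner = '" + user
             + "' AND itemname = '" + item_name + "' ORDER BY itemname")
    return conn.execute(query).fetchall()

def find_items_param(conn, user, item_name):
    # Fix: bind parameters keep the value out of the query's logic entirely.
    return conn.execute(
        "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ? "
        "ORDER BY itemname", (user, item_name)).fetchall()

def escape_like(value: str, esc: str = "\\") -> str:
    # Binding alone does not neutralise LIKE metacharacters: a bound '%' or
    # '_' is still a wildcard. Escape them (and the escape character itself).
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def search_items_prefix(conn, user, prefix):
    # Parameterized and wildcard-escaped prefix search with an ESCAPE clause.
    pattern = escape_like(prefix) + "%"
    return conn.execute(
        "SELECT owner, itemname FROM items WHERE owner = ? "
        "AND itemname LIKE ? ESCAPE '\\' ORDER BY itemname",
        (user, pattern)).fetchall()
```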
The code below constructs an LDAP query using user input address data:
Bad (Java):

    context = new InitialDirContext(env);
    String searchFilter = "StreetAddress=" + address;
    NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);
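The fix for the Java StreetAddress filter above is to escape the user-supplied value before it enters the filter string. The following is an added example (not the page's or any project's code) that applies the RFC 4515 escape sequences and builds the filter; it needs no LDAP server because it only produces the filter text.

```python
# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# value so they are matched literally instead of changing the filter grammar.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_ldap_filter_value(value: str) -> str:
    # Walk the string once and replace each special character; a single pass
    # means an already-emitted backslash is never escaped a second time.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def street_address_filter(address: str) -> str:
    # Equivalent of the page's "StreetAddress=" + address, with the value
    # escaped and the enclosing parentheses the filter grammar requires.
    return "(StreetAddress=" + escape_ldap_filter_value(address) + ")"
```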
CVE ID | Title | Product | CVSS | Severity | Published
(CVSS and severity values the page tags as AI-generated are marked "(AI)"; "-" means the page gives no value.)
CVE-2026-47835 | Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores | Spring AI | 8.6 | High | 2026-06-15
CVE-2026-41697 | Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern | Spring Data Relational | 4.8 | Medium | 2026-06-09
CVE-2026-41696 | Spring Data MongoDB Bind Parameter Literal Quoting Breakout | Spring Data MongoDB | 5.9 | Medium | 2026-06-09
CVE-2026-53674 | BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution | BuddyPress | 7.1 | High | 2026-06-09
CVE-2026-40102 | Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics | plane | 6.5 | Medium | 2026-05-20
CVE-2026-42156 | Flowsint: Cypher query injection in node type on node creation | flowsint | - | - | 2026-05-12
CVE-2026-42316 | KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto | kafka-sink-azure-kusto | 5.9 | Medium | 2026-05-11
CVE-2026-33566 | LogonTracer security vulnerability | LogonTracer | 7.5 (AI) | High (AI) | 2026-04-27
CVE-2026-41327 | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field | dgraph | 9.1 | Critical | 2026-04-24
CVE-2026-41328 | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field | dgraph | 9.1 | Critical | 2026-04-24
CVE-2026-41274 | Flowise: Cypher Injection in GraphCypherQAChain | Flowise | 9.8 (AI) | Critical (AI) | 2026-04-23
CVE-2026-6626 | Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection | Cockpit | 6.3 | Medium | 2026-04-20
CVE-2026-40352 | FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover | FastGPT | 8.8 | High | 2026-04-17
CVE-2026-40351 | FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass | FastGPT | 9.8 | Critical | 2026-04-17
CVE-2026-34973 | phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure | phpMyFAQ | 8.2 (AI) | High (AI) | 2026-04-02
CVE-2026-33980 | Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries | adx-mcp-server | 8.3 | High | 2026-03-27
CVE-2026-3023 | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web | Wakyma application web | 4.3 (AI) | Medium (AI) | 2026-03-16
CVE-2026-3022 | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web | Wakyma application web | 6.5 (AI) | Medium (AI) | 2026-03-16
CVE-2026-3021 | Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma application web | Wakyma application web | 6.5 (AI) | Medium (AI) | 2026-03-16
CVE-2026-32248 | Parse Server: Account takeover via operator injection in authentication data identifier | parse-server | 7.4 (AI) | High (AI) | 2026-03-12
CVE-2026-32247 | Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters | graphiti | 8.1 | High | 2026-03-12
CVE-2026-29793 | NoSQL Injection via WebSocket id Parameter in MongoDB Adapter | mongodb | 9.4 (AI) | Critical (AI) | 2026-03-10
CVE-2026-30941 | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints | parse-server | 9.8 (AI) | Critical (AI) | 2026-03-10
CVE-2026-30833 | Rocket.Chat: NoSQL injection in the EE ddp-streamer-service | Rocket.Chat | 9.8 | - | 2026-03-06
CVE-2026-28211 | Arbitrary code execution in log reader via untrusted log file | NVDA-Dev-Test-Toolbox | 7.8 | High | 2026-02-26
CVE-2026-25591 | New API has an SQL LIKE Wildcard Injection DoS via Token Search | new-api | 6.5 (AI) | Medium (AI) | 2026-02-24
CVE-2025-36353 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.2 | Medium | 2026-01-30
CVE-2025-36366 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-01-30
CVE-2025-36442 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-01-30
CVE-2026-0504 | Insufficient Input Handling in JNDI Operations of SAP Identity Management | SAP Identity Management | 3.8 | Low | 2026-01-13

Vulnerabilities classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) represent 44 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.