CWE-89 · Improper Neutralization of Special Elements used in an SQL Command

SQL Injection

CWE-89 · 3 case studies

SQL Injection remains one of the most consistently exploited vulnerability classes because the underlying pattern, concatenating user input into a SQL string, is still common in new code: in ORMs that expose a raw-query escape hatch, and in codebases that have historically mixed safe and unsafe query construction styles.

Code review misses SQLi when the user-controlled value travels several layers before reaching the query, when a framework method accepts a string argument that looks safe at the call site, or when an identifier (a column or table name, rather than a value) is interpolated. Identifiers cannot be bound as query parameters, so parameterized queries offer no protection in that last case. The Django JSONField vulnerability (CVE-2024-42005) is an example of exactly this: the injectable part was a column alias, not a value.
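The value-versus-identifier distinction above, and the parameterize-or-allowlist advice in the FAQ further down, as an added worked example. This is illustration code written for this page, not code from PullLight or from any of the projects listed here; the users table, its rows, the SORTABLE_COLUMNS mapping and all function names are invented for the demo. It runs against an in-memory SQLite database and shows four things: the classic concatenated WHERE clause and its parameterized fix, an interpolated ORDER BY column that lets the caller infer another row's role from sort order alone, that binding a column name as a parameter silently fails to do what the developer meant, and an allowlist that closes the identifier case.

```python
import sqlite3

# Constructed sample data for this demo only; not taken from any real system.
# Emails are chosen so that sorting by email gives the reverse of sorting by username.
SEED_USERS = [
    ("alice", "admin", "zed@example.test"),
    ("bob", "user", "mid@example.test"),
    ("carol", "user", "abc@example.test"),
]

# Allowlist (hypothetical): external sort key -> SQL identifier that is a constant in code.
SORTABLE_COLUMNS = {"username": "username", "email": "email"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, role, email) VALUES (?, ?, ?)", SEED_USERS)
    return conn


def find_user_vulnerable(conn, username: str) -> list[str]:
    # Value injection: the caller's string becomes part of the SQL text the parser sees.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username: str) -> list[str]:
    # The driver sends the value separately; quotes inside it never reach the parser as syntax.
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


def list_users_sorted_vulnerable(conn, sort_column: str) -> list[str]:
    # Identifier injection: whatever follows ORDER BY is an arbitrary expression under caller
    # control, so a CASE expression turns the returned order into a yes/no answer about other rows.
    sql = f"SELECT username FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


def bound_identifier_is_a_literal(conn) -> bool:
    # Binding a column name does not make it an identifier: SQLite accepts a column name that
    # does not exist, because the bound value is only a string constant in the ORDER BY expression.
    try:
        conn.execute("SELECT username FROM users ORDER BY ?", ("no_such_column",)).fetchall()
        return True
    except sqlite3.OperationalError:
        return False


def list_users_sorted_allowlisted(conn, sort_column: str) -> list[str]:
    # Identifiers cannot be parameterized, so the only safe dynamic identifier is one looked up
    # from a fixed mapping; the interpolated text is then a constant from code, never from input.
    try:
        column = SORTABLE_COLUMNS[sort_column]
    except KeyError:
        raise ValueError(f"unsupported sort column: {sort_column!r}") from None
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


def role_probe(target: str) -> str:
    # Attacker payload for the vulnerable ORDER BY: rows sort by username if `target` is an
    # admin and by email otherwise, so the response order leaks the role of a row never selected.
    return (
        "CASE WHEN (SELECT role FROM users WHERE username = '"
        + target
        + "') = 'admin' THEN username ELSE email END"
    )


if __name__ == "__main__":
    conn = make_db()
    print("tautology, concatenated: ", find_user_vulnerable(conn, "' OR '1'='1"))
    print("tautology, parameterized:", find_user_parameterized(conn, "' OR '1'='1"))
    print("is alice admin? order:   ", list_users_sorted_vulnerable(conn, role_probe("alice")))
    print("is bob admin? order:     ", list_users_sorted_vulnerable(conn, role_probe("bob")))
    print("bound name accepted as literal:", bound_identifier_is_a_literal(conn))
    print("allowlisted sort by email:", list_users_sorted_allowlisted(conn, "email"))
```

The allowlist is a dict rather than a set on purpose: the key is the name the API exposes and the value is the SQL identifier, so renaming a column or exposing a computed sort key never requires accepting caller text as SQL. The same lookup-from-a-constant pattern is what a reviewer should look for whenever a table or column name is interpolated through an ORM's raw-query path.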

PullLight flags all SQL string construction that involves variables, checks ORM query builders for column-name interpolation (which parameterization can't fix), and traces the full data path from request input to query execution — surfacing the exact lines where the injection occurs.

Case studies in this class

CVE-2026-33352 · WWBN/AVideo · CVSS 9.8
SQL Injection via Backslash-Escape Bypass (AVideo SQL Injection)

CVE-2024-42005 · django · CVSS 9.3
SQL Injection via Unvalidated Column Aliases (Django JSONField SQL Injection)

CVE-2026-46624 · twentyhq/twenty · CVSS 9.1
SQL Injection leading to OS Command Execution via timeZone (Twenty CRM SQLi to RCE)

Frequently asked questions

What is SQL Injection?
SQL Injection occurs when user-controlled data is incorporated into a SQL query without proper escaping or parameterization, allowing attackers to alter query logic — reading private data, bypassing authentication, or executing destructive commands.
How do you prevent SQL Injection?
Always use parameterized queries or prepared statements. For column/table names that must be dynamic, use a strict allowlist. Never use string concatenation or template literals to build SQL with user-supplied values.
Can AI catch SQL Injection in code review?
Yes — AI review can trace data flow across files to catch cases where the injection point and the query are far apart, and it recognizes column-name injection patterns that parameterization cannot prevent.
Has PullLight caught real SQL Injection vulnerabilities?
Yes. PullLight flagged SQLi in Django (CVE-2024-42005, CVSS 9.3), AVideo (CVE-2026-33352, CVSS 9.8), and Twenty CRM (CVE-2026-46624, CVSS 9.1, chaining to RCE).
PullLight catches SQL Injection in live code review.
Hooks into GitHub PRs automatically — flags taint flows, not just lint rules.