CVE-2026-26116 — SQL Injection in Microsoft SQL Server 2025

CWE-89 — SQL Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 73.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft SQL Server 2025 Microsoft SQL Server 2025 FOR X64-based Systems Microsoft SQL Server 2016 +4 more

Timeline

PublishedMar 10

Description

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5microsoft/microsoft_sql_server_202517.0.0.0 — 17.0.4020.2

▶CVEListV5microsoft/microsoft_sql_server_2025_for_x64-based_systems17.0.1050.2 — 17.0.1105.2

▶NVDmicrosoft/sql13.0.6300.2 — 13.0.6480.4+9

🔴Vulnerability Details

GHSA

GHSA-qmc2-fr3x-59pg: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges↗2026-03-10

▶

CVEList

SQL Server Elevation of Privilege Vulnerability↗2026-03-10

▶

📋Vendor Advisories

Microsoft

SQL Server Elevation of Privilege Vulnerability↗2026-03-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26116 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶