CVE-2026-26116
published 2026-03-10CVE-2026-26116: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_sql_server_2025 | >= 17.0.0.0 < 17.0.4020.2 | 17.0.4020.2 |
| microsoft | microsoft_sql_server_2025_for_x64-based_systems | >= 17.0.1050.2 < 17.0.1105.2 | 17.0.1105.2 |
| microsoft | sql_server_2016 | >= 13.0.6300.2 < 13.0.6480.4 | 13.0.6480.4 |
| microsoft | sql_server_2016 | >= 13.0.7000.253 < 13.0.7075.5 | 13.0.7075.5 |
| microsoft | sql_server_2017 | >= 14.0.1000.169 < 14.0.2100.4 | 14.0.2100.4 |
| microsoft | sql_server_2017 | >= 14.0.3006.16 < 14.0.3520.4 | 14.0.3520.4 |
| microsoft | sql_server_2019 | >= 15.0.2000.5 < 15.0.2160.4 | 15.0.2160.4 |
| microsoft | sql_server_2019 | >= 15.0.4003.23 < 15.0.4460.4 | 15.0.4460.4 |
| microsoft | sql_server_2022 | >= 16.0.1000.6 < 16.0.1170.5 | 16.0.1170.5 |
| microsoft | sql_server_2022 | >= 16.0.4003.1 < 16.0.4240.4 | 16.0.4240.4 |
| microsoft | sql_server_2025 | >= 17.0.1000.7 < 17.0.1105.2 | 17.0.1105.2 |
| microsoft | sql_server_2025 | >= 17.0.4006.2 < 17.0.4020.2 | 17.0.4020.2 |
| msrc | microsoft_sql_server_2025_for_x64-based_systems | — | — |