cbcvebase.
CVE-2026-32167
published 2026-04-14

CVE-2026-32167: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

Affected

20 ranges
VendorProductVersion rangeFixed in
microsoftmicrosoft_sql_server_2016_service_pack_3>= 13.0.0 < 13.0.6485.113.0.6485.1
microsoftmicrosoft_sql_server_2016_service_pack_3_azure_connect_feature_pack>= 13.0.0 < 13.0.7080.113.0.7080.1
microsoftmicrosoft_sql_server_2017>= 14.0.0 < 14.0.3525.114.0.3525.1
microsoftmicrosoft_sql_server_2017>= 14.0.0 < 14.0.2105.114.0.2105.1
microsoftmicrosoft_sql_server_2019>= 15.0.0 < 15.0.2165.115.0.2165.1
microsoftmicrosoft_sql_server_2019>= 15.0.0.0 < 15.0.4465.115.0.4465.1
microsoftmicrosoft_sql_server_2022>= 16.0.0 < 16.0.1175.116.0.1175.1
microsoftmicrosoft_sql_server_2022_for_x64-based_systems>= 16.0.0.0 < 16.0.4250.116.0.4250.1
microsoftmicrosoft_sql_server_2025>= 17.0.4030.1 < 17.0.4030.117.0.4030.1
microsoftmicrosoft_sql_server_2025_for_x64-based_systems>= 17.0.1050.2 < 17.0.1110.117.0.1110.1
microsoftsql_server_2016>= 13.0.6300.2 < 13.0.6485.113.0.6485.1
microsoftsql_server_2016>= 13.0.7000.253 < 13.0.7080.113.0.7080.1
microsoftsql_server_2017>= 14.0.1000.169 < 14.0.2105.114.0.2105.1
microsoftsql_server_2017>= 14.0.3006.16 < 14.0.3525.114.0.3525.1
microsoftsql_server_2019>= 15.0.2000.5 < 15.0.2165.115.0.2165.1
microsoftsql_server_2019>= 15.0.4003.23 < 15.0.4465.115.0.4465.1
microsoftsql_server_2022>= 16.0.1000.6 < 16.0.1175.116.0.1175.1
microsoftsql_server_2022>= 16.0.4003.1 < 16.0.4250.116.0.4250.1
microsoftsql_server_2025>= 17.0.1000.7 < 17.0.1110.117.0.1110.1
microsoftsql_server_2025>= 17.0.4006.2 < 17.0.4030.117.0.4030.1