Microsoft Sql Server 2022 vulnerabilities
119 known vulnerabilities affecting microsoft/microsoft_sql_server_2022.
Total CVEs
119
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH111MEDIUM6
Vulnerabilities
Page 1 of 6
CVE-2026-33120HIGHCVSS 8.8≥ 16.0.0, < 16.0.1175.12026-04-14
CVE-2026-33120 [HIGH] CWE-822 CVE-2026-33120: Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a net
Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.
cvelistv5nvd
CVE-2026-32176MEDIUMCVSS 6.7≥ 16.0.0, < 16.0.1175.12026-04-14
CVE-2026-32176 [MEDIUM] CWE-89 CVE-2026-32176: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.
cvelistv5nvd
CVE-2026-32167MEDIUMCVSS 6.7≥ 16.0.0, < 16.0.1175.12026-04-14
CVE-2026-32167 [MEDIUM] CWE-89 CVE-2026-32167: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.
cvelistv5nvd
CVE-2026-21262HIGHCVSS 8.8≥ 16.0.0, < 16.0.1170.52026-03-10
CVE-2026-21262 [HIGH] CWE-284 CVE-2026-21262: Improper access control in SQL Server allows an authorized attacker to elevate privileges over a net
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2026-26115HIGHCVSS 8.8≥ 16.0.0, < 16.0.1170.52026-03-10
CVE-2026-26115 [HIGH] CWE-1287 CVE-2026-26115: Improper validation of specified type of input in SQL Server allows an authorized attacker to elevat
Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2026-20803HIGHCVSS 7.2≥ 16.0.0, < 16.0.1165.12026-01-13
CVE-2026-20803 [HIGH] CWE-306 CVE-2026-20803: Missing authentication for critical function in SQL Server allows an authorized attacker to elevate
Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-59499HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4222.2≥ 16.0.0, < 16.0.1160.12025-11-11
CVE-2025-59499 [HIGH] CWE-89 CVE-2025-59499: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-55227HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4212.1≥ 16.0.0, < 16.0.1150.12025-09-09
CVE-2025-55227 [HIGH] CWE-77 CVE-2025-55227: Improper neutralization of special elements used in a command ('command injection') in SQL Server al
Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-47997MEDIUMCVSS 5.3≥ 16.0.0.0, < 16.0.4212.1≥ 16.0.0, < 16.0.1150.12025-09-09
CVE-2025-47997 [MEDIUM] CWE-200 CVE-2025-47997: Concurrent execution using shared resource with improper synchronization ('race condition') in SQL S
Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network.
cvelistv5nvd
CVE-2025-49759HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4210.1≥ 16.0.0, < 16.0.1145.12025-08-12
CVE-2025-49759 [HIGH] CWE-89 CVE-2025-49759: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-24999HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4210.1≥ 16.0.0, < 16.0.1145.12025-08-12
CVE-2025-24999 [HIGH] CWE-284 CVE-2025-24999: Improper access control in SQL Server allows an authorized attacker to elevate privileges over a net
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-47954HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4210.1≥ 16.0.0, < 16.0.1145.12025-08-12
CVE-2025-47954 [HIGH] CWE-89 CVE-2025-47954: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-49758HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4210.1≥ 16.0.0, < 16.0.1145.12025-08-12
CVE-2025-49758 [HIGH] CWE-269 CVE-2025-49758: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-53727HIGHCVSS 8.8≥ 16.0.0.0, < 16.0.4210.1≥ 16.0.0, < 16.0.1145.12025-08-12
CVE-2025-53727 [HIGH] CWE-89 CVE-2025-53727: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server a
Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
cvelistv5nvd
CVE-2025-49719HIGHCVSS 7.5≥ 16.0.0.0, < 16.0.4200.1≥ 16.0.0, < 16.0.1140.62025-07-08
CVE-2025-49719 [HIGH] CWE-20 CVE-2025-49719: Improper input validation in SQL Server allows an unauthorized attacker to disclose information over
Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network.
cvelistv5nvd
CVE-2025-49717HIGHCVSS 8.5≥ 16.0.0.0, < 16.0.4200.1≥ 16.0.0, < 16.0.1140.62025-07-08
CVE-2025-49717 [HIGH] CWE-122 CVE-2025-49717: Heap-based buffer overflow in SQL Server allows an authorized attacker to execute code over a networ
Heap-based buffer overflow in SQL Server allows an authorized attacker to execute code over a network.
cvelistv5nvd
CVE-2025-49718HIGHCVSS 7.5≥ 16.0.0.0, < 16.0.4200.1≥ 16.0.0, < 16.0.1140.62025-07-08
CVE-2025-49718 [HIGH] CWE-908 CVE-2025-49718: Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information
Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information over a network.
cvelistv5nvd
CVE-2024-49021HIGHCVSS 7.8≥ 16.0.0, < 16.0.1135.22024-11-12
CVE-2024-49021 [HIGH] CWE-416 CVE-2024-49021: Microsoft SQL Server Remote Code Execution Vulnerability
Microsoft SQL Server Remote Code Execution Vulnerability
cvelistv5nvd
CVE-2024-49043HIGHCVSS 7.8≥ 16.0.0, < 16.0.1135.22024-11-12
CVE-2024-49043 [HIGH] CWE-426 CVE-2024-49043: Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability
Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability
cvelistv5nvd
CVE-2024-37341CRITICALCVSS 9.8≥ 16.0.0, < 16.0.1130.52024-09-10
CVE-2024-37341 [CRITICAL] CWE-284 CVE-2024-37341: Microsoft SQL Server Elevation of Privilege Vulnerability
Microsoft SQL Server Elevation of Privilege Vulnerability
cvelistv5nvd
1 / 6Next →