CWE-564: SQL Injection: Hibernate
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Last updated
Overview
CWE-564 (SQL Injection: Hibernate) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
9 recorded CVEs are caused by CWE-564 (SQL Injection: Hibernate). The highest-severity and most recent are shown first. 6 new CWE-564 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2025-0959
Eventer - WordPress Event & Booking Manager Plugin <= 3.9.9.2 - Authenticated (Subscriber+) SQL Injection via reg_id
High · CVSS 8.8 · EPSS 33th2025-03-07 - CVE-2024-58352
Landray OA Unauthenticated HQL Injection via wechatLoginHelper.do
High · CVSS 8.7 · EPSS 43th2026-07-02 - CVE-2024-48988
Apache StreamPark: SQL injection vulnerability
High · CVSS 7.6 · EPSS 43th2025-08-22 - CVE-2026-4594
erupts erupt EruptJpaUtils.java geneEruptHqlOrderBy sql injection
Medium · CVSS 6.9 · EPSS 17th2026-03-23 - CVE-2026-23959
CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier
Medium · CVSS 6.9 · EPSS 30th2026-01-22 - CVE-2025-67280Medium · CVSS 5.4 · EPSS 9th2026-01-09
- CVE-2026-4593
erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection
Medium · CVSS 5.3 · EPSS 9th2026-03-23 - CVE-2026-22242
CoreShop Vulnerable to SQL Injection via Admin Reports
Medium · CVSS 4.9 · EPSS 31th2026-01-08 - CVE-2025-8052
HQL Injection vulnerability has been discovered in Opentext Flipper.
Low · CVSS 1.0 · EPSS 25th2025-10-20
Common consequences
What can happen when CWE-564 is exploited.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-564, grouped by where in the lifecycle they apply.
A non-SQL style database which is not subject to this flaw may be chosen.
Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.
Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.
Vulnerable example
String street = getStreetFromUser();Terminology & mappings
Mapped taxonomies
- Software Fault Patterns: Tainted input to command (SFP24)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-564.
- What is CWE-564?
- Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
- What CVEs are caused by CWE-564?
- 9 recorded CVEs are attributed to CWE-564, including CVE-2025-0959, CVE-2024-58352, CVE-2024-48988.
- How do you prevent CWE-564?
- A non-SQL style database which is not subject to this flaw may be chosen.
- What are the consequences of CWE-564?
- Exploiting CWE-564 can lead to: Read Application Data, Modify Application Data.
- Is CWE-564 actively exploited?
- 9 recorded CVEs are caused by CWE-564; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-564) (opens in a new tab)
- CWE-564 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-564
Get alerted the moment a new CWE-564 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.