CWE-564: SQL Injection: Hibernate
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Last updated
Overview
CWE-564 (SQL Injection: Hibernate) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
9 recorded CVEs are caused by CWE-564 (SQL Injection: Hibernate). The highest-severity and most recent are shown first. 6 new CWE-564 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2025-0959
Eventer - WordPress Event & Booking Manager Plugin <= 3.9.9.2 - Authenticated (Subscriber+) SQL Injection via reg_id
High · CVSS 8.8 · EPSS 33th2025-03-07 - CVE-2024-58352
Landray OA Unauthenticated HQL Injection via wechatLoginHelper.do
High · CVSS 8.7 · EPSS 43th2026-07-02 - CVE-2024-48988
Apache StreamPark: SQL injection vulnerability
High · CVSS 7.6 · EPSS 43th