CVE-2026-26116

Published Mar 10, 2026

Last updated 3 months ago

CVSS high 8.8

SQL injection

Overview

Description: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
Source: secure@microsoft.com
NVD status: Analyzed
Products: sql_server_2016, sql_server_2017, sql_server_2019, sql_server_2022, sql_server_2025

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

secure@microsoft.com: CWE-89

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "0512F204-5C6C-416C-BAE9-37A46C517A5B",
            "versionEndExcluding": "13.0.6480.4",
            "versionStartIncluding": "13.0.6300.2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2016:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "FF21E018-C759-44FA-B1BF-1A97054606E7",
            "versionEndExcluding": "13.0.7075.5",
            "versionStartIncluding": "13.0.7000.253",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "36B7482B-D75C-4EFD-AD60-251BAD0A9FE4",
            "versionEndExcluding": "14.0.2100.4",
            "versionStartIncluding": "14.0.1000.169",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2017:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "AAE03DE1-E3F6-4450-9B06-695C0BEC4517",
            "versionEndExcluding": "14.0.3520.4",
            "versionStartIncluding": "14.0.3006.16",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "EB3E749F-531E-4516-A23E-C62FB6564CE3",
            "versionEndExcluding": "15.0.2160.4",
            "versionStartIncluding": "15.0.2000.5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2019:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "52924A9F-292A-4A73-9A9C-6A59763AD615",
            "versionEndExcluding": "15.0.4460.4",
            "versionStartIncluding": "15.0.4003.23",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "930A8DB4-E8DF-4C8B-8D7C-43DDB705D5E6",
            "versionEndExcluding": "16.0.1170.5",
            "versionStartIncluding": "16.0.1000.6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2022:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "DA833891-A29B-46C0-8945-693E70C0AA57",
            "versionEndExcluding": "16.0.4240.4",
            "versionStartIncluding": "16.0.4003.1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "9498FF0D-E8A3-4430-AE23-EC2BF0631002",
            "versionEndExcluding": "17.0.1105.2",
            "versionStartIncluding": "17.0.1000.7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:microsoft:sql_server_2025:*:*:*:*:*:*:x64:*",
            "matchCriteriaId": "EE7E80DA-728A-4BA2-9D72-71577FE83723",
            "versionEndExcluding": "17.0.4020.2",
            "versionStartIncluding": "17.0.4006.2",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References