CVE-2026-47295 is a Microsoft SQL Server elevation of privilege vulnerability caused by improper neutralization of special elements in an SQL command (SQL injection). Microsoft says an attacker could inject arbitrary T-SQL commands by crafting a malicious database name and could gain sysadmin privileges if successful. The CVSS v3.1 base score is 8.8 (HIGH) with a temporal score of 7.7; the vector is NETWORK, LOW attack complexity, LOW privileges required, and NO user interaction, with HIGH confidentiality, integrity, and availability impact. Microsoft lists exploit status as not publicly disclosed and not exploited, with exploit code maturity UNPROVEN. Because it is network-reachable and requires only low privileges, it is relevant for enterprise SQL Server deployments, especially where attacker-controlled database naming or related inputs may be exposed. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. - Exploitation likelihood: Exploitation Less Likely; vector context is NETWORK, LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High. The network vector and no user interaction increase risk for deployed SQL Server instances, though Microsoft does not report active exploitation. - Patch status: available; customer action required. Affected systems: - SQL Server 2025 CU6+GDR - SQL Server 2025 RTM+GDR - SQL Server 2022 CU25+GDR - SQL Server 2022 RTM+GDR - SQL Server 2019 CU32+GDR - SQL Server 2019 RTM+GDR - SQL Server 2017 CU31+GDR - SQL Server 2017 RTM+GDR - SQL Server 2016 Azure Connect Feature Pack+GDR - SQL Server 2016 SP3+GDR