What is the CVSS score of CVE-2025-40636?

CVE-2025-40636 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. EPSS exploitation probability: 0.0%.

Which versions of Joomla are affected by CVE-2025-40636?

Organizations using Joomla module mod_vvisit_counter face critical risk from CVE-2025-40636, a SQL injection vulnerability rated CVSS 9.3.

How to fix or mitigate CVE-2025-40636?

Within 24 hours: Identify all affected systems running Joomla module mod_vvisit_counter and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Joomla CVE-2025-40636

EUVD-2025-32533 CRITICAL

SQL Injection (CWE-89)

2025-10-03 cve-coordination@incibe.es

SQLi Joomla

9.3

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

EUVD ID Assigned

Mar 13, 2026 - 19:29 euvd

EUVD-2025-32533

Analysis Generated

Mar 13, 2026 - 19:29 vuln.today

CVE Published

Oct 03, 2025 - 12:15 nvd

CRITICAL 9.3

DescriptionNVD

SQL injection vulnerability in Joomla module mod_vvisit_counter v2.0.4j3. This vulnerability allows an attacker to retrieve database content via the ‘cip_vvisitcounter’ cookie at all endpoints where the plugin counts visits.

AnalysisAI

SQL injection in Joomla mod_vvisit_counter v2.0.4j3.

Technical ContextAI

CWE-89.

RemediationAI

Update.

CVE-2025-40636 vulnerability details – vuln.today

Back