Skip to main content

Joomla Cms CVE-2026-21630

| EUVDEUVD-2026-17855 MEDIUM
SQL Injection (CWE-89)
2026-04-01 Joomla
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 10:00 euvd
EUVD-2026-17855
Analysis Generated
Apr 01, 2026 - 10:00 vuln.today
CVE Published
Apr 01, 2026 - 09:03 nvd
MEDIUM 6.9

DescriptionCVE.org

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

AnalysisAI

SQL injection in Joomla CMS articles webservice endpoint allows remote attackers to execute arbitrary SQL queries through improperly constructed ORDER BY clauses, affecting all versions of Joomla CMS. The vulnerability exists in the com_content component's webservice endpoint and permits unauthenticated query manipulation. No CVSS score or patch version information is available at time of analysis, limiting severity quantification.

Technical ContextAI

The vulnerability stems from CWE-89 (SQL Injection) in Joomla CMS's content component webservice handler, where user-supplied input is insufficiently sanitized before being incorporated into SQL ORDER BY clauses. The articles webservice endpoint fails to properly validate or escape sort parameters, allowing attackers to inject malicious SQL syntax. Joomla is a PHP-based content management system; the affected CPE (cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*) indicates all versions across all branches are potentially impacted. The root cause is improper input validation in query construction rather than parameterized query use.

RemediationAI

Consult the official Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1028-20260302-core-sql-injection-in-com-content-articles-webservice-endpoint.html for vendor-released patch information and exact upgrade version. At time of analysis, no specific patched version is provided in available data. Interim mitigation may include disabling or restricting access to the com_content webservice endpoint if not required for production operations, and implementing Web Application Firewall rules to block SQL injection patterns in webservice requests. Apply patches immediately upon release from Joomla.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-21630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy