Skip to main content

JoomCCK CVE-2026-49048

| EUVDEUVD-2026-40003 HIGH
SQL Injection (CWE-89)
2026-06-28 Joomla GHSA-488g-5q94-889g
8.7
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable front-end SQLi (AV:N/AC:L/PR:N/UI:N); confidentiality-only data disclosure (C:H, I:N, A:N) with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 29, 2026 - 15:23 vuln.today
Severity Changed
Jun 29, 2026 - 15:22 NVD
CRITICAL HIGH
CVSS changed
Jun 29, 2026 - 15:22 NVD
9.8 (CRITICAL) 8.7 (HIGH)
CVE Published
Jun 28, 2026 - 18:37 cve.org
HIGH 8.7
CVE Published
Jun 28, 2026 - 18:37 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.

AnalysisAI

SQL injection in the JoomCCK content-construction-kit extension for Joomla (versions 1.0 through 6.4.0) lets remote attackers read arbitrary database contents by injecting into a front-end controller task that concatenates an unescaped request parameter into two SQL statements. The flaw is reachable over the network without authentication or user interaction, and SSVC rates it automatable with total technical impact; however, there is no public exploit identified at time of analysis and EPSS is low at 0.28% (20th percentile).

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Joomla site running JoomCCK
Delivery
Locate vulnerable front-end controller task
Exploit
Inject SQL payload into request parameter
Execution
Database executes concatenated query
Impact
Exfiltrate sensitive table contents

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Joomla site has the JoomCCK extension installed and enabled (version 1.0-6.4.0) and that the specific vulnerable front-end controller task is reachable - which it is by default for front-end visitors, since the controller is exposed publicly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward 'real but not yet urgent.' The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes trivially reachable, network-based, unauthenticated, low-complexity exploitation, and SSVC marks it Automatable=yes with Technical Impact=total, which would normally justify prioritisation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker browses to a JoomCCK-enabled Joomla site, identifies the front-end controller task URL, and appends a crafted value (e.g. a UNION-based or boolean/time-based payload) to the vulnerable request parameter. …
Remediation No vendor-released patch version is identified at time of analysis - the references list only the vendor site (https://www.joomcoder.com/) and advisory trackers (https://nvd.nist.gov/vuln/detail/CVE-2026-49048, https://vuldb.com/vuln/374583), with no fixed release number disclosed; check https://www.joomcoder.com/ for an update beyond 6.4.0 and upgrade to the first patched build once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog all Joomla instances running JoomCCK versions 1.0-6.4.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy