Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network-reachable front-end SQLi (AV:N/AC:L/PR:N/UI:N); confidentiality-only data disclosure (C:H, I:N, A:N) with no scope change.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.
AnalysisAI
SQL injection in the JoomCCK content-construction-kit extension for Joomla (versions 1.0 through 6.4.0) lets remote attackers read arbitrary database contents by injecting into a front-end controller task that concatenates an unescaped request parameter into two SQL statements. The flaw is reachable over the network without authentication or user interaction, and SSVC rates it automatable with total technical impact; however, there is no public exploit identified at time of analysis and EPSS is low at 0.28% (20th percentile).
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Joomla site has the JoomCCK extension installed and enabled (version 1.0-6.4.0) and that the specific vulnerable front-end controller task is reachable - which it is by default for front-end visitors, since the controller is exposed publicly. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward 'real but not yet urgent.' The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes trivially reachable, network-based, unauthenticated, low-complexity exploitation, and SSVC marks it Automatable=yes with Technical Impact=total, which would normally justify prioritisation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker browses to a JoomCCK-enabled Joomla site, identifies the front-end controller task URL, and appends a crafted value (e.g. a UNION-based or boolean/time-based payload) to the vulnerable request parameter. … |
| Remediation | No vendor-released patch version is identified at time of analysis - the references list only the vendor site (https://www.joomcoder.com/) and advisory trackers (https://nvd.nist.gov/vuln/detail/CVE-2026-49048, https://vuldb.com/vuln/374583), with no fixed release number disclosed; check https://www.joomcoder.com/ for an update beyond 6.4.0 and upgrade to the first patched build once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog all Joomla instances running JoomCCK versions 1.0-6.4.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40003
GHSA-488g-5q94-889g