Skip to main content

DPCalendar CVE-2026-57831

| EUVDEUVD-2026-44599 HIGH
SQL Injection (CWE-89)
2026-07-15 Joomla GHSA-r6gc-42q2-64m6
8.7
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated, low-complexity network SQLi (AV:N/AC:L/PR:N/UI:N) with data disclosure only, so C:H and I:N/A:N matching the stated confidentiality-only impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 08:45 vuln.today
CVE Published
Jul 15, 2026 - 08:08 cve.org
HIGH 8.7

DescriptionCVE.org

The Joomla extension DP Calendar is vulnerable to an unauthenticated SQL injection.

AnalysisAI

SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Joomla site running DPCalendar
Delivery
Craft malicious SQL parameter in HTTP request
Exploit
Send to com_dpcalendar endpoint
Execution
Injection executes against database
Impact
Extract user and session data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a target Joomla site have the DPCalendar extension installed and its vulnerable component endpoint reachable over the network; the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special attack requirements. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 8.7 (High) is driven by AV:N/AC:L/AT:N/PR:N/UI:N - network-reachable, low complexity, no privileges, no user interaction - making it easy to exploit at scale against exposed Joomla sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a Joomla site running DPCalendar and sends a crafted HTTP request to a com_dpcalendar view with a malicious value in a vulnerable parameter, injecting a UNION-based or boolean/time-based SQL payload. Because no authentication or user interaction is required (PR:N/UI:N, AC:L), the attacker extracts sensitive database contents such as Joomla user tables and session data. …
Remediation No vendor-released patch version identified at time of analysis - the only reference provided is the product page (https://joomla.digital-peak.com/products/dpcalendar), which does not cite a fixed release, so consult Digital Peak directly and upgrade to the latest DPCalendar version once a patched build is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running DPCalendar and document the installed version; flag affected instances as high-priority for remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy