Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated, low-complexity network SQLi (AV:N/AC:L/PR:N/UI:N) with data disclosure only, so C:H and I:N/A:N matching the stated confidentiality-only impact.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Joomla extension DP Calendar is vulnerable to an unauthenticated SQL injection.
AnalysisAI
SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a target Joomla site have the DPCalendar extension installed and its vulnerable component endpoint reachable over the network; the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special attack requirements. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 8.7 (High) is driven by AV:N/AC:L/AT:N/PR:N/UI:N - network-reachable, low complexity, no privileges, no user interaction - making it easy to exploit at scale against exposed Joomla sites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers a Joomla site running DPCalendar and sends a crafted HTTP request to a com_dpcalendar view with a malicious value in a vulnerable parameter, injecting a UNION-based or boolean/time-based SQL payload. Because no authentication or user interaction is required (PR:N/UI:N, AC:L), the attacker extracts sensitive database contents such as Joomla user tables and session data. … |
| Remediation | No vendor-released patch version identified at time of analysis - the only reference provided is the product page (https://joomla.digital-peak.com/products/dpcalendar), which does not cite a fixed release, so consult Digital Peak directly and upgrade to the latest DPCalendar version once a patched build is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all systems running DPCalendar and document the installed version; flag affected instances as high-priority for remediation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44599
GHSA-r6gc-42q2-64m6