Skip to main content

Joomla! CMS EUVDEUVD-2026-31887

| CVE-2026-35222 MEDIUM
SQL Injection (CWE-89)
2026-05-26 Joomla GHSA-pqh8-m9hh-m26w
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:09 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:45 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

AnalysisAI

Authenticated blind SQL injection in Joomla! CMS's com_tags component allows high-privileged attackers to exfiltrate database contents by supplying maliciously crafted ORDER BY clauses that are not properly validated. Affected versions span two distinct release trains: the 4.x/5.x line (4.0.0 through 5.4.5) and the 6.x line (6.0.0 through 6.1.0), meaning the vulnerability persists across both legacy and current major releases. No public exploit code has been identified at time of analysis, and the EPSS score of 0.00% indicates negligible automated exploitation probability, though the high-privilege requirement significantly limits the realistic attacker pool.

Technical ContextAI

The affected component, com_tags, is the native content-tagging subsystem bundled with Joomla! CMS (CPE: cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically arising from insufficient sanitization or allowlist validation of user-controlled sort/order parameters passed to database queries. ORDER BY clauses are a classic blind SQLi vector because they cannot use parameterized query placeholders in most SQL dialects - the column or direction value must be interpolated directly into the query string, requiring explicit allowlist enforcement. Failure to validate against an allowlist of permitted column names enables attackers to inject conditional SQL expressions (e.g., time-based or boolean-based payloads) to infer database contents character by character. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N) confirms the injection is exploitable over the network with low complexity but yields only confidentiality impact - consistent with a read-only blind extraction technique that cannot modify data.

RemediationAI

Apply the vendor-released patch documented in the Joomla! Security Centre advisory at https://developer.joomla.org/security-centre/1039-20260507-core-authenticated-blind-sqli-in-com-tags.html. The exact patched release versions for the 4.x/5.x and 6.x lines are not independently confirmed in the available input data - consult the advisory directly for authoritative fix version numbers before upgrading. As a compensating control for sites that cannot immediately upgrade, restrict access to the Joomla! administrator backend to trusted IP ranges using web server access controls (e.g., Apache mod_authz_host or nginx allow/deny directives), which eliminates remote exploitation surface since PR:H is required. Note that this workaround only limits remote attacker reach - a locally present or VPN-connected malicious administrator would still be able to exploit the vulnerability. Disabling the com_tags component entirely (if tags functionality is not required) also eliminates the vulnerable code path, though this will remove tagging functionality from the frontend. Review administrator accounts and enforce the principle of least privilege to reduce the pool of accounts capable of triggering this vulnerability.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

EUVD-2026-31887 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy