Skip to main content

Joomla! CMS EUVDEUVD-2026-31892

| CVE-2026-35221 MEDIUM
SQL Injection (CWE-89)
2026-05-26 Joomla GHSA-9j3h-xqx2-rj7v
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:08 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 16:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

AnalysisAI

Blind SQL injection in the com_finder (Smart Search) component of Joomla! CMS allows authenticated high-privilege users to extract confidential data from the underlying database across versions 5.4.0-5.4.5 and 6.0.0-6.1.0. The vulnerability stems from improperly constructed SQL filter clauses in search queries that permit attacker-controlled input to alter query logic. No public exploit has been identified at time of analysis, CISA has not added this to the KEV catalog, and EPSS probability sits at 0.03%, signaling minimal observed exploitation pressure.

Technical ContextAI

The vulnerability resides in com_finder, Joomla!'s built-in Smart Search component, which provides full-text indexing and search query capabilities for CMS content. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): filter clause parameters passed to the search query are insufficiently sanitized or parameterized, allowing SQL metacharacters to escape their intended context and alter backend database queries. The advisory title explicitly identifies this as a blind SQLi variant, meaning the database response does not surface errors or data directly - attackers must instead infer database contents through boolean-condition or time-delay side channels requiring multiple iterative requests. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H) confirms the component is network-accessible with no special attack preconditions beyond high-privilege authentication. Affected products are identified by CPE cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*.

RemediationAI

The primary remediation is to upgrade Joomla! CMS to a version that addresses this vulnerability; consult the official Joomla Security Centre advisory at https://developer.joomla.org/security-centre/1038-20260506-core-authenticated-blind-sqli-in-com-finder.html for the specific patched release. Note that the exact fixed version number is not confirmed in the available data - patch availability is confirmed per vendor advisory, but the precise release should be verified directly with the Joomla project before deployment. As a compensating control where immediate patching is not feasible, administrators can disable the Smart Search (com_finder) component entirely via the Joomla Extension Manager, removing the vulnerable attack surface at the trade-off of losing on-site search functionality. Additionally, enforcing multi-factor authentication on all high-privilege Joomla administrator accounts and IP-restricting access to the admin panel (/administrator) reduces the likelihood that valid high-privilege credentials can be obtained or abused to stage the attack.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

EUVD-2026-31892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy