Skip to main content

Quix Page Builder Pro EUVDEUVD-2026-44896

| CVE-2026-58078 HIGH
SQL Injection (CWE-89)
2026-07-16 Joomla GHSA-4v43-gx32-wcrj
8.7
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Unauthenticated network SQLi (PR:N, AV:N, AC:L) with full DB read/write impact (C/I/A:H); UI:R mirrors the source UI:P interaction requirement.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:03 vuln.today
CVE Published
Jul 16, 2026 - 08:14 cve.org
HIGH 8.7

DescriptionCVE.org

The Joomla extension Quix Page Builder Pro is vulnerable to an unauthenticated SQL injection.

AnalysisAI

SQL injection in the Quix Page Builder Pro extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a crafted request, enabling database read and write against affected sites. The CVSS 4.0 base score is 8.7 (High), reflecting network vector, low complexity, no privileges, and high impact to confidentiality, integrity, and availability of the vulnerable database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Joomla site with Quix Page Builder Pro
Delivery
Craft request with malicious SQL payload
Exploit
Trigger injection in unsanitized query parameter
Execution
Database executes attacker SQL
Impact
Exfiltrate credentials or modify stored data

Vulnerability AssessmentAI

Exploitation Exploitation requires a Joomla site running the Quix Page Builder Pro extension with an internet-reachable request path into the vulnerable component, and no authentication or privileges (PR:N) - the attacker does not need an account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately strong but not conclusive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote unauthenticated attacker sends a crafted request to a Quix Page Builder Pro endpoint on a public Joomla site, injecting SQL that is concatenated into a database query; because the injection point returns or acts on attacker-controlled input, they extract Joomla user credential hashes or session data and can tamper with stored content. Given UI:P in the vector, the attack may hinge on a visitor or operator triggering the affected request path. …
Remediation No vendor-released patch identified at time of analysis, and no fixed version number was provided in the input, so administrators should treat the current release as vulnerable and monitor the vendor page at https://www.themexpert.com/quix-pagebuilder for a patched Quix Page Builder Pro release, then upgrade as soon as one is published; the disclosure at https://mysites.guru/blog/quix-sql-injection-disclosure/ may contain additional detail on affected versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Joomla instances using Quix Page Builder Pro, restrict network access to these systems, and deploy WAF rules blocking SQL injection patterns targeting the vulnerable component. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy