Description
Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Attackers can send GET requests to index.php with option=com_nge&view=config and inject malicious SQL code in the plname parameter to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows attackers to inject malicious SQL into the plname parameter of the NextGen Editor component. An unauthenticated user can send a crafted GET request to the component’s configuration view, leading to arbitrary SQL execution. The impact is full compromise of the database, enabling data exfiltration, modification, or deletion, and thus compromising confidentiality, integrity, and availability. The weakness is a classic SQL injection flaw, identified as CWE-89.

Affected Systems

The affected system is the NextGen Editor extension version 2.1.0 for Joomla. The component can be found at extensions.joomla.org and is commonly used in Joomla installations.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. No EPSS score is available, so the current exploitation probability is unknown, but the vulnerability can be exploited without authentication by simply sending a GET request, which implies a low entry barrier. The issue is not listed in CISA’s KEV catalog, suggesting that no publicly known exploit has been catalogued yet. Nevertheless, attackers can easily construct the GET payload and achieve full database compromise. The likely attack vector is an unauthenticated HTTP request to the component’s configuration endpoint.

Generated by OpenCVE AI on June 19, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch released for NextGen Editor version 2.1.0 or later.
  • Disable or uninstall the NextGen Editor extension if it is not essential to site functionality.
  • Restrict access to the NextGen Editor configuration endpoint to authenticated administrators only by configuring .htaccess or Joomla's access control settings.

Generated by OpenCVE AI on June 19, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Nextgeneditor
Nextgeneditor nextgen Editor
Vendors & Products Nextgeneditor
Nextgeneditor nextgen Editor

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Attackers can send GET requests to index.php with option=com_nge&view=config and inject malicious SQL code in the plname parameter to extract sensitive database information.
Title Joomla NextGen Editor 2.1.0 SQL Injection via plname Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Nextgeneditor Nextgen Editor
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:14:56.231Z

Reserved: 2026-06-19T14:34:28.196Z

Link: CVE-2017-20252

cve-icon Vulnrichment

Updated: 2026-06-22T16:28:33.353Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:51Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')