Description
Joomla! Component My Projects 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the VerAyari parameter. Attackers can craft requests to the component endpoint with SQL injection payloads to extract sensitive database information including credentials and system data.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE‑89) in the Joomla! component My Projects 2.0. It permits users to inject malicious SQL statements through the VerAyari parameter, enabling the execution of arbitrary queries against the database. Successful exploitation can result in the disclosure of user credentials, administrative data, or other system information stored in the database, thereby compromising confidentiality and potentially enabling further compromise of the Joomla! installation.

Affected Systems

The affected product is the Joomla! component My Projects 2.0 from Gegabyte. The component is distributed through the Joomla! extension directory. The description does not list specific version ranges other than the 2.0 release, so all installations of this component should be reviewed.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity attack that can be performed without authentication and from a remote web request. The EPSS score is not available, but the high CVSS combined with the lack of protective controls suggests a significant risk. The vulnerability is not listed in the CISA KEV catalog, which does not mean it is safe, only that it has not been documented as a widely exploited flaw. Attackers can reach the vulnerable parameter through a standard HTTP request to the component endpoint. Once reached, the injection can be used to extract the database contents or modify data, depending on the privileges of the database account used by the component.

Generated by OpenCVE AI on June 19, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest version of the My Projects component or remove the component entirely if it is no longer required
  • Limit access to the component’s URLs by configuring Joomla! ACL to restrict viewing and editing to privileged users only
  • Apply a web application firewall or OWASP ModSecurity rules set to detect and block SQL injection attempts targeting the VerAyari parameter

Generated by OpenCVE AI on June 19, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gegabyte
Gegabyte my Projects
Vendors & Products Gegabyte
Gegabyte my Projects

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component My Projects 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the VerAyari parameter. Attackers can craft requests to the component endpoint with SQL injection payloads to extract sensitive database information including credentials and system data.
Title Joomla! Component My Projects 2.0 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Gegabyte My Projects
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T18:01:13.834Z

Reserved: 2026-06-19T14:34:53.209Z

Link: CVE-2017-20253

cve-icon Vulnrichment

Updated: 2026-06-23T18:00:47.430Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:50Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')