Description
Joomla! Component User Bench 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the userid parameter. Attackers can send GET requests to index.php with the option=com_userbench&view=detail&userid parameter containing SQL injection payloads to extract sensitive database information including credentials and configuration data.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! Component User Bench 1.0 contains a classic SQL injection flaw that enables an unauthenticated attacker to send malicious code through the userid parameter in a GET request. This allows the execution of arbitrary SQL statements against the Joomla database, giving the attacker the ability to read, modify, or delete sensitive data including user credentials, configuration settings, and other confidential information. The weakness falls under CWE-89 and is a direct exploitation of an input validation failure that compromises confidentiality and potentially integrity.

Affected Systems

The vulnerability is present in the User Bench component developed by Gegabyte. All installations using User Bench 1.0 are affected; no higher or lower versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity risk. Because EPSS is not available the exploitation probability is unclear, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable code through standard HTTP GET traffic to index.php with a crafted userid value, meaning the attack can be performed remotely without authentication. The public availability of exploitation scripts increases the likelihood of real-world exploitation.

Generated by OpenCVE AI on June 19, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade User Bench to its latest released version, or uninstall the component to mitigate the vulnerability.
  • Configure the Joomla environment to enforce strict input filtering on all GET parameters, particularly userid, using Joomla’s built‑in input validation or third‑party security extensions.
  • Deploy Web Application Firewall rules that detect and block suspicious SQL injection patterns targeting the /index.php URI with option=com_userbench parameters, and monitor database logs for abnormal query activity.

Generated by OpenCVE AI on June 19, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gegabyte
Gegabyte user Bench
Vendors & Products Gegabyte
Gegabyte user Bench

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component User Bench 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the userid parameter. Attackers can send GET requests to index.php with the option=com_userbench&view=detail&userid parameter containing SQL injection payloads to extract sensitive database information including credentials and configuration data.
Title Joomla! Component User Bench 1.0 SQL Injection via userid
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Gegabyte User Bench
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T19:37:13.303Z

Reserved: 2026-06-19T14:35:21.150Z

Link: CVE-2017-20254

cve-icon Vulnrichment

Updated: 2026-06-22T19:37:09.540Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:49Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')