Description
Joomla! Component RPC Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_pofos&view=pofo&id=[SQL] to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RPC Responsive Portfolio component version 1.6.1 for Joomla! contains a classic SQL injection flaw. Attackers can supply malicious SQL code in the id parameter of a GET request to the component’s entry point. Because the input is not sanitized, the database engine executes the injected query, allowing unrestricted data extraction or manipulation. The flaw does not require any authentication, meaning anyone who can reach the vulnerable URL can exploit it.

Affected Systems

The vulnerability is found in the Extro RPC "RPC Responsive Portfolio" component for Joomla!, specifically the 1.6.1 release. No other versions or vendors are listed in the CVE data.

Risk and Exploitability

With a CVSS 4.0 score of 8.8, the flaw is rated high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the publicly documented exploitation vector is a simple HTTP GET request, so remote attackers can reach it from the open internet. The lack of authentication or role checks further increases the risk, potentially exposing sensitive database contents to attackers.

Generated by OpenCVE AI on June 19, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the RPC Responsive Portfolio component to the latest version that addresses the injection flaw.
  • If an upgrade is not immediately possible, remove or disable the component from the Joomla! installation to block the exposed GET endpoint.
  • Implement a web application firewall rule that blocks suspicious SQL syntax in the id query parameter to provide a temporary mitigation while a fix is applied.

Generated by OpenCVE AI on June 19, 2026 at 20:33 UTC.
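
As an added illustration of the log-review side of the temporary mitigation above (this is not part of the OpenCVE record or the component's code): a Python check that flags access-log requests to option=com_pofos&view=pofo whose id is not a plain integer. It assumes combined-format access logs and that legitimate ids are short non-negative integers; the function names and sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate portfolio ids are short non-negative integers.
PLAIN_ID_RE = re.compile(r"[0-9]{1,10}")

def suspicious_id(target):
    """Return the decoded id value if the request targets the component's
    pofo view with a non-integer id; otherwise return None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Membership tests, so repeated parameters cannot hide the match.
    if "com_pofos" not in params.get("option", []):
        return None
    if "pofo" not in params.get("view", []):
        return None
    for raw in params.get("id", []):
        # parse_qs decoded once; decode again to catch double-encoded input.
        value = unquote(raw)
        if not PLAIN_ID_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, offending_id) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = suspicious_id(match.group(1))
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_pofos&view=pofo&id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2026:10:00:07 +0000] "GET /index.php?option=com_pofos&view=pofo&id=12%27 HTTP/1.1" 500 310',
    '203.0.113.9 - - [19/Jun/2026:10:00:09 +0000] "GET /index.php?option=com_pofos&view=pofo&id=12%2527 HTTP/1.1" 500 310',
    '198.51.100.4 - - [19/Jun/2026:10:01:30 +0000] "GET /index.php?option=com_content&view=article&id=3-about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer id {value!r}")
```

The same allow-list idea (accept only digits for id) is what a WAF rule for this endpoint would enforce; requests to other components are deliberately ignored because their id formats differ.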

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Joomla! Component RPC Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_pofos&view=pofo&id=[SQL] to extract sensitive database information.
Title | | Joomla! Component RPC Responsive Portfolio 1.6.1 SQL Injection
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T15:37:32.976Z

Reserved: 2026-06-19T14:56:35.526Z

Link: CVE-2017-20258

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:15:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')