Description
Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_osdownloads&view=item&id=[SQL] to extract sensitive database information including credentials and configuration data.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla OSDownloads 1.7.4 contains an SQL injection flaw that permits unauthenticated attackers to inject arbitrary SQL through the id parameter in the item view. By sending specially crafted GET requests to index.php with the query string option=com_osdownloads&view=item&id=[SQL], an attacker can read sensitive database contents, including user credentials and configuration data, potentially compromising site integrity or enabling further attacks if write access is present.

Affected Systems

The vulnerability affects the OSDownloads component created by Joomlashack, specifically version 1.7.4 that runs under Joomla CMS. Any site that has installed this exact version and exposes the item view without input validation is susceptible.

Risk and Exploitability

The CVSS score of 8.8 signals high severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The flaw is reachable via external HTTP GET traffic, requiring no authentication, which means the attack vector is network‑based and readily exploitable. An adversary could extract confidential information and potentially alter database entries, depending on the database user privileges.

Generated by OpenCVE AI on June 19, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OSDownloads update that fixes the SQL injection flaw.
  • If a patch is unavailable, sanitize the id parameter or restrict it so that only valid numeric values are accepted before it reaches the query logic.
  • Deploy a web application firewall rule that blocks requests containing SQL keywords or anomalous patterns in the id parameter.

Generated by OpenCVE AI on June 19, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomlashack
Joomlashack osdownloads
Vendors & Products Joomlashack
Joomlashack osdownloads

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_osdownloads&view=item&id=[SQL] to extract sensitive database information including credentials and configuration data.
Title Joomla OSDownloads 1.7.4 SQL Injection via item view
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomlashack Osdownloads
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T17:58:49.265Z

Reserved: 2026-06-19T14:56:47.201Z

Link: CVE-2017-20259

cve-icon Vulnrichment

Updated: 2026-06-23T17:58:34.791Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:41Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')