Description
Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_osdownloads&view=item&id=[SQL] to extract sensitive database information including credentials and configuration data.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla OSDownloads 1.7.4 contains an SQL injection flaw that permits unauthenticated attackers to inject arbitrary SQL through the id parameter in the item view. By sending specially crafted GET requests to index.php with the query string option=com_osdownloads&view=item&id=[SQL], an attacker can read sensitive database contents, including user credentials and configuration data, potentially compromising site integrity or enabling further attacks if write access is present.

Affected Systems

The vulnerability affects the OSDownloads component by Joomlashack, specifically version 1.7.4 running under the Joomla CMS. Any site that has this exact version installed and exposes the item view without validating the id parameter is susceptible.

Risk and Exploitability

The CVSS score of 8.8 signals high severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The flaw is reachable via external HTTP GET traffic, requiring no authentication, which means the attack vector is network‑based and readily exploitable. An adversary could extract confidential information and potentially alter database entries, depending on the database user privileges.

Generated by OpenCVE AI on June 19, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OSDownloads update that fixes the SQL injection flaw.
  • If a patch is unavailable, sanitize the id parameter or restrict it so that only valid numeric values are accepted before it reaches the query logic.
  • Deploy a web application firewall rule that blocks requests containing SQL keywords or anomalous patterns in the id parameter.
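The two interim measures above (restrict the id parameter to valid numeric values; flag anomalous patterns in it at the WAF or log layer) both reduce to one check: the id of a download is an unsigned integer, and anything else is outside the expected shape. The following added example, which is not code from OpenCVE, Joomlashack or the OSDownloads component, implements that allowlist check in Python and applies it to constructed web-server access-log lines so that requests to the item view with an unexpected id can be surfaced for review. The log lines, addresses and timestamps are constructed for the example.

```python
"""Added example (not from OpenCVE or Joomlashack): a strict allowlist check
for the OSDownloads `id` parameter, plus a small scanner that applies it to
access-log lines in combined log format. All sample data below is constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# A download id is an unsigned integer; no sign, whitespace, quotes or other characters.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def is_valid_download_id(value: str) -> bool:
    """Allowlist check: accept only a plain run of digits."""
    return bool(ID_PATTERN.match(value))


def targets_osdownloads_item(query: dict) -> bool:
    """True when the query string selects the OSDownloads item view."""
    return query.get("option") == ["com_osdownloads"] and query.get("view") == ["item"]


# Combined log format: ip ident user [time] "METHOD path PROTOCOL" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(path: str) -> str:
    """Return 'ok', 'suspicious' or 'other' for one request path.

    Requests that do not address the item view are 'other'. A request to the
    item view is 'ok' only when exactly one id is present and it is numeric;
    a missing, repeated, or non-numeric id is 'suspicious'."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if not targets_osdownloads_item(query):
        return "other"
    ids = query.get("id", [])
    if len(ids) == 1 and is_valid_download_id(ids[0]):
        return "ok"
    return "suspicious"


def scan_access_log(lines):
    """Yield (ip, time, path) for item-view requests whose id fails the allowlist."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        if classify_request(match.group("path")) == "suspicious":
            yield match.group("ip"), match.group("time"), match.group("path")


# Constructed sample log lines (documentation-range addresses, placeholder times).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_osdownloads&view=item&id=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/Jun/2026:18:20:02 +0000] "GET /index.php?option=com_osdownloads&view=item&id=42%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [19/Jun/2026:18:21:10 +0000] "GET /index.php?option=com_osdownloads&view=item&id=42&id=7 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jun/2026:18:21:11 +0000] "GET /index.php?option=com_content&view=article&id=abc HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, when, path in scan_access_log(SAMPLE_LOG):
        print(f"{when} {ip} {path}")
```

Matching on the expected shape of the value (digits only) is more robust than a denylist of SQL keywords, because it needs no list of forbidden tokens and rejects encoded or split-parameter variants the same way. The same predicate, applied server-side before the value reaches any query, is the check the second recommended action describes; run at the log or WAF layer, it gives a low-noise signal for the third.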


Tracking


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_osdownloads&view=item&id=[SQL] to extract sensitive database information including credentials and configuration data.
Title       |                | Joomla OSDownloads 1.7.4 SQL Injection via item view
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
            |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T15:40:54.844Z

Reserved: 2026-06-19T14:56:47.201Z

Link: CVE-2017-20259

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:00:11Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')