Description
Joomla! Component Bargain Product VM3 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can supply crafted SQL statements in GET requests to the brainy and alice views to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in the product_id parameter of version 1.0 of the Bargain Product VM3 component for Joomla!. It allows unauthenticated attackers to inject arbitrary SQL code through GET requests to the brainy and alice views. The attacker can read, modify, or delete user data or other sensitive database information if the database account has sufficient privileges. No execution of arbitrary code outside the database context is described, so the impact is primarily data exposure.

Affected Systems

The flaw affects Joomla! sites that have the Weborange Bargain Product VM3 component installed, version 1.0. Administrators should verify whether this exact version is present on their content management system.

Risk and Exploitability

The vulnerability has a CVSS 4.0 score of 8.8 (8.2 under CVSS 3.1), indicating high severity. No EPSS score is available yet, but given the ease of exploitation via a simple GET request and the lack of authentication checks, the risk is high. The flaw is not listed in the CISA KEV catalog, but that does not reduce its threat; attackers could still target affected sites easily. The attack vector is most likely a direct, unauthenticated web request to the vulnerable parameter.

Generated by OpenCVE AI on June 19, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Bargain Product VM3 if one is released by the vendor.
  • Replace or disable the component if no patch is available, or switch to a more secure alternative with proper input validation.
  • Add server-side validation to the product_id parameter to allow only numeric values, further limiting injection possibilities.
  • Deploy a web application firewall with SQL injection rule sets to detect and block malicious requests targeting the component.
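
One way to apply the numeric-only rule for product_id as a detection check over web server access logs, as an added example that is not OpenCVE's or the vendor's code. The combined log format, the `com_example` option value (a placeholder, since the page does not give the component's request name), the 10-digit bound and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Views and parameter named in the advisory text.
WATCHED_VIEWS = {"brainy", "alice"}
# Digit-only allow-list; the 10-digit length bound is an assumption.
NUMERIC = re.compile(r"[0-9]{1,10}")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

def check_request(target):
    """Return a reason string if the request breaks the numeric rule, else None."""
    # parse_qs percent-decodes values, so encoded characters are checked too.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    views = {v.lower() for v in query.get("view", [])}
    if not views & WATCHED_VIEWS:
        return None  # not one of the affected views
    values = query.get("product_id", [])
    if len(values) > 1:
        return "product_id repeated"  # duplicates can confuse upstream filters
    for value in values:
        if not NUMERIC.fullmatch(value):
            return "product_id is not a plain integer"
    return None

def scan(lines):
    """Return (line number, client address, reason) for each flagged entry."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        reason = check_request(match.group("target"))
        if reason:
            findings.append((lineno, line.split()[0], reason))
    return findings

# Constructed sample entries (documentation address ranges, placeholder option).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_example&view=brainy&product_id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2026:18:20:05 +0000] "GET /index.php?option=com_example&view=alice&product_id=42%27 HTTP/1.1" 200 812',
    '203.0.113.9 - - [19/Jun/2026:18:20:06 +0000] "GET /index.php?option=com_example&view=brainy&product_id=1&product_id=2 HTTP/1.1" 200 900',
    '198.51.100.7 - - [19/Jun/2026:18:20:09 +0000] "GET /index.php?option=com_content&view=article&id=7%27 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allow-list test can serve as the blocking condition in a WAF rule or in a request filter placed in front of the component.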

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Joomla! Component Bargain Product VM3 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the product_id parameter. Attackers can supply crafted SQL statements in GET requests to the brainy and alice views to extract sensitive database information.
Title | | Joomla! Component Bargain Product VM3 1.0 SQL Injection
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T15:47:38.493Z

Reserved: 2026-06-19T14:57:43.894Z

Link: CVE-2017-20261

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:00:11Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')