Description
Joomla! Component FocalPoint Pro/Free 1.2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_focalpoint, view=location, and a crafted id parameter containing SQL commands to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The identified flaw is a classic SQL injection vulnerability in the FocalPoint Pro / Free component for Joomla!; by injecting malicious code into the id request parameter, an attacker can execute arbitrary SQL queries against the underlying database. This permits the extraction of sensitive data. The weakness is classified as SQL injection (CWE‑89), enabling confidentiality violations and potential integrity damage.

Affected Systems

The vulnerable component is FocalPoint Pro / Free version 1.2.3 developed by Focalpointx. Any Joomla! site deploying that version of the component is impacted; the entry point is the index.php script accessed with option=com_focalpoint, view=location and an id parameter.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is considered high severity. The EPSS score is not available, so the exact exploitation probability is unknown, but the lack of a KEV listing indicates no widespread exploitation at present. The likely attack vector is unauthenticated HTTP GET requests to the component, meaning any user reaching the site can attempt the injection.

Generated by OpenCVE AI on June 19, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched build of FocalPoint Pro / Free that removes the injection point.
  • If an upgrade is not immediately possible, limit access to the component to authenticated users or whitelisted IP addresses and sanitize the id parameter to enforce numeric-only values.
  • Deploy a Web Application Firewall rule or use input validation libraries to block SQL injection patterns on the id field.
  • Monitor database query logs for abnormal activity and review application logs for signs of exploitation.
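
An added example for the log-review and numeric-only recommendations above; it is not part of the OpenCVE record or of the component's code. It flags web access log entries that reach the location view of com_focalpoint with an id that is not a plain integer. It assumes combined-format access logs and that legitimate id values are plain integers; the sample log lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate id is a short run of digits, nothing else.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def suspicious_id(target):
    """Return the offending id value for a com_focalpoint location request, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    options = [v.lower() for v in query.get("option", [])]
    views = [v.lower() for v in query.get("view", [])]
    if "com_focalpoint" not in options or "location" not in views:
        return None
    # Check every id occurrence: repeated parameters must not hide a bad value.
    for value in query.get("id", []):
        # fullmatch (not match with $) so a trailing newline is rejected too.
        if not NUMERIC_ID.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_no, client, status, decoded_id) for each flagged request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_id(m["target"])
        if bad is not None:
            findings.append((line_no, m["client"], int(m["status"]), bad))
    return findings


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_focalpoint&view=location&id=7 HTTP/1.1" 200 5123',
    '198.51.100.23 - - [19/Jun/2026:10:00:05 +0000] "GET /index.php?option=com_focalpoint&view=location&id=7%27 HTTP/1.1" 500 312',
    '198.51.100.23 - - [19/Jun/2026:10:00:09 +0000] "GET /index.php?option=com_focalpoint&view=location&id=7&id=x7 HTTP/1.1" 200 5123',
    '192.0.2.10 - - [19/Jun/2026:10:00:12 +0000] "GET /index.php?option=com_content&view=article&id=abc HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same digits-only pattern can serve as the allow-list for a WAF or reverse-proxy rule on the id field; a flagged entry answered with a 500 status is worth correlating with the database error log.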

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values Removed: (none)

Values Added:

  • Description: Joomla! Component FocalPoint Pro/Free 1.2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_focalpoint, view=location, and a crafted id parameter containing SQL commands to extract sensitive database information.
  • Title: Joomla! FocalPoint Pro Free 1.2.3 SQL Injection via location
  • Weaknesses: CWE-89
  • References:
  • Metrics:
      cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
      cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T15:54:22.693Z

Reserved: 2026-06-19T15:03:56.969Z

Link: CVE-2017-20263

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')