Description
Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword parameter. Attackers can send GET requests to the searchresults view with crafted SQL payloads in the searchword parameter to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla SP Movie Database 1.3 component is vulnerable to SQL injection: a crafted string supplied in the searchword parameter of the searchresults controller is not sanitized before it is used in a query. An attacker can embed arbitrary SQL commands in a GET request, causing the application to execute those statements against the Joomla database. As a result, sensitive data such as user credentials, site configuration, and other protected information can be read or manipulated. The flaw does not directly provide system-level execution, but the extracted data can be leveraged for further attacks, raising the potential impact beyond simple data disclosure.

Affected Systems

Any Joomla installation that includes the SP Movie Database extension version 1.3 is affected. The vulnerability is limited to that specific version; later releases of the component are presumed to have fixed the issue, but this must be verified. Administrators should audit their sites for the component and check its installed version.

Risk and Exploitability

The CVSS v4.0 score of 8.8 classifies this as a high-severity flaw. Because the attack requires no authentication and is delivered through a standard HTTP GET request, it is broadly exploitable. No EPSS score is available, and the absence of a KEV listing does not reduce the attack surface. An attacker can construct a single request to extract data, making the threat realistic for Joomla sites that host the vulnerable extension.

Generated by OpenCVE AI on June 19, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Joomla SP Movie Database that includes the SQL injection fix.
  • If upgrading is not immediately possible, remove or disable the searchresults view or block the searchword parameter to close the injection path.
  • Implement web application firewall rules or input validation filters that detect and block suspicious SQL injection patterns targeting the searchword parameter.
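To support the filtering recommendation above, the following added example (not code from OpenCVE or from the extension's vendor) scans web server access logs for searchresults requests whose searchword value carries SQL syntax. It assumes combined log format and that the view name appears in the query string or the path; the patterns and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Client address and request target from a combined-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# SQL syntax that a movie-title search has no reason to contain.
# A lone apostrophe is NOT flagged, so titles like "Ocean's Eleven" pass.
SUSPICIOUS = [re.compile(p, re.I | re.S) for p in (
    r"\bunion\b.{0,40}\bselect\b",
    r"\b(sleep|benchmark|extractvalue|updatexml)\s*\(",
    r"\binformation_schema\b",
    r"['\"].*(--|#|/\*)",                      # quote followed by a comment marker
    r"['\"]\s*\)*\s*(or|and)\b.*[=<>]",        # quote followed by a boolean test
)]

def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_searchword_requests(log_lines):
    """Return (client, decoded searchword) for flagged searchresults requests."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        client, target = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query, keep_blank_values=True)
        if "searchresults" not in params.get("view", []) and "searchresults" not in url.path:
            continue
        for raw in params.get("searchword", []):
            word = fully_decode(raw)
            if any(p.search(word) for p in SUSPICIOUS):
                hits.append((client, word))
    return hits

# Constructed sample lines (documentation IP ranges, shortened URLs).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jun/2026:10:01:02 +0000] "GET /index.php?view=searchresults&searchword=Ocean%27s+Eleven HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jun/2026:10:03:11 +0000] "GET /index.php?view=searchresults&searchword=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9000 "-" "curl/8.0"',
    '203.0.113.44 - - [19/Jun/2026:10:04:40 +0000] "GET /index.php?view=searchresults&searchword=x%2527%2520UNION%2520SELECT%25201-- HTTP/1.1" 500 310 "-" "curl/8.0"',
]
```

Hits from this scan are leads for investigation and for tuning a blocking rule; they do not replace removing or fixing the vulnerable component.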



Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword parameter. Attackers can send GET requests to the searchresults view with crafted SQL payloads in the searchword parameter to extract sensitive database information.
Title | | Joomla SP Movie Database 1.3 SQL Injection via searchword
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T16:04:28.631Z

Reserved: 2026-06-19T15:05:05.309Z

Link: CVE-2017-20266

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')