Description
Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerable component Calendar Planner 1.0.1 for Joomla! allows unauthenticated attackers to inject arbitrary SQL via the category_id parameter of GET requests to the events view. Because the parameter is neither validated as an integer nor bound as a query parameter, an attacker can alter the statement to read data from other tables in the Joomla! database (the users table and its credential hashes included), leading to sensitive data exposure. The vulnerability is classified as CWE‑89; the CVSS v4.0 score is 8.8 (v3.1: 8.2), with high impact on confidentiality and low impact on integrity.
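The following is an added illustration of the CWE-89 pattern described above, not code from the Calendar Planner component or from Joomla!. It models a minimal events/users schema in an in-memory SQLite database (constructed sample data) and contrasts a query that interpolates category_id directly with one that enforces an integer type and binds the value. In Joomla! the hardened form corresponds to reading the parameter with the input layer's getInt() and binding or quoting it through the database API; the table and column names used here are assumptions.

```python
import sqlite3

# Constructed in-memory schema standing in for the component's events table and
# the CMS users table that share one Joomla! database. Not the real schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events (id INTEGER, title TEXT, category_id INTEGER);
        CREATE TABLE users  (id INTEGER, username TEXT, password TEXT);
        INSERT INTO events VALUES (1, 'Standup', 1), (2, 'Retro', 1), (3, 'Board meeting', 2);
        INSERT INTO users  VALUES (10, 'admin', 'hash:abc123');
    """)
    return conn


def events_unsafe(conn: sqlite3.Connection, category_id: str) -> list:
    # Vulnerable pattern (CWE-89): the request parameter is pasted into the
    # statement text, so any SQL it carries becomes part of the query.
    sql = f"SELECT id, title FROM events WHERE category_id = {category_id} ORDER BY id"
    return conn.execute(sql).fetchall()


def events_safe(conn: sqlite3.Connection, category_id: str) -> list:
    # Hardened pattern: enforce the integer type first (raises ValueError on
    # anything else), then bind the value so the driver never treats it as SQL.
    cid = int(category_id)
    return conn.execute(
        "SELECT id, title FROM events WHERE category_id = ? ORDER BY id", (cid,)
    ).fetchall()


def safe_rejects(conn: sqlite3.Connection, payload: str) -> bool:
    # True when the hardened path refuses the payload instead of running it.
    try:
        events_safe(conn, payload)
    except ValueError:
        return True
    return False


def demo() -> dict:
    conn = build_db()
    normal = "1"
    tautology = "1 OR 1=1"                              # widens the WHERE clause to every event
    union = "0 UNION SELECT id, password FROM users"    # pulls rows from another table
    return {
        "unsafe_normal": events_unsafe(conn, normal),
        "unsafe_tautology": events_unsafe(conn, tautology),
        "unsafe_union": events_unsafe(conn, union),
        "safe_normal": events_safe(conn, normal),
        "safe_rejects_all": all(safe_rejects(conn, p) for p in (tautology, union)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION case is the one that matters for this advisory: the unsafe query returns the users row through the events view, which is exactly the "extract sensitive database information" outcome in the description, while the typed-and-bound version never lets the payload reach the database.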

Affected Systems

Affected systems include any Joomla! installation that has the Calendar Planner 1.0.1 component installed. The issue is limited to that specific version; later releases (if available) are presumed patched. No other products are listed as affected.

Risk and Exploitability

The risk level is high, as the flaw can be triggered with a single HTTP GET request from any remote host, requiring no authentication or user interaction. While the EPSS score is not publicly available, the CVSS vector (scope unchanged, confidentiality high) indicates that a successful exploit yields data exfiltration from the database without directly compromising other system components. The vulnerability is not currently listed in CISA’s KEV catalog, but the high score and the trivial trigger mean it should be treated as a likely target for opportunistic scanning and exploitation.
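Because the trigger is a single GET request, exploitation attempts are visible in the web server access log. The script below is an added detection example, not part of the advisory or the OpenCVE page: it parses constructed Apache combined-format lines and flags any request to the events view whose category_id is not a plain integer, which is the only value the parameter should ever legitimately carry. The option=com_calendarplanner name is an assumption, so the rule keys on view=events and the parameter name rather than on the component name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic). The first and fourth are
# benign; the others carry SQL injection payloads in category_id.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_calendarplanner&view=events&category_id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2026:18:20:07 +0000] "GET /index.php?option=com_calendarplanner&view=events&category_id=1%20OR%201%3D1 HTTP/1.1" 200 9811 "-" "curl/8.4.0"
203.0.113.9 - - [19/Jun/2026:18:20:12 +0000] "GET /index.php?option=com_calendarplanner&view=events&category_id=0+UNION+SELECT+1,username,password,4+FROM+jos_users-- HTTP/1.1" 200 6210 "-" "curl/8.4.0"
198.51.100.2 - - [19/Jun/2026:18:21:44 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2026:18:22:00 +0000] "GET /index.php?option=com_calendarplanner&view=events&category_id=1%27 HTTP/1.1" 500 412 "-" "curl/8.4.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate category_id is an integer and nothing else.
INT_RE = re.compile(r"^-?\d+$")


def inspect_line(line: str):
    """Return a finding dict for an events-view request with a non-integer category_id, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so encoded payloads are seen decoded.
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if qs.get("view") != ["events"] or "category_id" not in qs:
        return None
    for value in qs["category_id"]:
        if not INT_RE.match(value.strip()):
            return {
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "category_id": value,
            }
    return None


def find_suspicious(log_text: str) -> list:
    """Scan a block of access-log text and collect every flagged request."""
    hits = []
    for line in log_text.splitlines():
        hit = inspect_line(line)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} category_id={hit['category_id']!r}")
```

A strict integer allow-list is the right shape for this rule because it mirrors what the fixed code should enforce; any hit is either an attack or a broken client, and there is nothing to tune. The 500 on the last line is also worth keeping in view: a single-quote probe that breaks the query is a common first step before a working UNION payload, and the response size jump on the tautology line is another cheap signal.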

Generated by OpenCVE AI on June 19, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Calendar Planner component to the latest patched version or uninstall it if an upgrade is not available.
  • If no patch exists yet, restrict access to the events view (for example through the component's access level or Joomla!'s user group permissions) so that unauthenticated clients cannot reach the request that reads category_id. This raises the bar but does not close the flaw: any account that can still reach the view can still inject.
  • Configure the Joomla! database user with the least privileges necessary for the site to operate, reducing potential damage if SQL injection succeeds. Note that Joomla! uses a single database account for the whole CMS, so this limits write and stacked-query abuse but cannot stop reads of tables the CMS itself needs, such as the users table.


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description   -                Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensitive database information.
Title         -                Joomla! Component Calendar Planner 1.0.1 SQL Injection
Weaknesses    -                CWE-89
References    -                -
Metrics       -                cvssV3_1: score 8.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
                               cvssV4_0: score 8.8, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T16:07:50.559Z

Reserved: 2026-06-19T15:05:29.438Z

Link: CVE-2017-20267

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T19:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')