Description
Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'eid' parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads to extract sensitive database information including database names and table structures.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joomla! component Zap Calendar Lite version 4.3.4 is vulnerable to an unauthenticated SQL injection that can be triggered through the 'eid' GET parameter of the RSVP plugin. An attacker can send crafted SQL payloads to this endpoint and execute arbitrary SQL statements, allowing the extraction of sensitive database information such as database names, table structures, and potentially other confidential data. The vulnerability is a classic example of CWE-89 and could also enable further compromise if the database is used by other applications or services.

Affected Systems

The affected product is the Zap Calendar Lite component provided by Zcontent for Joomla CMS. Only version 4.3.4 contains the flaw; no other product versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. Exploitation requires only that an attacker can send an HTTP GET request to the component's RSVP endpoint, so the attack vector is network-based and unauthenticated. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Given the ease of exploitation and the potential for significant data exposure, the risk to affected installations remains high until the component is updated or otherwise mitigated.

Generated by OpenCVE AI on June 19, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zap Calendar Lite to the latest patched version or remove the component if it is not required
  • Implement web application firewall rules to block SQL injection payloads targeting the 'eid' parameter on the RSVP endpoint
  • Back up the database before applying a patch and verify that the database schema is correct after the update
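The recommended actions above amount to one rule: 'eid' is an event id and must be a plain integer, both where the component reads it and where a WAF or log review inspects it. The following is an added example (not the advisory's or the vendor's code) that applies that allowlist check as a server-side validator and as a scan over constructed web-server log lines; the Joomla option/view values, the endpoint URL and the log format are assumptions, since the advisory names no concrete URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-like); not real traffic.
# The option/view values below are an assumed routing for the RSVP endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_zcalendar&view=rsvp&eid=42 HTTP/1.1" 200 512
203.0.113.7 - - [19/Jun/2026:18:20:05 +0000] "GET /index.php?option=com_zcalendar&view=rsvp&eid=42%27%20OR%201%3D1 HTTP/1.1" 500 0
203.0.113.9 - - [19/Jun/2026:18:20:09 +0000] "GET /index.php?option=com_content&view=article&id=7%27 HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Allowlist: an event id is a short run of digits, nothing else.
EID_OK = re.compile(r'^\d{1,10}$')

def validated_eid(raw):
    """Server-side counterpart of the fix: accept eid only as an integer, before any query is built."""
    if raw is None or not EID_OK.match(raw):
        return None
    return int(raw)

def parse_line(line):
    """Split one log line into client, timestamp, decoded query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    return {'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
            'params': parse_qs(url.query, keep_blank_values=True)}

def is_rsvp_request(rec):
    # Assumed routing; adjust to the installation's actual option/view or SEF path.
    p = rec['params']
    return p.get('option') == ['com_zcalendar'] and p.get('view') == ['rsvp']

def scan_log(text):
    """Return (ip, timestamp, offending eid, status) for RSVP requests whose eid fails the allowlist."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_rsvp_request(rec):
            continue
        for value in rec['params'].get('eid', []):
            if validated_eid(value) is None:
                findings.append((rec['ip'], rec['ts'], value, rec['status']))
    return findings
```

Percent-decoding happens in parse_qs, so the check sees the same value the component would; a 5xx status paired with a flagged eid is a useful triage signal that the payload reached the database layer.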

Generated by OpenCVE AI on June 19, 2026 at 19:44 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type          Values Removed    Values Added
Description   -                 Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'eid' parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads to extract sensitive database information including database names and table structures.
Title         -                 Joomla! Component Zap Calendar Lite 4.3.4 SQL Injection
Weaknesses    -                 CWE-89
References    -                 -
Metrics       -                 cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T16:11:12.299Z

Reserved: 2026-06-19T15:05:53.587Z

Link: CVE-2017-20268

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T19:45:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')