Description
Joomla! Component KissGallery 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the component URL path. Attackers can supply malicious SQL code in the kissgallery endpoint to execute arbitrary database queries and extract sensitive information.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw (CWE-89) in Joomla! Component KissGallery 1.0.0. Unauthenticated users can supply malicious SQL code in the component's URL path and have it executed as an arbitrary database query. The consequences include data exfiltration, credential theft, and unintended database modification.

Affected Systems

The affected product is Joomla! Component KissGallery 1.0.0, sold by Terrywcarter. No other product versions are listed, so earlier releases are assumed not to be affected; version 1.0.0 itself must be treated as vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 8.8 (CVSS 3.1: 8.2), indicating high severity. No EPSS score is available and the CVE is not listed in the CISA KEV catalog, but the score alone marks it as a severe risk. Because the flaw can be exploited with a standard HTTP request to the component URL, the attack vector is network-based and requires neither authentication nor user interaction; an attacker could therefore gain database access directly if the site is exposed to the internet. The combination of high severity and unauthenticated reachability suggests a significant likelihood of exploitation.

Generated by OpenCVE AI on June 19, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of KissGallery that eliminates the SQL injection flaw, or if unavailable, move to a newer Joomla component that provides equivalent functionality.
  • If upgrading is not immediately possible, disable the KissGallery component on the site or restrict access to the kissgallery endpoint so that only authenticated and authorized users can reach it.
  • Deploy or update a web application firewall to block common SQL injection payload patterns targeting the kissgallery URL path, reducing the likelihood of successful exploitation.
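The detection side of the WAF action above, shown as an added example that is not OpenCVE's or the vendor's code: a small scanner that reads web server access-log lines, keeps only requests to the KissGallery component, and flags query parameters whose decoded value carries SQL syntax. It assumes Joomla's usual component addressing (`index.php?option=com_kissgallery` or a SEF path under `/component/kissgallery`), which the page does not state; the log lines are constructed, and the indicator list is a narrow sample, not a full WAF ruleset.

```python
"""Flag access-log requests to the KissGallery component whose query
parameters carry SQL syntax. Added illustration; not OpenCVE or vendor code."""
import re
from urllib.parse import urlsplit, parse_qsl

# ASSUMPTION: Joomla components are addressed as index.php?option=com_<name>
# or via SEF URLs under /component/<name>; the page only says "kissgallery endpoint".
COMPONENT_MARKERS = ("option=com_kissgallery", "/component/kissgallery")

# Indicators of SQL syntax in a parameter value. Kept narrow so that ordinary
# gallery ids and slugs do not match; a production WAF ruleset is broader.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I),
    "sql_comment": re.compile(r"/\*[\s\S]*?\*/|--(?:\s|$)|#\s*$"),
    "stacked_query": re.compile(r";\s*(?:drop|insert|update|delete|alter)\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}

# Common Log Format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_kissgallery_request(target: str) -> bool:
    """True if the request target addresses the KissGallery component."""
    return any(marker in target.lower() for marker in COMPONENT_MARKERS)


def suspicious_params(target: str) -> list[tuple[str, str, str]]:
    """Return (param, decoded value, indicator) for every parameter value that
    contains SQL syntax. parse_qsl percent-decodes the values, so encoded
    quotes and spaces are inspected in their decoded form."""
    hits = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for indicator, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, value, indicator))
                break  # one indicator per parameter is enough to alert
    return hits


def scan_log(lines):
    """Return one alert dict per KissGallery request with a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_kissgallery_request(m["target"]):
            continue
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "hits": hits})
    return alerts


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2026:18:20:01 +0000] "GET /index.php?option=com_kissgallery&view=gallery&id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2026:18:20:07 +0000] "GET /index.php?option=com_kissgallery&view=gallery&id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90311',
    '203.0.113.9 - - [19/Jun/2026:18:20:09 +0000] "GET /index.php?option=com_kissgallery&id=12%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 312',
    '203.0.113.7 - - [19/Jun/2026:18:21:00 +0000] "GET /index.php?option=com_content&view=article&id=5%27 HTTP/1.1" 200 7001',
    '203.0.113.2 - - [19/Jun/2026:18:21:30 +0000] "GET /index.php?option=com_kissgallery&view=gallery&slug=rock-and-roll HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Replace `SAMPLE_LOG` with the lines of a real access log to review past traffic to the endpoint, for example to confirm that a newly deployed WAF rule would have caught what was already seen. Two limits matter in practice: the scope is deliberately the component path the page names, whereas a WAF ruleset should apply site-wide (the quote in the `com_content` request above is intentionally not flagged), and only GET query strings are inspected, so POST bodies and double-encoded values would pass unnoticed.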

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description  -                Joomla! Component KissGallery 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the component URL path. Attackers can supply malicious SQL code in the kissgallery endpoint to execute arbitrary database queries and extract sensitive information.
Title        -                Joomla! Component KissGallery 1.0.0 SQL Injection
Weaknesses   -                CWE-89
References   -                -
Metrics      -                cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                              cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T16:14:34.172Z

Reserved: 2026-06-19T15:06:16.316Z

Link: CVE-2017-20269

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T19:45:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')