Description
Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information including version and database names.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information, including version and database names. This results in a breach of confidentiality, as attackers can read data from the underlying database without authentication.

Affected Systems

The StreetGuessr Game component, version 1.1.8, developed by Nordmograph and used within the Joomla content management system, is vulnerable. Only installations that deploy this specific component version are affected.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity, with no authentication required. No EPSS score is available and the vulnerability is not listed in CISA KEV. The flaw enables attackers to supply malicious input in the catid parameter of crafted URL requests to index.php, allowing extraction of data from the database.

Generated by OpenCVE AI on June 19, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade StreetGuessr Game to a version where the SQL injection in the catid parameter is fixed by the vendor.
  • If an immediate upgrade is not possible, disable or remove the StreetGuessr component from the Joomla installation so the vulnerable code cannot be executed.
  • Implement web application firewall rules or input validation that blocks suspicious SQL keywords in the catid parameter if the component remains in use, to mitigate the risk of exploitation until a patch can be applied.

Generated by OpenCVE AI on June 19, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Nordmograph
Nordmograph streetguessr Game
Vendors & Products Nordmograph
Nordmograph streetguessr Game

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information including version and database names.
Title Joomla StreetGuessr Game 1.1.8 SQL Injection via catid
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Nordmograph Streetguessr Game
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T17:54:10.350Z

Reserved: 2026-06-19T15:06:52.661Z

Link: CVE-2017-20271

cve-icon Vulnrichment

Updated: 2026-06-23T17:53:49.986Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:21Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')