Description
Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information including version and database names.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw that allows an attacker to inject arbitrary SQL code through the catid parameter in Joomla StreetGuessr Game. When an unauthenticated user sends a GET request that includes this parameter, the application fails to properly sanitize the value, enabling retrieval of sensitive database information such as version numbers and database names. The impact is primarily a breach of confidentiality, allowing attackers to read data from the underlying database without needing prior authentication.

Affected Systems

The affected product is the StreetGuessr Game component, version 1.1.8, developed by Nordmograph and used within the Joomla content management system. Only installations that have this specific version of the StreetGuessr component deployed are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity, with no authentication required and a moderate complexity requirement for exploitation. Although no EPSS score is available and the vulnerability is not listed in CISA KEV, the nature of the flaw – unauthenticated SQL injection – suggests a relatively straightforward exploitation path via crafted URL requests to index.php with option=com_streetguess&view=maps. Attackers can simply supply malicious input in the catid parameter to extract data.

Generated by OpenCVE AI on June 19, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade StreetGuessr Game to a version where the SQL injection in the catid parameter is fixed by the vendor.
  • If an immediate upgrade is not possible, disable or remove the StreetGuessr component from the Joomla installation so the vulnerable code cannot be executed.
  • Implement web application firewall rules or input validation that blocks suspicious SQL keywords in the catid parameter if the component remains in use, to mitigate the risk of exploitation until a patch can be applied.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values added (the Values Removed column is empty for every row):

  • Description: Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Attackers can send GET requests to index.php with the option=com_streetguess&view=maps parameters and inject SQL code in the catid parameter to extract sensitive database information including version and database names.
  • Title: Joomla StreetGuessr Game 1.1.8 SQL Injection via catid
  • Weaknesses: CWE-89
  • References:
  • Metrics:
      cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
      cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T16:21:17.907Z

Reserved: 2026-06-19T15:06:52.661Z

Link: CVE-2017-20271

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T19:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')