Description
Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Attackers can inject SQL code through POST requests to the search endpoint to extract database information using boolean-based blind SQL injection techniques.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla JoomRecipe version 1.0.4 contains a blind SQL injection flaw in the search_author parameter on its search results page. Through POST requests to the search endpoint, an attacker can inject SQL code that exploits boolean-based blind techniques to retrieve database contents such as user credentials and configuration data. The vulnerability originates from untrusted input being incorporated directly into a SQL statement without proper sanitization, identified as CWE‑89.

Affected Systems

The affected vendor is Joomboost and the vulnerable product is the Joomla JoomRecipe component. Only version 1.0.4 is known to contain the flaw; newer releases presumably remove the issue. Any Joomla site that installs JoomRecipe 1.0.4 is therefore at risk.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is classified as High severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote via web requests to the search endpoint, as attackers can craft POST requests to the search_author parameter. No authentication or privileged context is explicitly required in the description, suggesting that an unauthenticated attacker could potentially exploit the flaw. The high CVSS rating indicates that the threat remains significant for affected systems.

Generated by OpenCVE AI on June 19, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Joomla JoomRecipe component to version 1.0.5 or later, where the blind SQL injection issue is remedied.
  • If a timely upgrade is not feasible, remove or disable the JoomRecipe component to eliminate the vulnerable search_author functionality.
  • Apply input validation or parameter sanitization safeguards to ensure that user-supplied values are not directly concatenated into SQL queries, mitigating similar injection risks in other parts of the application.

Generated by OpenCVE AI on June 19, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomboost
Joomboost joomla Joomrecipe
Vendors & Products Joomboost
Joomboost joomla Joomrecipe

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Attackers can inject SQL code through POST requests to the search endpoint to extract database information using boolean-based blind SQL injection techniques.
Title Joomla JoomRecipe 1.0.4 Component Blind SQL Injection via search_author
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomboost Joomla Joomrecipe
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T17:51:56.555Z

Reserved: 2026-06-19T15:09:17.979Z

Link: CVE-2017-20277

cve-icon Vulnrichment

Updated: 2026-06-23T17:51:43.008Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:13Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')