Description
Joomla! Component Extra Search 2.2.8 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the establename parameter. Attackers can send GET requests to index.php with the option=com_extrasearch parameter and malicious SQL in the establename field to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Extra Search component for Joomla, specifically in version 2.2. through the establename parameter of an HTTP GET request. By exploiting this input flaw, the attacker is able to manipulate database queries to retrieve sensitive information. The weakness is a classic input validation error, classed as CWE-89, which directly compromises data confidentiality.

Affected Systems

The affected software is the Extra Search component distributed by Joomlaboat. Only version 2.2.8 is reported to be vulnerable, and no other compilation or distribution versions are indicated.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity of the vulnerability. Exploit probability data is not available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is remote, requiring only a crafted HTTP GET request; the attacker does not need authentication or elevated privileges. This enables straightforward exploitation by anyone able to send requests to the target Joomla site, potentially exposing confidential database content.

Generated by OpenCVE AI on June 19, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Extra Search component to the latest patched version provided by Joomlaboat.
  • If an immediate upgrade is not possible, remove or disable the component until a patch can be applied.
  • Employ a web application firewall or request filtering rules to block or sanitize attempts to inject SQL via the establename parameter.

Generated by OpenCVE AI on June 19, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomlaboat
Joomlaboat extra Search
Vendors & Products Joomlaboat
Joomlaboat extra Search

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component Extra Search 2.2.8 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the establename parameter. Attackers can send GET requests to index.php with the option=com_extrasearch parameter and malicious SQL in the establename field to extract sensitive database information.
Title Joomla! Component Extra Search 2.2.8 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Joomlaboat Extra Search
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T16:58:22.418Z

Reserved: 2026-06-19T15:10:59.951Z

Link: CVE-2017-20281

cve-icon Vulnrichment

Updated: 2026-06-22T16:58:18.490Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:08Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')