Description
Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Attackers can send GET requests to the event_add.php page with malicious myevents_id values to extract or modify sensitive database information.
Published: 2026-05-17
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Redaxo CMS Addon MyEvents 2.2.1 contains a SQL injection flaw that lets attackers craft GET requests to the event_add.php page with malicious myevents_id values. By sending injected SQL code, an attacker can retrieve, modify or delete sensitive records from the database, potentially leaking confidential data or corrupting information.

Affected Systems

The vulnerable addon, released by wende60 for the Redaxo CMS platform, is affected in version 2.2.1. Any installation of Redaxo CMS that has MyEvents 2.2.1 deployed is at risk; the CWE classification for this weakness is CWE-89.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity impact, and the absence of an EPSS measurement or KEV listing means exploitation likelihood is not quantified at present. The flaw requires that the attacker already has authenticated access to the CMS, which limits the attack surface but still permits serious data compromise if credentials are obtained or already present.

Generated by OpenCVE AI on May 17, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyEvents to a version where the SQL injection issue is fixed or remove the addon entirely if upgrades are unavailable.
  • Ensure that access to event_add.php is tightly controlled by authentication and role‑based access control so that only trusted users can invoke the endpoint.
  • Add server‑side input validation for the myevents_id parameter, using prepared statements or parameterized queries to eliminate the injection vector.

Generated by OpenCVE AI on May 17, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Wende60
Wende60 redaxo Cms Addon Myevents
Vendors & Products Wende60
Wende60 redaxo Cms Addon Myevents

Sun, 17 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Attackers can send GET requests to the event_add.php page with malicious myevents_id values to extract or modify sensitive database information.
Title Redaxo CMS Addon MyEvents 2.2.1 SQL Injection via event_add.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wende60 Redaxo Cms Addon Myevents
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-17T12:11:26.501Z

Reserved: 2026-05-17T11:33:25.084Z

Link: CVE-2018-25319

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T13:16:43.123

Modified: 2026-05-17T13:16:43.123

Link: CVE-2018-25319

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:00:18Z

Weaknesses