Description
Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL injection payloads in the username field to extract database information including user credentials and system details.
Published: 2026-05-23
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla! Component EkRishta 2.10 contains an error‑based SQL injection flaw that permits an attacker to inject malicious code into the username parameter of the login POST endpoint. The vulnerability allows an unauthenticated user to execute arbitrary SQL statements, which can be used to read database contents, including user credentials and system configuration. The weakness is a classic input validation issue identified as CWE‑89, with potential impacts on confidentiality and integrity of the site data.

Affected Systems

All installations of the EkRishta extension version 2.10 for Joomla, distributed by Harmistechnology, are affected. No other versions or related components are listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed widespread exploitation yet. The likely attack vector is unauthenticated via the public login endpoint; an attacker can send a crafted POST request with a SQL payload in the username field to extract database information. Exploitation requires no special privileges beyond access to the login page, making it relatively straightforward for remote attackers.

Generated by OpenCVE AI on May 23, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s approved patch or upgrade EkRishta to the latest version once it is released.
  • Restrict access to the login endpoint by applying web‑application firewall rules that block suspicious POST requests, or by limiting the IP range that may reach the endpoint.
  • Implement server‑side input validation and use parameterized queries for all input fields, especially username, to eliminate the possibility of SQL injection.
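As an added illustration of the last recommendation (not code from the EkRishta extension or from OpenCVE), the login lookup written the way the advisory describes, alongside the same lookup with the username passed as a bound parameter through Joomla's database query API. The table name `#__ekrishta_members` and the variable names are assumptions.

```php
<?php
// Added illustration for a Joomla 4 component; table and variable names are assumptions.
use Joomla\CMS\Factory;
use Joomla\Database\DatabaseInterface;
use Joomla\Database\ParameterType;

$app      = Factory::getApplication();
$db       = Factory::getContainer()->get(DatabaseInterface::class);
$username = (string) $app->input->post->get('username', '', 'string');

// VULNERABLE PATTERN: the POST value is concatenated into the SQL text.
// A quote character in the username ends the string literal, and when the
// resulting database error is echoed back to the client you get exactly the
// error-based condition the advisory describes.
$sqlUnsafe = "SELECT id, username FROM #__ekrishta_members "
           . "WHERE username = '" . $username . "'";
// $db->setQuery($sqlUnsafe)->loadObject();   // left unexecuted on purpose

// FIXED PATTERN: the value travels as a bound parameter, never as SQL text,
// so the database parses the statement before it ever sees the input.
$query = $db->getQuery(true)
    ->select($db->quoteName(['id', 'username']))
    ->from($db->quoteName('#__ekrishta_members'))
    ->where($db->quoteName('username') . ' = :username')
    ->bind(':username', $username, ParameterType::STRING);

$db->setQuery($query);
$member = $db->loadObject();   // null when no such user; input never shapes the query

// Joomla 3 equivalent, which has no bind(): escape and quote the value instead.
// ->where($db->quoteName('username') . ' = ' . $db->quote($username))
```

Pair the query fix with Joomla's error reporting left at its production setting, so a database error that does slip through is logged rather than returned in the response.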

Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type                | Values Removed | Values Added
Description         | (none)         | Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL injection payloads in the username field to extract database information including user credentials and system details.
Title               | (none)         | Joomla! Component EkRishta 2.10 SQL Injection via username
First Time appeared | (none)         | Harmistechnology; Harmistechnology ek Rishta
Weaknesses          | (none)         | CWE-89
CPEs                | (none)         | cpe:2.3:a:harmistechnology:ek_rishta:2.10:*:*:*:*:joomla\!:*:*
Vendors & Products  | (none)         | Harmistechnology; Harmistechnology ek Rishta
References          | (none)         | (none)
Metrics             | (none)         | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                    |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:51.894Z

Reserved: 2026-05-23T15:35:35.751Z

Link: CVE-2018-25351

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses