Description
Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL payloads in the rooms parameter to extract sensitive database information including version details.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw that allows attackers to inject malicious SQL code into the rooms parameter of the search-hotels endpoint. Because the input is not properly sanitized before being included in an SQL query, an unauthenticated attacker can send a crafted POST request to execute arbitrary SQL statements. The result is the extraction of sensitive database information, such as database version details, which constitutes a breach of confidentiality and gives the attacker a foothold for further database-level attacks.

Affected Systems

The target is the Joomla JHotelReservation extension, version 6.0.7, distributed by Cmsjunkie and deployed as a booking and reservation component within Joomla sites.

Risk and Exploitability

The CVSS score of 8.8 classifies the vulnerability as high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so no public exploitation is known at this time. Attacks can be launched remotely by issuing unauthenticated HTTP POST requests to the search-hotels endpoint, meaning the flaw is exploitable by anyone who can reach the website. Successful exploitation would enable unauthorized execution of SQL code and data theft with no privileges or user interaction required; the CVSS vector records unchanged scope, but the compromised data could serve as a stepping stone for more advanced attacks.

Generated by OpenCVE AI on June 19, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JHotelReservation to a patched release from the vendor as soon as possible.
  • Regularly check the vendor's website or the Joomla extensions directory for updates and apply them promptly.
  • Restrict the search-hotels endpoint so that only authenticated users or trusted IP addresses can submit POST requests, thereby blocking unauthenticated traffic.
  • Implement web-application firewall rules that detect and block typical SQL injection payloads targeting the rooms parameter.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Change record (values added; no values removed):

Description: Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Attackers can send POST requests to the search-hotels endpoint with crafted SQL payloads in the rooms parameter to extract sensitive database information including version details.
Title: Joomla JHotelReservation 6.0.7 SQL Injection via search-hotels
Weaknesses: CWE-89
References: (none)
Metrics:
  cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:01:39.835Z

Reserved: 2026-06-19T14:23:56.855Z

Link: CVE-2019-25748

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')