Description
Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guest_adult parameter to extract sensitive database information or manipulate database records.
Published: 2026-06-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unvalidated SQL injection in the guest_adult parameter of the cruises endpoint, allowing attackers who are authenticated to inject and execute arbitrary SQL queries. This can enable them to read sensitive database contents or alter data, compromising confidentiality and integrity of the catalog and booking data. The weakness is classified as CWE-89.

Affected Systems

The affected product is Cmsjunkie CruisePortal version 6.0.4, used on Joomla installations that provide a cruise reservation interface.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium-to-high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that while the risk is significant, current exploit activity is not documented. Attackers must first authenticate to the system and then send forged POST requests to the cruises endpoint to exploit the flaw.

Generated by OpenCVE AI on June 19, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade CruisePortal to a fixed version.
  • If an official patch is not yet released, modify the database code to use parameterized queries for the guest_adult parameter, ensuring input is properly sanitized.
  • Restrict POST access to the cruises endpoint by requiring authenticated sessions and limiting source IPs to trusted administrators to reduce exposure.

Generated by OpenCVE AI on June 19, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Cmsjunkie
Cmsjunkie cruiseportal
Vendors & Products Cmsjunkie
Cmsjunkie cruiseportal

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guest_adult parameter to extract sensitive database information or manipulate database records.
Title Joomla J-CruisePortal 6.0.4 SQL Injection via cruises
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Cmsjunkie Cruiseportal
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:53:29.324Z

Reserved: 2026-06-19T14:25:36.463Z

Link: CVE-2019-25749

cve-icon Vulnrichment

Updated: 2026-06-22T17:53:25.936Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:34:59Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')