Description
Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guest_adult parameter to extract sensitive database information or manipulate database records.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection through the unvalidated guest_adult parameter of the cruises endpoint, which allows authenticated attackers to inject and execute arbitrary SQL queries. This can enable them to read sensitive database contents or alter data, compromising the confidentiality and integrity of the catalog and booking data. The weakness is classified as CWE-89.

Affected Systems

The affected product is Cmsjunkie CruisePortal version 6.0.4, used on Joomla installations that provide a cruise reservation interface.

Risk and Exploitability

The CVSS score of 7.1 places the vulnerability in the High severity band. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that while the risk is significant, current exploit activity is not documented. Attackers must first authenticate to the system and then send crafted POST requests to the cruises endpoint to exploit the flaw.

Generated by OpenCVE AI on June 19, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a CruisePortal release that addresses the SQL injection in the cruises module, or apply the vendor's patch, once one is available.
  • Restrict authenticated access to the cruises endpoint and enforce least-privilege authentication policies.
  • Validate all input to the guest_adult parameter so that it accepts only expected numeric or string values, and build the SQL queries that use it with parameterized statements or proper escaping.


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guest_adult parameter to extract sensitive database information or manipulate database records.
Title | | Joomla J-CruisePortal 6.0.4 SQL Injection via cruises
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:05:01.621Z

Reserved: 2026-06-19T14:25:36.463Z

Link: CVE-2019-25749

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T19:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')