Description
Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the type parameter. Attackers can send GET requests to index.php with the option=com_jbusinessdirectory&task=categories.getCategories parameters and inject UNION-based SQL statements in the type parameter to extract database information including schema names and sensitive data.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw that permits unauthenticated attackers to send specially crafted GET requests to the Joomla! component J‑BusinessDirectory. By manipulating the `type` parameter in the request to `index.php?option=com_jbusinessdirectory&task=categories.getCategories` and inserting UNION‑based statements, an attacker can cause the backend database to return arbitrary query results. The flaw exposes database schemas and potentially sensitive stored data, thereby compromising the confidentiality of the site’s data.

Affected Systems

Affected systems are Joomla! installations that use the Cmsjunkie J‑BusinessDirectory component version 4.9.7. The vulnerability is specific to that component and is triggered through the public-facing URL for category retrieval.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread active exploitation has been reported as of the data available. Nevertheless, because authentication is not required and the exploit can be performed with a simple HTTP GET request, the attack vector is open and the probability of exploitation remains non‑negligible. An attacker with network access to the site could extract database contents, leading to serious data disclosure.

Generated by OpenCVE AI on June 19, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the J‑BusinessDirectory component to the latest released version that contains the patch for this vulnerability.
  • Sanitize and validate the `type` parameter on the server side, ensuring it only accepts known safe values or is properly escaped to prevent injection.
  • Configure a web application firewall or server‑level rules to detect and block UNION‑based or other SQL injection payloads targeting the component’s endpoints.

Generated by OpenCVE AI on June 19, 2026 at 20:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Cmsjunkie
Cmsjunkie j-businessdirectory
Vendors & Products Cmsjunkie
Cmsjunkie j-businessdirectory

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the type parameter. Attackers can send GET requests to index.php with the option=com_jbusinessdirectory&task=categories.getCategories parameters and inject UNION-based SQL statements in the type parameter to extract database information including schema names and sensitive data.
Title Joomla! Component J-BusinessDirectory 4.9.7 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Cmsjunkie J-businessdirectory
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:47:13.607Z

Reserved: 2026-06-19T14:28:36.316Z

Link: CVE-2019-25752

cve-icon Vulnrichment

Updated: 2026-06-22T17:47:10.337Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')