Description
Joomla! Component vAccount 2.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vid parameter. Attackers can send GET requests to the vaccount-dashboard/expense endpoint with crafted SQL payloads in the vid parameter to extract sensitive database information including version and database names.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vAccount component 2.0.2 for Joomla! contains an SQL injection flaw triggered through the "vid" query parameter of the vaccount-dashboard/expense endpoint. Because the component does not require authentication, an attacker can craft a GET request carrying SQL in that parameter and the database server executes it. This allows the attacker to retrieve sensitive information such as the database name and other data stored in the same database. The vulnerability is an instance of SQL Injection (CWE-89).

Affected Systems

The affected product is the vAccount component developed by Wdmtech, specifically the 2.0.2 release. Any Joomla! installation that has not upgraded beyond that version is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. No EPSS score is available, so the probability of exploitation cannot be quantified. The flaw is exploitable remotely via an unauthenticated HTTP GET request, so anyone who can reach the exposed endpoint can trigger it. The vulnerability is not listed in CISA KEV, but its remote, unauthenticated nature and its potential for data exfiltration pose a serious risk.

Generated by OpenCVE AI on June 19, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vAccount component to the latest patched release.
  • If an upgrade is not immediately possible, restrict access to the /vaccount-dashboard/expense endpoint by requiring user authentication or applying an IP-based allowlist.
  • Modify the component or the Joomla! configuration to validate the vid query parameter, accepting only numeric values and rejecting any input that contains SQL control characters.
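The following is an added example of the third action, not code from the vAccount component: a Joomla 4 lookup that reads vid as an integer, rejects non-positive values, and binds the value as a typed query parameter. The table name #__vaccount_expense, its column names, and the unsafe function shown for contrast are assumptions made for illustration.

```php
<?php
// Added example (not vAccount's real code). Assumes Joomla 4 APIs and a
// hypothetical table '#__vaccount_expense' with columns id, amount, created.
use Joomla\CMS\Factory;
use Joomla\Database\DatabaseInterface;
use Joomla\Database\ParameterType;

// Illustrative CWE-89 pattern: the raw query-string value is concatenated into
// the SQL text, so any non-numeric input is interpreted by the database.
function loadExpenseUnsafe(): array
{
    $db  = Factory::getContainer()->get(DatabaseInterface::class);
    $vid = Factory::getApplication()->getInput()->get('vid', '', 'raw');
    $db->setQuery('SELECT * FROM #__vaccount_expense WHERE id = ' . $vid);
    return $db->loadAssocList();
}

// Hardened form: getInt() casts the parameter to an integer (non-numeric input
// becomes 0), the value is range-checked, and the query binds it as an INTEGER
// parameter so it can never be parsed as SQL.
function loadExpenseSafe(): array
{
    $db  = Factory::getContainer()->get(DatabaseInterface::class);
    $vid = Factory::getApplication()->getInput()->getInt('vid', 0);

    if ($vid <= 0) {
        // Reject outright instead of falling back to a broad query.
        throw new \InvalidArgumentException('vid must be a positive integer');
    }

    $query = $db->getQuery(true)
        ->select($db->quoteName(['id', 'amount', 'created']))
        ->from($db->quoteName('#__vaccount_expense'))
        ->where($db->quoteName('id') . ' = :vid')
        ->bind(':vid', $vid, ParameterType::INTEGER);

    return $db->setQuery($query)->loadAssocList();
}
```

Until a patched release is installed, the same integer check can be applied in a front-controller plugin or web application firewall rule on the vid parameter of that endpoint.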

Tracking

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Joomla! Component vAccount 2.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vid parameter. Attackers can send GET requests to the vaccount-dashboard/expense endpoint with crafted SQL payloads in the vid parameter to extract sensitive database information including version and database names.
Title       |                | Joomla! Component vAccount 2.0.2 SQL Injection via vaccount-dashboard
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
            |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T17:28:34.661Z

Reserved: 2026-06-19T14:30:25.863Z

Link: CVE-2019-25756

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:00:04Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')