Description
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.
Published: 2026-05-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an SQL injection flaw (CWE-89) in the search.php file of Joomla com_hdwplayer 4.2, triggered by the hdwplayersearch POST parameter. An attacker can supply SQL syntax in that parameter that is executed against the database, allowing extraction of sensitive data from the hdwplayer_videos table. The description documents data extraction only; both CVSS vectors rate integrity impact as low and availability impact as none, and no capability to modify or delete data is described.

Affected Systems

The affected component is Hdwplayer's com_hdwplayer 4.2 within a Joomla installation. Only this specific release is listed as vulnerable; no other versions are noted.

Risk and Exploitability

The CVSS 4.0 score of 8.8 (CVSS 3.1: 8.2) places the flaw in the high severity range; both vectors describe a network-reachable flaw that needs no privileges or user interaction and has high confidentiality impact. The EPSS score shown is below 1%, so the predicted probability of exploitation in the wild is low, although the SSVC entry in the history below records a public proof of concept and rates the flaw as automatable. The vulnerability is not listed in CISA's KEV catalog. Because the flaw is triggered by unauthenticated POST requests to search.php, the vulnerable endpoint is reachable by anyone who can reach the site. An attacker can construct a payload manually or use automated SQL injection tools to extract database contents.

Generated by OpenCVE AI on May 13, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any official patch or update released by the vendor that removes the vulnerable code; if no update exists, consider uninstalling the component until a fix is available.
  • Restrict access to the search.php endpoint by limiting allowed IP ranges or implementing web‑application firewall rules to block suspicious POST traffic.
  • Implement proper input validation for the hdwplayersearch parameter, ensuring only expected characters are allowed and that database queries use parameterized statements or appropriate escaping before execution.
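As an added illustration of the third action (this is not the component's own code, which the page does not reproduce), the following PHP contrasts the string-concatenation pattern behind CWE-89 with a hardened search handler written against Joomla's database layer. It assumes a Joomla 3.x runtime (JFactory, JDatabaseDriver, JInput) and an assumed column set (id, title, description) on the hdwplayer_videos table; the component's real schema and handler layout are not shown on this page.

```php
<?php
// Added illustrative example, not code from com_hdwplayer. Assumes Joomla 3.x
// and an assumed table #__hdwplayer_videos with assumed columns id, title,
// description (the "#__" prefix is Joomla's table-prefix placeholder).

defined('_JEXEC') or die;

/**
 * The vulnerable pattern: the POST value is concatenated straight into the
 * SQL text. A value containing a single quote closes the string literal and
 * everything after it is parsed as SQL, which is exactly CWE-89.
 */
function hdwplayerSearchVulnerable()
{
    $db     = JFactory::getDbo();
    $search = JFactory::getApplication()->input->post->get('hdwplayersearch', '', 'raw');

    $sql = "SELECT id, title, description FROM #__hdwplayer_videos"
         . " WHERE title LIKE '%" . $search . "%'";

    $db->setQuery($sql);
    return $db->loadObjectList();
}

/**
 * Hardened form: the value is read through a string filter, capped in
 * length, LIKE wildcards are escaped, and the driver quotes the result so it
 * can only ever be a string literal. Identifiers go through quoteName() and
 * the query is built with the query builder rather than by hand.
 */
function hdwplayerSearchSafe()
{
    $db     = JFactory::getDbo();
    $search = JFactory::getApplication()->input->post->getString('hdwplayersearch', '');

    // Assumed policy: refuse oversized terms before they reach the database.
    if (strlen($search) > 100) {
        throw new InvalidArgumentException('hdwplayersearch: term too long');
    }

    // escape(..., true) also escapes % and _ so the user cannot widen the match;
    // quote(..., false) wraps the already-escaped text in quotes without
    // escaping it a second time.
    $pattern = $db->quote('%' . $db->escape($search, true) . '%', false);

    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'title', 'description')))
        ->from($db->quoteName('#__hdwplayer_videos'))
        ->where($db->quoteName('title') . ' LIKE ' . $pattern);

    // Bound result size: 50 rows, offset 0.
    $db->setQuery($query, 0, 50);
    return $db->loadObjectList();
}
```

The hardened function relies on driver-side quoting because Joomla 3.x's database layer has no bound parameters; on Joomla 4, the same query can instead bind the pattern with `$query->bind(':pattern', $pattern)` and use `:pattern` in the WHERE clause, which removes the quoting step entirely.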

Generated by OpenCVE AI on May 13, 2026 at 17:08 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

  Metrics (added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

  Description (added): Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.
  Title (added): Joomla com_hdwplayer 4.2 SQL Injection via search.php
  First Time appeared (added): Hdwplayer; Hdwplayer hdw Player
  Weaknesses (added): CWE-89
  CPEs (added): cpe:2.3:a:hdwplayer:hdw_player:4.2:*:*:*:*:*:*:*
  Vendors & Products (added): Hdwplayer; Hdwplayer hdw Player
  References (added): none listed
  Metrics (added): cvssV3_1
    {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  cvssV4_0
    {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T18:28:34.445Z

Reserved: 2026-05-13T13:46:40.245Z

Link: CVE-2020-37218

Vulnrichment

Updated: 2026-05-14T18:28:29.061Z

NVD

Status: Deferred

Published: 2026-05-13T16:16:33.153

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses