Description
Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
Published: 2026-04-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach
Action: Immediate Patch
AI Analysis

Impact

An SQL injection flaw exists in Joomla! where it builds ORDER BY clauses for the com_content articles webservice endpoint. Column names and sort direction cannot be passed as bound parameters of a prepared statement, so an ORDER BY assembled from unvalidated request values lets an attacker append arbitrary SQL to the query. The vendor's CVSS 4.0 vector (VC:H, VI:N, VA:N) scores the impact as unauthorized reading of database contents, while NVD's CVSS 3.1 vector (C:H/I:H/A:H) additionally scores integrity and availability impact, i.e. modification or deletion of data and denial of service. The weakness is CWE-89, improper neutralization of special elements used in an SQL command.
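The following Python/SQLite snippet is an added, generic illustration of this weakness class; it is not Joomla's code and not the exploit for this CVE, and the `articles` and `secrets` tables, the sample rows and the probe payload are constructed for the example. It shows why an ORDER BY built from request input is injectable, how a conditional expression placed in ORDER BY turns the row order into a blind oracle for data the endpoint never returns, and the allowlist mapping that is the standard fix, since identifiers and sort direction cannot be bound as parameters.

```python
import sqlite3

# Constructed sample data for this example; not taken from the page or from Joomla.
ARTICLES = [(1, "alpha", 1), (2, "bravo", 0), (3, "charlie", 1)]
SECRET = "s3cret"


def make_db():
    """In-memory database: an articles table plus a table the API never exposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", ARTICLES)
    conn.execute("CREATE TABLE secrets (value TEXT)")
    conn.execute("INSERT INTO secrets VALUES (?)", (SECRET,))
    return conn


def list_articles_vulnerable(conn, sort, direction):
    """Vulnerable pattern: ORDER BY takes identifiers, not bound values, so the
    request's sort/direction strings are concatenated straight into the SQL."""
    sql = f"SELECT id, title FROM articles ORDER BY {sort} {direction}"
    return conn.execute(sql).fetchall()


def leak_secret_via_order(conn, length=len(SECRET),
                          alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Blind extraction through the sort order: a CASE expression in ORDER BY makes
    the row order depend on a condition over data the endpoint never returns."""
    leaked = ""
    for position in range(1, length + 1):
        for ch in alphabet:
            probe = (
                f"CASE WHEN (SELECT substr(value, {position}, 1) FROM secrets) = '{ch}' "
                f"THEN id ELSE -id END"
            )
            rows = list_articles_vulnerable(conn, probe, "ASC")
            if rows[0][0] == 1:  # ascending by id: the guess for this position was right
                leaked += ch
                break
        else:
            return leaked  # character outside the alphabet; stop with what we have
    return leaked


# Hardened pattern: request values select from a fixed set of SQL fragments.
ALLOWED_SORT = {"id": "id", "title": "title", "published": "published"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def build_order_clause(sort, direction):
    """Return an ORDER BY built only from allowlisted fragments; reject anything else."""
    try:
        column = ALLOWED_SORT[str(sort).strip().lower()]
        order = ALLOWED_DIRECTION[str(direction).strip().lower()]
    except KeyError:
        raise ValueError(f"unsupported sort={sort!r} direction={direction!r}") from None
    return f"ORDER BY {column} {order}"


def list_articles_safe(conn, sort, direction):
    """Same query as the vulnerable version, with the clause built by the allowlist."""
    sql = "SELECT id, title FROM articles " + build_order_clause(sort, direction)
    return conn.execute(sql).fetchall()


def is_rejected(sort, direction):
    """True if the hardened builder refuses the given request values."""
    try:
        build_order_clause(sort, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(list_articles_vulnerable(db, "title", "DESC"))
    print("leaked via ORDER BY oracle:", leak_secret_via_order(db))
    print(list_articles_safe(db, "title", "desc"))
    print("payload rejected by allowlist:",
          is_rejected("CASE WHEN 1=1 THEN id ELSE -id END", "asc"))
```

The oracle needs no error message and no data in the response body beyond the ordering of rows the caller is already allowed to see, which is why ORDER BY injection is exploitable even when the endpoint returns only public fields. The allowlist maps the request value to a literal fragment rather than quoting or escaping it; escaping does not help for identifiers.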

Affected Systems

The vulnerability affects Joomla! CMS installations that expose the com_content articles webservice endpoint and have not applied the vendor's fix. No version range is recorded here (the CPE below is cpe:2.3:a:joomla:joomla\!:* with no version bounds), so every release older than the fix should be treated as potentially exposed until the vendor advisory referenced in the title, [20260302], is checked.

Risk and Exploitability

The 6.9 score shown above is the vendor's CVSS 4.0 base score (Medium); NVD later assigned a CVSS 3.1 score of 8.8 (High), recorded in the history below. Both vectors are network-reachable with low attack complexity and no user interaction, and both require an authenticated account (PR:H in the vendor's CVSS 4.0 vector, PR:L in NVD's CVSS 3.1 vector), so the realistic attack is an authenticated API user supplying crafted ordering values to the articles webservice endpoint, not anonymous traffic. The EPSS score of under 1% indicates a low current probability of exploitation, the CVE is not in CISA's KEV catalog, and the SSVC record below shows Exploitation: none and Automatable: no.

Generated by OpenCVE AI on April 9, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Joomla! CMS security update that addresses the SQL injection in the com_content articles webservice endpoint.
  • If a patch is not yet available, restrict who can reach the com_content articles webservice endpoint. Because both published CVSS vectors require an authenticated account (PR:L / PR:H), limiting the endpoint to authenticated users alone does not close the hole; limit it to trusted accounts, or disable the web services API until the fix is applied.
  • Monitor Joomla! security advisories for updates related to CVE-2026-21630.

Generated by OpenCVE AI on April 9, 2026 at 21:52 UTC.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 20:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Joomla joomla\!
CPEs                                   cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products                     Joomla joomla\!
Metrics                                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Joomla; Joomla joomla!
Vendors & Products                     Joomla; Joomla joomla!

Wed, 01 Apr 2026 23:45:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 09:45:00 +0000

Type                 Values Removed    Values Added
Description                            Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.
Title                                  Joomla! Core - [20260302] - SQL injection in com_content articles webservice endpoint
Weaknesses                             CWE-89
References
Metrics                                cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-04-01T19:33:26.760Z

Reserved: 2026-01-01T04:42:27.960Z

Link: CVE-2026-21630

Vulnrichment

Updated: 2026-04-01T12:40:27.261Z

NVD

Status : Analyzed

Published: 2026-04-01T10:16:15.943

Modified: 2026-04-09T19:59:31.593

Link: CVE-2026-21630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:46Z

Weaknesses