Description
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improperly constructed filter clauses in the com_finder search component allow an authenticated user to inject SQL statements. The resulting blind SQL injection (CWE-89) can be used to extract sensitive data from the database, leading to a breach of confidentiality. Because the attack is blind, the attacker must infer information from side‑channel responses such as response times or error messages. The vulnerability does not directly allow arbitrary code execution, but it does expose potentially critical data.

Affected Systems

All Joomla! CMS installations that include the com_finder component are potentially affected. Specific affected versions are not listed in the advisory, so any site running the component with pre‑patch code is at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. No EPSS score is published, but the need for valid user credentials (authenticated) suggests moderate to low exploit probability. The vulnerability is not listed in CISA’s KEV catalog. An attacker could exploit it by logging into the CMS with any user that has search access, sending injected queries through the search interface, and inferring data from timing or error responses.

Generated by OpenCVE AI on May 26, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Joomla! CMS to the latest release that contains the fix for com_finder SQL injection.
  • If the finder component is not required, disable or uninstall it, or configure ACL to restrict search access to a minimal set of users.
  • Enforce strong, unique passwords for all CMS accounts and limit the number of administrators to reduce the potential attack surface.


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Joomla joomla\!
CPEs | | cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Vendors & Products | | Joomla joomla\!
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Joomla; Joomla joomla!
Vendors & Products | | Joomla; Joomla joomla!

Tue, 26 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
Title | | Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder
Weaknesses | | CWE-89
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-05-27T09:15:29.303Z

Reserved: 2026-04-01T19:23:13.196Z

Link: CVE-2026-35221

Vulnrichment

Updated: 2026-05-26T18:08:58.176Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:35.823

Modified: 2026-05-27T13:05:29.147

Link: CVE-2026-35221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:09:11Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')