Description
A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.
Published: 2026-07-09
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in the AcyMailing extension for Joomla, affecting all releases before version 10.11.1. By sending specially crafted queries, an attacker can insert arbitrary SQL statements that are executed against the site’s database. This can result in reading, modifying, or deleting sensitive data, and is classified as CWE-89. The high CVSS score of 9.2 indicates a severe impact if the flaw is successfully exploited.

Affected Systems

All installations of the AcyMailing extension for Joomla supplied by acymailing.com running a version earlier than 10.11.1 are susceptible. No other products or vendor versions are explicitly listed as affected in the CVE data.

Risk and Exploitability

The CVSS score of 9.2 reflects a critical threat level, and while the EPSS score is not available, the absence of a CISA KEV listing does not lower the risk profile. The likely attack vector is remote, through the web interface of the affected Joomla site, where unfiltered input is accepted by the AcyMailing component. Without mitigation, an attacker could gain full read access to the database and potentially modify or delete records.

Generated by OpenCVE AI on July 9, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AcyMailing extension to version 10.11.1 or later.
  • If an upgrade cannot be performed immediately, disable the AcyMailing extension or restrict web access to the affected pages until the upgrade is applied.
  • Implement proper input validation and use parameterized database queries in the extension to prevent injection attacks.

Generated by OpenCVE AI on July 9, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.
Title Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-07-09T14:38:50.044Z

Reserved: 2026-06-20T11:57:32.752Z

Link: CVE-2026-56292

cve-icon Vulnrichment

Updated: 2026-07-09T14:38:46.492Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T22:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')