CVE-2026-49048 | The Joomla extension JoomCCK exposes a front-end controller …

Description

The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.

Metadata

CVE ID: CVE-2026-49048
State: PUBLISHED
Assigner: Joomla
Reserved: 2026-05-27 09:16 UTC
Published: 2026-06-28 18:37 UTC
Last updated: 2026-06-28 18:37 UTC
Primary CWE: CWE-89
CWE-89 Improper Neutralization of Special Elements used in a…
Vendor / Product: joomcoder.com / JoomCCK extension for Joomla
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
joomcoder.com	JoomCCK extension for Joomla	—	1.0-6.4.0

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References (1)

https://www.joomcoder.com/