CVE-2025-49467

Summary

A SQL injection vulnerability in JEvents component before 3.6.88 and 3.6.82.1 for Joomla was discovered. The extension is vulnerable to SQL injection via publicly accessible actions to list events by date ranges.

Affected Software

VendorProductVersion RangeStatus
jevents.net / GWE Systems LtdJEvents component for Joomla1.0.0-3.6.82affected
jevents.net / GWE Systems LtdJEvents component for Joomla3.6.82.1unaffected
jevents.net / GWE Systems LtdJEvents component for Joomla3.6.83-3.6.87affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References