Joomla! Component VMap 1.9.6 SQL Injection via loadmarker
Description
Joomla! Component VMap 1.9.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the latlngbound parameter. Attackers can send GET requests to index.php with the option=com_vmap&task=loadmarker parameters containing SQL injection payloads to manipulate database queries and extract sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Vulnerability mechanics
Root cause
"The latlngbound parameter is not sanitized before being used in a SQL query, allowing unauthenticated SQL injection."
Attack vector
An unauthenticated attacker sends a crafted GET request to `index.php` with `option=com_vmap&task=loadmarker` and injects SQL payloads into the `latlngbound` parameter. The exploit-db write-up shows the payload `-40.716362432588596,40.71920853699145,-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d` (URL-decoded: ` Order by 12-- -`) appended to the parameter value, which triggers a database error revealing an XPATH syntax error [ref_id=1]. No authentication is required, and the attack is performed over HTTP against the Joomla! VMap component version 1.9.6.
What the fix does
The advisory does not include a patch or vendor fix. The exploit-db entry [ref_id=1] only documents the vulnerability and proof-of-concept; no remediation guidance is provided. Users of Joomla! VMap 1.9.6 should disable or remove the component until a patched version is released.
Preconditions
- config: The Joomla! VMap component version 1.9.6 must be installed and enabled.
- auth: No authentication is required; the attacker can be unauthenticated.
- network: The attacker must be able to send HTTP GET requests to the Joomla! instance.
- input: The attacker injects SQL payloads into the latlngbound parameter.
Reproduction
Send a GET request to `http://localhost/[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=-40.716362432588596,40.71920853699145,-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d&mapid=1`. The server responds with an HTTP 500 error and an XPATH syntax error message, confirming SQL injection [ref_id=1].
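As an added defensive example (not code from the advisory or the VMap project), the following Python checks that a `latlngbound` value is a plain four-number bounding box and flags `loadmarker` requests in constructed web-server access-log lines whose value fails that check. The combined log format, the client addresses and the assumption that a legitimate bound is exactly four signed decimal numbers within latitude/longitude range are assumptions; the flagged request line reuses the advisory's own reproduction URL.

```python
"""Flag VMap loadmarker requests whose latlngbound is not a clean bounding box."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate latlngbound is four signed decimal numbers
# (two latitudes, two longitudes), nothing else.
_NUMBER = re.compile(r"^-?\d+(?:\.\d+)?$")

# Apache/nginx combined-format access line: client, request line, status.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign loadmarker call, one unrelated request,
# and the advisory's reproduction request (HTTP 500, XPATH error in the body).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2026:10:00:00 +0000] "GET /index.php?option=com_vmap'
    '&task=loadmarker&latlngbound=40.70,40.75,-74.02,-73.95&mapid=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 4096',
    '203.0.113.5 - - [20/Jun/2026:10:00:02 +0000] "GET /index.php?option=com_vmap'
    '&task=loadmarker&latlngbound=-40.716362432588596,40.71920853699145,'
    '-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d'
    '&mapid=1 HTTP/1.1" 500 1337',
]


def parse_latlngbound(value):
    """Return (lat1, lat2, lng1, lng2) as floats, or None if the value is malformed."""
    parts = value.split(",")
    if len(parts) != 4 or not all(_NUMBER.match(p) for p in parts):
        return None
    lat1, lat2, lng1, lng2 = (float(p) for p in parts)
    if not (-90 <= lat1 <= 90 and -90 <= lat2 <= 90
            and -180 <= lng1 <= 180 and -180 <= lng2 <= 180):
        return None
    return (lat1, lat2, lng1, lng2)


def find_suspicious_loadmarker(lines):
    """Return (ip, status, decoded latlngbound) for loadmarker hits with a bad bound."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
        if qs.get("option") != ["com_vmap"] or qs.get("task") != ["loadmarker"]:
            continue
        for raw in qs.get("latlngbound", []):  # parse_qs already URL-decodes
            if parse_latlngbound(raw) is None:
                hits.append((m.group("ip"), int(m.group("status")), raw))
    return hits
```

The same `parse_latlngbound` check, applied server-side before the value reaches the query, is the shape of input validation the component is missing.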
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46229 (source: MITRE; exploit)
- www.vulncheck.com/advisories/joomla-component-vmap-sql-injection-via-loadmarker (source: MITRE; third-party advisory)
- wdmtech.com (source: MITRE; product)
- extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/ (source: MITRE; product)