CVE-2026-35221
Description
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! CMS com_finder component has a blind SQL injection via improperly built filter clauses, affecting versions 5.4.0-5.4.5 and 6.0.0-6.1.0.
Vulnerability
A SQL injection vulnerability exists in the com_finder search component of Joomla! CMS, due to improperly constructed filter clauses [1]. Affected versions are Joomla! CMS 5.4.0 through 5.4.5 and 6.0.0 through 6.1.0 [1]. An attacker can inject malicious SQL code through the search filter mechanism.
Exploitation
To exploit this vulnerability, an attacker must be an authenticated user [1]. The attacker sends a crafted search request to the com_finder component with specially designed filter parameters that bypass input sanitization, allowing injection of arbitrary SQL commands into the query [1]. The exploitation is blind SQL injection, meaning the attacker does not receive direct error output from the database but can infer results based on the application's response timing or behavior [1].
Impact
Successful exploitation allows an authenticated attacker to extract sensitive information from the Joomla! database, such as user credentials or other confidential data [1]. The attack can compromise data confidentiality; the impact is considered high by the vendor [1].
Mitigation
The vulnerability is fixed in Joomla! CMS versions 5.4.6 and 6.1.1 released on May 26, 2026 [1]. Users should upgrade to the latest patched versions immediately. No other workarounds were disclosed [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.