VYPR
Medium severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-35222

Description

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated blind SQL injection in Joomla's com_tags component due to improperly validated order clauses.

Vulnerability

CVE-2026-35222 is a blind SQL injection vulnerability in the com_tags component of Joomla! CMS. The bug stems from improperly validated order clauses, allowing an attacker to inject malicious SQL. Affected versions are Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 [1].

Exploitation

An attacker must be authenticated to the Joomla! site and have the ability to manipulate order clause parameters in requests to the com_tags component. The vulnerability is blind (the results are not directly returned), requiring out-of-band or timing-based techniques to extract information [1]. The exact sequence of steps involves crafting a malicious order parameter that incorporates SQL injection payloads, which the application then directly concatenates into a database query without sanitization.
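The bug class the Exploitation paragraph describes, a request-controlled sort parameter spliced into an ORDER BY clause, and the standard defence against it, shown as an added example; this is not Joomla's code and is not taken from the advisory. The table and columns (tags, title, created_time, hits), the helper names, and the sample rows are all constructed for illustration. The caveat worth knowing is that bound parameters cannot stand in for identifiers or keywords, so ORDER BY is a place where developers who otherwise use prepared statements fall back to concatenation; the hardened builder instead maps the request value onto a fixed allowlist of column expressions and directions, so the raw text never reaches the SQL.

```python
from __future__ import annotations

import sqlite3

# Allowlist mapping the public sort parameter onto the real column expression.
# Constructed for this example; Joomla's actual schema is not reproduced here.
ALLOWED_ORDER_COLUMNS = {
    "title": "t.title",
    "created": "t.created_time",
    "hits": "t.hits",
}
ALLOWED_DIRECTIONS = ("ASC", "DESC")


def build_query_unsafe(order_col: str, order_dir: str) -> str:
    """The vulnerable shape: request text is spliced straight into ORDER BY.

    Placeholders only work for values, not identifiers or keywords, so code
    that is otherwise parameterised often concatenates here. Shown only for
    contrast with build_query_safe below.
    """
    return f"SELECT t.id, t.title FROM tags t ORDER BY {order_col} {order_dir}"


def validate_order(order_col: str, order_dir: str) -> tuple[str, str]:
    """Map request parameters onto allowlisted SQL fragments or raise.

    The returned strings come from the allowlist tables, never from the
    request, so the caller can interpolate them without further escaping.
    """
    column = ALLOWED_ORDER_COLUMNS.get(order_col)
    if column is None:
        raise ValueError(f"unsupported sort column: {order_col!r}")
    direction = order_dir.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {order_dir!r}")
    return column, direction


def is_valid_order(order_col: str, order_dir: str) -> bool:
    """Boolean view of validate_order, useful for request logging and tests."""
    try:
        validate_order(order_col, order_dir)
    except ValueError:
        return False
    return True


def build_query_safe(order_col: str, order_dir: str) -> str:
    """Hardened builder: only allowlisted fragments reach the SQL text."""
    column, direction = validate_order(order_col, order_dir)
    return f"SELECT t.id, t.title FROM tags t ORDER BY {column} {direction}"


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tags (id INTEGER PRIMARY KEY, title TEXT, "
        "created_time TEXT, hits INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tags (title, created_time, hits) VALUES (?, ?, ?)",
        [("alpha", "2026-01-01", 5), ("beta", "2026-02-01", 10), ("gamma", "2026-03-01", 1)],
    )
    return conn


def list_tag_titles(conn: sqlite3.Connection, order_col: str, order_dir: str) -> list[str]:
    """Run the hardened query and return tag titles in the requested order."""
    return [row[1] for row in conn.execute(build_query_safe(order_col, order_dir))]


if __name__ == "__main__":
    db = make_demo_db()
    print(list_tag_titles(db, "hits", "desc"))
    print(is_valid_order("title; --", "ASC"))
```

The rejection path is also a detection opportunity: a sort parameter that fails the allowlist is a request that no legitimate UI produces, so logging the ValueError with the authenticated user and the raw value gives a cheap signal for the kind of probing described above.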

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary SQL queries against the underlying database. This can lead to disclosure of sensitive data (such as user credentials, session tokens, or configuration secrets) and potentially further compromise of the Joomla! site [1].

Mitigation

Joomla! released fixed versions 5.4.6 and 6.1.1 on 2026-05-26. Users should upgrade immediately. No workarounds are provided. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0