VYPR
Advisory · Published Jun 19, 2026 · Updated Jul 1, 2026 · 1 source

Joomla!: 25 Component Vulnerabilities, Mostly SQLi, Disclosed in Single-Day Batch


Key findings

  • 25 vulnerabilities disclosed in Joomla! components on June 19, 2026, within a single hour.
  • Majority of disclosed vulnerabilities are SQL injection flaws across numerous third-party components.
  • Includes critical vulnerabilities such as Remote Code Execution (CVE-2019-25758) and Local File Inclusion (CVE-2019-25760).
  • No specific patch information provided, requiring users to proactively seek updates for each affected component.
  • Coordinated disclosure suggests a high risk of active exploitation.
  • Users urged to audit installed extensions and update immediately to mitigate risks.

On June 19, 2026, a batch of 25 vulnerabilities was disclosed across various Joomla! components, the majority of them SQL injection flaws. The vulnerabilities were all disclosed within a single one-hour window and pose a considerable risk to Joomla! websites running unpatched versions of these extensions. The volume and nature of the flaws, primarily SQL injection, make it critical for users to update their installed components promptly.

The disclosed vulnerabilities span a range of Joomla! components, with SQL injection being the most prevalent vulnerability type. Components affected include JoomProject, JoomCRM, Easy Shop, vBizz, vWishlist, vAccount, vReview, vRestaurant, VMap, J-BusinessDirectory, J-ClassifiedsManager, J-MultipleHotelReservation, JHotelReservation, jCart for OpenCart, Extra Search, Myportfolio, Payage, JoomRecipe, SIMGenealogy, LMS King Professional, Event Registration Pro Calendar, Ultimate Property Listing, and StreetGuessr Game.

Several components are susceptible to SQL injection attacks due to improper handling of user input in parameters such as deal_id, payid, vproductid, vid, cmId, keysearch, latlngbound, type, categorySearch, adType, citySearch, hotel_id, rooms, product_id, establename, pid, aid, category, search_author, cp_id, id, sf_selectuser_id, and catid. Attackers can exploit these flaws to execute arbitrary SQL queries, potentially leading to data theft, modification, or deletion.
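As a triage aid for the parameters named above, the following added example (not part of the original advisory) scans web access log lines for component requests in which one of those parameters carries SQL syntax. The marker regex, the `option=com_` filter, the `com_example` component name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter names exactly as listed in the advisory text.
PARAMS = {
    "deal_id", "payid", "vproductid", "vid", "cmId", "keysearch",
    "latlngbound", "type", "categorySearch", "adType", "citySearch",
    "hotel_id", "rooms", "product_id", "establename", "pid", "aid",
    "category", "search_author", "cp_id", "id", "sf_selectuser_id", "catid",
}

# Heuristic markers of SQL syntax inside a parameter value (assumption: tune per site).
SQL_MARKERS = re.compile(
    r"""['"`]|--|/\*|\bunion\b.+\bselect\b|\b(?:sleep|benchmark)\s*\(|information_schema""",
    re.I,
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(line):
    """Return [(param, decoded value)] for listed parameters carrying SQL syntax."""
    m = REQUEST.search(line)
    if not m:
        return []
    pairs = parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)
    # Names such as "id" and "type" are generic, so only look at requests
    # routed to a Joomla component (option=com_...).
    if not dict(pairs).get("option", "").startswith("com_"):
        return []
    # parse_qsl already decoded once; decode again to catch double encoding.
    return [(k, v) for k, v in pairs
            if k in PARAMS and SQL_MARKERS.search(unquote_plus(v))]

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE = [
    '203.0.113.7 - - [19/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_example&deal_id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2026:10:00:05 +0000] "GET /index.php?option=com_example&deal_id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211',
    '203.0.113.9 - - [19/Jun/2026:10:00:09 +0000] "GET /index.php?option=com_example&keysearch=union+station HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        for param, value in suspicious_params(entry):
            print(f"{entry.split()[0]} {param}={value!r}")
```

Access logs normally omit POST bodies, so this covers query-string parameters only, and a legitimate search term containing a quote will also be flagged.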

Beyond SQL injection, other vulnerabilities include an information disclosure in JoomProject (CVE-2019-25762), a local file inclusion in Easy Shop (CVE-2019-25760), and a remote code execution via unrestricted file upload in vBizz (CVE-2019-25758). The remote code execution vulnerability is particularly severe, allowing attackers to upload and execute malicious PHP files on the server.

The disclosure of these 25 vulnerabilities on a single day indicates a coordinated effort by security researchers or a significant audit of Joomla! extensions. While the provided information does not specify which versions are affected beyond the component version numbers listed in the CVE titles, it is crucial for users to identify and update any instances of these vulnerable components. The lack of specific patch information in the CVE details necessitates direct checking with the respective component developers or Joomla! extension directories.

Given the widespread nature of these SQL injection vulnerabilities and the presence of critical flaws like remote code execution, Joomla! users are strongly advised to audit their installed extensions. Promptly updating to the latest available versions or replacing vulnerable components is essential to mitigate the risk of exploitation. The coordinated disclosure suggests that attackers may already be aware of these weaknesses and could be actively seeking to exploit them.

The batch of vulnerabilities includes:

Users should prioritize updating components that have known patches available. For components without immediate patches, consider disabling or removing them until a security update is released. Staying informed about security advisories from Joomla! and individual component developers is crucial for maintaining a secure website.

The coordinated disclosure of these 25 vulnerabilities on June 19, 2026, underscores the importance of diligent security practices within the Joomla! ecosystem. The prevalence of SQL injection flaws across numerous third-party components suggests a systemic issue with input validation and secure coding practices in some extensions. This batch serves as a stark reminder for website administrators to regularly audit their installed extensions and apply updates promptly to safeguard their sites against potential data breaches and system compromises. The sheer number of affected components highlights the interconnected risk within the Joomla! platform, where a vulnerability in one extension can have significant repercussions.

The related news coverage from Vypr Intelligence, while focusing on WordPress plugins, mentions a similar batch of 25 CVEs disclosed over three days, highlighting file deletion, SSRF, and XSS as dominant themes. This broader context suggests a trend of large-scale vulnerability disclosures affecting CMS ecosystems. While the specific vulnerabilities differ, the pattern of numerous components being affected simultaneously is a recurring theme in the cybersecurity landscape. This Joomla! batch, dominated by SQL injection, fits this pattern of significant, coordinated disclosure events.

The lack of specific vendor advisories or patch details for the individual CVEs means that users must proactively seek out updates for each affected component. This can be a time-consuming process, emphasizing the need for a robust vulnerability management strategy for any Joomla! website administrator. The immediate action required is to identify which of these components are in use and to ascertain the availability of security patches.
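One way to identify which of the listed components are in use is to read the extension manifests on disk. The following is an added example, not part of the original advisory; it assumes that a listed component's manifest `<name>` or its `com_*` folder name matches the product name once normalised, and the sample tree and version string are constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Component names exactly as listed in the advisory text.
AFFECTED = [
    "JoomProject", "JoomCRM", "Easy Shop", "vBizz", "vWishlist", "vAccount",
    "vReview", "vRestaurant", "VMap", "J-BusinessDirectory",
    "J-ClassifiedsManager", "J-MultipleHotelReservation", "JHotelReservation",
    "jCart for OpenCart", "Extra Search", "Myportfolio", "Payage",
    "JoomRecipe", "SIMGenealogy", "LMS King Professional",
    "Event Registration Pro Calendar", "Ultimate Property Listing",
    "StreetGuessr Game",
]

def norm(s):
    """Lower-case, drop a leading com_, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", re.sub(r"^com_", "", s.lower()))

AFFECTED_KEYS = {norm(n): n for n in AFFECTED}

def audit(joomla_root):
    """Return sorted (advisory name, folder, installed version) for matches."""
    hits = set()
    for comp in Path(joomla_root, "administrator", "components").glob("com_*"):
        for manifest in comp.glob("*.xml"):
            try:
                root = ET.parse(manifest).getroot()
            except ET.ParseError:
                continue  # unreadable XML: skip rather than abort the audit
            if root.tag not in ("extension", "install"):  # install = legacy root
                continue  # config.xml, access.xml and similar are not manifests
            version = (root.findtext("version") or "unknown").strip()
            for candidate in (root.findtext("name") or "", comp.name):
                if norm(candidate) in AFFECTED_KEYS:
                    hits.add((AFFECTED_KEYS[norm(candidate)], comp.name, version))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: one listed component and one unrelated one."""
    for folder, name in [("com_vbizz", "vBizz"), ("com_content", "com_content")]:
        d = Path(root, "administrator", "components", folder)
        d.mkdir(parents=True)
        (d / f"{folder[4:]}.xml").write_text(
            f'<extension type="component"><name>{name}</name>'
            "<version>0.0.0-sample</version></extension>")
```

Call `audit()` with the site's document root and compare each reported version against the version numbers in the CVE titles; a miss is not proof of absence, since folder and manifest names may differ from the product name.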

In conclusion, this batch of 25 vulnerabilities represents a critical security event for Joomla! users. The concentration of SQL injection flaws, coupled with other severe vulnerabilities like RCE and LFI, demands immediate attention. Website administrators are urged to review their installed extensions, apply available patches, and remain vigilant for further security updates to protect their Joomla! installations. The coordinated nature of this disclosure suggests a heightened risk of active exploitation.

Synthesized by Vypr AI