What the vulnerability does
01Description
Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data.
Explanation of Vulnerability in Simple Terms
02Summary
eXtroForms versions 2.1.5 and later contain a SQL injection vulnerability in form processing. An authenticated attacker can inject malicious SQL commands through form input fields, potentially reading or modifying database contents. The vulnerability requires a valid user account to exploit.
What an attacker can do
03Attacker Capabilities
Read or modify database contents by injecting SQL commands through form fields.
Potential impact on your site
04Site Impact
Database contents could be exposed or altered by authenticated users with form access.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account with form submission privileges.
Key dates
06Disclosure timeline
May 25, 2026
CVE published
May 26, 2026
Record updated