CVE-2020-37218 HIGH

CVE-2020-37218: Joomla com_hdwplayer 4.2 SQL Injection via search.php

Vendor Hdwplayer
Product com_hdwplayer
Weakness CWE-89 · SQLi
Published May 13, 2026
Last update May 14, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.

Explanation of Vulnerability in Simple Terms

02Summary

A SQL injection vulnerability in Hdwplayer com_hdwplayer allows unauthenticated attackers to query the database directly. The vulnerability exists in version 4.2 and requires only network access to exploit. An attacker can extract sensitive data including user credentials, configuration details, and other database contents.

What an attacker can do

03Attacker Capabilities

Extract sensitive data from the site database, including user credentials and configuration information.

Potential impact on your site

04Site Impact

Attackers can read all database contents without logging in, exposing user accounts, passwords, and private site data.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 13, 2026 CVE published
May 14, 2026 Record updated

Related vulnerabilities

08Related CVE