What the vulnerability does
01Description
Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table.
Explanation of Vulnerability in Simple Terms
02Summary
A SQL injection vulnerability in Hdwplayer com_hdwplayer allows unauthenticated attackers to query the database directly. The vulnerability exists in version 4.2 and requires only network access to exploit. An attacker can extract sensitive data including user credentials, configuration details, and other database contents.
What an attacker can do
03Attacker Capabilities
Extract sensitive data from the site database, including user credentials and configuration information.
Potential impact on your site
04Site Impact
Attackers can read all database contents without logging in, exposing user accounts, passwords, and private site data.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 13, 2026
CVE published
May 14, 2026
Record updated