CVE-2025-49467 CRITICAL

CVE-2025-49467: Joomla Extension - jevents.net - SQL injection vulnerability in JEvents component before 3.6.88 and 3.6.82.1 for Joomla

Vendor Jevents.net / Gwe Systems Ltd
Product JEvents component for Joomla
Weakness CWE-89 · SQLi
Published June 12, 2025
Last update June 12, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/U:Amber

What the vulnerability does

01Description

A SQL injection vulnerability in JEvents component before 3.6.88 and 3.6.82.1 for Joomla was discovered. The extension is vulnerable to SQL injection via publicly accessible actions to list events by date ranges.

Explanation of Vulnerability in Simple Terms

02Summary

JEvents component for Joomla contains a SQL injection vulnerability in versions 3.6.82 and earlier. An attacker can craft malicious input to execute arbitrary SQL queries against the site's database without authentication. This allows reading, modifying, or deleting sensitive data including user credentials and site configuration.

What an attacker can do

03Attacker Capabilities

Execute arbitrary SQL queries to read, modify, or delete database records without logging in.

Potential impact on your site

04Site Impact

Attackers can steal user passwords, modify event data, or take the site offline by corrupting the database.

Conditions required to exploit

05Prerequisites

Network access to the Joomla site; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 12, 2025 CVE published
June 12, 2025 Record updated