CVE-2026-35222 MEDIUM

CVE-2026-35222: Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags

Vendor Joomla! Project
Product Joomla! CMS
Weakness CWE-89 · SQLi
Published May 26, 2026
Last update June 5, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

Explanation of Vulnerability in Simple Terms

02Summary

Joomla! CMS versions 6.0.0 through 6.1.0 contain a SQL injection vulnerability in a core component. An attacker with high-level administrative privileges can inject malicious SQL commands through an unspecified input field. This allows reading or modifying database contents. Sites should update to a patched version as soon as available.

What an attacker can do

03Attacker Capabilities

Read or modify database contents by injecting SQL commands.

Potential impact on your site

04Site Impact

A compromised admin account could expose or alter sensitive site data, user records, or configuration.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrative access to the Joomla site.

Key dates

06Disclosure timeline

May 26, 2026 CVE published
June 5, 2026 Record updated

Related vulnerabilities

08Related CVE