CVE-2026-56292 CRITICAL

CVE-2026-56292: Joomla Extension - acymailing.com - SQL Injection in AcyMailing extension < 10.11.1

Vendor Acymailing.com
Product acymailing.com AcyMailing extension for Joomla
Weakness CWE-89 · SQLi
Published July 9, 2026
Last update July 9, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H

What the vulnerability does

01Description

A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.

Explanation of Vulnerability in Simple Terms

02Summary

AcyMailing extension for Joomla contains a SQL injection vulnerability in versions 1.0-10.11.0 and earlier. An attacker with network access can inject malicious SQL commands through unfiltered input, potentially reading or modifying the site's database. No authentication is required to exploit this flaw. Site administrators should update to a patched version as soon as it becomes available.

What an attacker can do

03Attacker Capabilities

Read or modify the site's database by injecting SQL commands through unfiltered input.

Potential impact on your site

04Site Impact

Attackers can steal subscriber data, email lists, configuration settings, or modify/delete database records without logging in.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 9, 2026 CVE published
July 9, 2026 Record updated