CVE-2026-24959

Awaiting Analysis Awaiting Analysis - Queue

Blind SQL Injection in JoomSky JS Help Desk

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-20

Last Modified

2026-02-20

Generated

2026-05-27

AI Q&A

2026-02-20

EPSS Evaluated

2026-05-25

NVD

CVE-2026-24959

EUVD

EUVD-2026-8358

Affected Vendors & Products

Vendor	Product	Version / Range
joomsky	js_help_desk	to 3.0.1 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

CVE-2026-24959 is a high-priority SQL Injection vulnerability found in the WordPress JS Help Desk Plugin versions up to and including 3.0.1.

This vulnerability allows a malicious actor to perform Blind SQL Injection, meaning they can interact with the plugin’s database without direct visibility of the data returned.

Exploiting this flaw requires only subscriber-level privileges, making it easier for attackers to leverage.

How can this vulnerability impact me? :

This SQL Injection vulnerability can allow attackers to directly interact with and manipulate the plugin’s database.

Potential data theft from the database.
Unauthorized data manipulation or corruption.

Because of its high severity (CVSS score of 8.5), this flaw is considered highly dangerous and likely to be exploited in the wild.

What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-24959 SQL Injection vulnerability in the JS Help Desk Plugin, immediately update the plugin to version 3.0.2 or later.

Until the update can be applied, users of Patchstack can enable a mitigation rule that blocks attacks targeting this vulnerability.

Additionally, enabling automatic updates for vulnerable plugins via Patchstack can help ensure rapid protection.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

The provided resources do not include specific commands or methods to detect this SQL Injection vulnerability on your network or system.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-24959

Blind SQL Injection in JoomSky JS Help Desk

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart