CVE-2026-56292
Received Received - Intake

SQL Injection in AcyMailing Joomla Component

Vulnerability report for CVE-2026-56292, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Joomla! Project

Description

A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
acyba acymailing From 6.0.0 (inc) to 10.11.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in AcyMailing allows unauthorized access to sensitive data such as user accounts and password hashes. This unauthorized data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Exploiting this flaw could result in data leakage, potentially compromising the confidentiality and integrity of personal data, thereby impacting compliance with these common standards and regulations.

Mitigating this vulnerability by updating to AcyMailing version 10.11.1 or later is critical to maintaining compliance and protecting sensitive information.

Executive Summary

CVE-2026-56292 is a SQL injection (SQLi) vulnerability found in the AcyMailing component for Joomla versions earlier than 10.11.1.

This flaw allows an unauthenticated attacker to inject malicious SQL queries into the database through the vulnerable AcyMailing extension.

Exploiting this vulnerability can lead to unauthorized access to the database and leakage of sensitive information such as user accounts, password hashes, and article content.

Impact Analysis

If exploited, this vulnerability can allow attackers to access sensitive data stored in the database without any authentication.

  • Exposure of user account information.
  • Leakage of password hashes, which could be used for further attacks.
  • Access to protected content such as articles.

This can lead to data breaches, loss of user trust, and potential further exploitation of the system.

Detection Guidance

The vulnerability is an unauthenticated SQL injection in AcyMailing versions prior to 10.11.1. Detection can involve monitoring for unusual database queries or web requests that attempt SQL injection patterns targeting AcyMailing endpoints.

While specific commands are not provided in the resources, typical detection methods include using web application firewalls (WAFs) like Admin Tools Professional or RSFirewall! which can block or log such SQL injection attempts.

Network or system administrators can also review web server logs for suspicious requests containing SQL injection payloads aimed at AcyMailing components.

Mitigation Strategies

The only reliable fix for this vulnerability is to update AcyMailing to version 10.11.1 or later.

In the meantime, deploying web application firewalls (WAFs) such as Admin Tools Professional or RSFirewall! can help block exploitation attempts.

Users of both Joomla and WordPress versions of AcyMailing are strongly urged to update immediately to prevent potential unauthorized database access and data leakage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart