CVE-2026-58078
Received Received - Intake

Unauthenticated SQL Injection in Quix Page Builder Pro

Vulnerability report for CVE-2026-58078, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Joomla! Project

Description

The Joomla extension Quix Page Builder Pro is vulnerable to an unauthenticated SQL injection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
themexpert quix_page_builder to 6.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated SQL injection flaw in the Joomla extension Quix Page Builder Pro affecting versions 6.2.0 and earlier. It allows attackers to read sensitive data from the Joomla database without authentication by exploiting an unsanitized article ID parameter in an endpoint.

Detection Guidance

To detect this vulnerability, inspect Joomla sites using Quix Page Builder Pro versions 6.2.0 or earlier. Check for unusual database errors in responses when accessing endpoints with article IDs. Use WAF logs to identify SQL injection attempts targeting Quix endpoints.

Impact Analysis

Attackers can exploit this to extract sensitive information such as user accounts, password hashes, API secrets, and other confidential data from the Joomla database. Exploitation requires only a single request and poses a high risk due to the potential for data breaches.

Compliance Impact

This vulnerability could lead to unauthorized access to personal data, violating GDPR and HIPAA requirements for data protection and confidentiality. Organizations using the affected extension may face compliance violations, legal penalties, and reputational damage.

Mitigation Strategies

Immediately update Quix Page Builder Pro to version 6.2.1 or later. If updating is not possible, deploy a WAF with SQL injection filtering rules to block malicious requests. Remove or restrict access to vulnerable endpoints until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart