CVE-2026-60025
Received Received - Intake

Frontend File Upload CSRF Vulnerability in Events Booking

Vulnerability report for CVE-2026-60025, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Joomla! Project

Description

The Joomla extension Events Booking prior version 5.8.0 had an frontend file upload endpoint that lacked CSRF protection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
joomdonation events_booking to 5.8.0 (exc)
joomla events_booking to 5.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is in the Joomla extension Events Booking before version 5.8.0. It has a frontend file upload feature that does not have CSRF protection, meaning an attacker could trick a user into uploading malicious files without their knowledge.

Detection Guidance

This vulnerability involves a frontend file upload endpoint in Events Booking for Joomla lacking CSRF protection. To detect it, check for unauthorized file uploads in the Joomla media directory or suspicious activity in event registration logs. Inspect network traffic for POST requests to /index.php?option=com_eventbooking&task=upload.

Impact Analysis

This vulnerability could allow attackers to upload malicious files to your Joomla site through the Events Booking extension. This might lead to remote code execution, defacement, or further compromise of your website or server.

Compliance Impact

The vulnerability allows unauthorized file uploads due to missing CSRF protection, which could lead to data breaches or unauthorized access to sensitive information. This may impact compliance with GDPR by risking personal data exposure and HIPAA by potentially compromising protected health information if such data is involved.

Mitigation Strategies

Update the Events Booking extension to version 5.8.0 or later to address the CSRF vulnerability in the file upload endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60025. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart