CVE-2025-25226 — SQL Injection in Joomla Database

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.0%

top 97.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Joomla !Joomla Database Joomla! Project Joomla! Framework

Timeline

PublishedApr 8

Description

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Packagistjoomla/database3.0.0 — 3.4.0+1

▶NVDjoomla/joomla_!1.0.0 — 2.2.0+1

▶CVEListV5joomla!_project/joomla!_framework1.0.0-2.1.1, 3.0.0-3.3.1+1

🔴Vulnerability Details

CVEList

[20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package↗2025-04-08

▶

OSV

Joomla Framework Database Package Vulnerable to SQL Injection↗2025-04-08

▶

GHSA

Joomla Framework Database Package Vulnerable to SQL Injection↗2025-04-08

▶