CVE-2025-49467
CRITICAL
Joomla JEvents <3.6.88, <3.6.82.1 - SQL Injection
Title source: llm
Description
A SQL injection vulnerability was discovered in the JEvents component for Joomla before 3.6.88 and 3.6.82.1. The extension is vulnerable to SQL injection via publicly accessible actions that list events by date range.
References (1)
Core 1
Core References
Various Sources product
https://jevents.net/
Scores
CVSS v4
9.3
EPSS
0.0027
EPSS Percentile
19.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Amber
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (3)
jevents.net / GWE Systems Ltd/JEvents component for Joomla
1.0.0-3.6.82
jevents.net / GWE Systems Ltd/JEvents component for Joomla
3.6.82.1
jevents.net / GWE Systems Ltd/JEvents component for Joomla
3.6.83-3.6.87
Published
Jun 12, 2025
Tracked Since
Feb 18, 2026