CVE-2026-49048
CRITICALJoomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla < 6.4.1
Title source: cnaExploitation Summary
EIP tracks 1 public exploit for CVE-2026-49048. PoCs published by KARA-git.
AI-analyzed exploit summary This repository contains a functional PoC for CVE-2026-49048, demonstrating an unauthenticated SQL injection vulnerability in JoomCCK 6.4.0 via the `task=tags.save` endpoint. The PoC uses the actual Joomla framework classes to replicate the vulnerable code path and executes SQL queries against a live MariaDB instance to confirm exploitation.
Description
The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.
Exploits (1)
This repository contains a functional PoC for CVE-2026-49048, demonstrating an unauthenticated SQL injection vulnerability in JoomCCK 6.4.0 via the `task=tags.save` endpoint. The PoC uses the actual Joomla framework classes to replicate the vulnerable code path and executes SQL queries against a live MariaDB instance to confirm exploitation.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H