CVE-2026-49048
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
The JoomCCK extension for Joomla exposes a front-end controller task that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterization.
Risk Assessment
An attacker can inject malicious SQL code, potentially leading to unauthorized database access, data leakage, or data modification.
Recommendation
Immediately update the JoomCCK extension to the latest version that includes a fix for the SQL injection vulnerability.
Original NVD description (English source)
The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.

