CVE-2026-49048

{"id": "CVE-2026-49048", "cveTags": [], "metrics": {}, "affected": [{"source": "security@joomla.org", "affectedData": [{"vendor": "joomcoder.com", "product": "JoomCCK extension for Joomla", "versions": [{"status": "affected", "version": "1.0-6.4.0"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-28T19:16:52.100", "references": [{"url": "https://www.joomcoder.com/", "source": "security@joomla.org"}], "vulnStatus": "Received", "weaknesses": [{"type": "Primary", "source": "security@joomla.org", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation."}], "lastModified": "2026-06-28T19:16:52.100", "sourceIdentifier": "security@joomla.org"}