CVE-2025-25226

Published Apr 8, 2025

Last updated 21 days ago

CVSS critical 9.8

Overview

Description
Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.
Source
security@joomla.org
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@joomla.org
CWE-89
nvd@nist.gov
CWE-89

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2025-25226

    @transilienceai

    18 Apr 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. CMS「Joomla」に関する2件の脆弱性(CVE-2025-25226・25227)が2025年4月9日に公開された。いずれも影響度は「高」とされ、SQLインジェクションやMFAバイパスの可能性がある。修正アップデートが提供されている。

    @karukaruit

    12 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CMSのJoomlaに関して、2件の脆弱性「CVE-2025-25227」「CVE-2025-25226」が明らかとなり脆弱性を修正したアップデートを提供。 前者はSQLインジェクション、後者は多要素認証をバイパスする脆弱性。 いずれも影響度の評価は高、一方重要度については中以下。

    @karukaruit

    12 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-25226 Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a prote… https://t.co/oVuQlklBbF

    @CVEnew

    8 Apr 2025

    108 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.