Joomla AcyMailing, SQL Injection, CVE-2026-56292 (Critical) -DC-Jul2026-888

Listen to this Post

How CVE-2026-56292 Works

CVE-2026-56292 is an unauthenticated SQL injection vulnerability discovered in the AcyMailing component for Joomla (and WordPress) by mySites.guru. The flaw affects all AcyMailing versions from 6.0.0 up to and including 10.11.0, and was patched in version 10.11.1 released on 9 July 2026.
The vulnerability resides in a public front‑end endpoint that anonymous visitors can access without any authentication. This endpoint accepts user‑supplied request parameters and directly concatenates them into the column list of a database `SELECT` query. No sanitisation or quoting is applied to these parameters—the textbook definition of a SQL injection flaw.
Joomla’s standard text filter, which the extension applies to these parameters, only strips HTML tags and does nothing to neutralise SQL syntax. As a result, an attacker can craft a malicious parameter that alters the structure of the SQL query, turning it into one that reads arbitrary data from any table in the Joomla database.
Because the endpoint is public and does not require a CSRF token or any form of credentials, the attack can be performed remotely by anyone with network access to the site. The injected SQL payload is returned in the server’s response, allowing the attacker to exfiltrate data directly.
The vulnerability is classified under CWE‑89 (Improper Neutralization of Special Elements used in an SQL Command). According to the CVSS 4.0 vector provided by the Joomla CNA, the base score is 9.2 (Critical), while the NIST CVSS 3.1 score is 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The flaw is automatable (though the CISA ADP notes “Automatable: no” in their SSVC assessment) and can be exploited without user interaction.

In practical terms, an unauthenticated attacker can read:

  • Joomla user accounts, including usernames and password hashes
  • and content records
  • Extension configuration and other stored sensitive data
    The vulnerability is not limited to Joomla; the WordPress version of AcyMailing shares the same codebase and is equally affected. The vendor released a single patch (10.11.1) that addresses the issue for both platforms.
    Web application firewalls (WAFs) such as Admin Tools Professional and RSFirewall! can block the attack in their default configurations, but they are only a mitigation—not a fix. The only reliable remedy is to update to AcyMailing 10.11.1 immediately.

DailyCVE Form

| Field | Value |

|–|–|

| Platform | Joomla / WordPress |

| Version | < 10.11.1 |

| Vulnerability | SQL Injection |

| Severity | Critical (CVSS 8.7) |

| date | 2026-07-09 |

| Prediction | Patch: 2026-07-09 |

What Undercode Say (Analytics)

Check installed AcyMailing version via Joomla CLI
php cli/joomla.php extension:list --name=com_acymailing --field=version
For WordPress via WP-CLI
wp plugin get acymailing --field=version
Scan multiple sites for vulnerable version using a simple bash loop
for site in $(cat sites.txt); do
echo -n "$site: "
curl -s -o /dev/null -w "%{http_code}" "$site/index.php?option=com_acymailing&task=...&param=test"
echo ""
done
Query the Joomla database directly to identify affected extensions (requires DB access)
mysql -u user -p -e "SELECT extension_id, name, version FROM joomla_extensions WHERE name LIKE '%acymailing%' AND version < '10.11.1';"
Use mySites.guru API to check connected sites (if you are a customer)
curl -H "Authorization: Bearer YOUR_API_KEY" "https://api.mysites.guru/v1/sites?vulnerable=cve-2026-56292"

Exploit (Conceptual)

Crafted GET request exploiting the vulnerable front-end endpoint
(Actual parameter names and endpoint are withheld to prevent active abuse)
curl -i "https://target.com/index.php?option=com_acymailing&task=frontTask&column=((SELECT+CONCAT(username,0x3a,password)+FROM+__users+LIMIT+1))"
The above injects a subquery that extracts the first user's username and password hash
and returns it in the response body, effectively dumping credentials.

Note: The exact request details are deliberately not published in full to avoid giving attackers a ready‑to‑use weapon. The above is a generic illustration of the injection technique.

Protection

  • Immediate Update: Upgrade AcyMailing to version 10.11.1 or later. This is the only complete fix.
  • Web Application Firewall: Deploy a WAF (e.g., Admin Tools, RSFirewall!) with SQL injection rules enabled. This can block the attack even if patching is delayed.
  • Input Validation: Ensure all user‑supplied input is properly sanitised and parameterised. For Joomla extensions, use `$db->quote()` or prepared statements.
  • Least Privilege: Restrict database user permissions to the minimum required for the application.
  • Regular Scans: Use tools like mySites.guru or Joomla’s own security scanner to detect vulnerable extensions.
  • Disable Unused Endpoints: If possible, disable or restrict access to public front‑end endpoints that are not essential.

Impact

  • Unauthorised Data Access: Attackers can read any table in the Joomla database, including user credentials, password hashes, personal information, and financial records.
  • Data Leakage: Exfiltration of sensitive content (s, configuration, email lists) can lead to privacy breaches and regulatory non‑compliance (GDPR, CCPA).
  • Privilege Escalation: With stolen password hashes, attackers may crack them offline and gain administrative access to the site.
  • Reputation Damage: A successful breach can erode customer trust and harm the organisation’s brand.
  • Lateral Movement: If the database server has elevated privileges, the attacker might pivot to other systems or install backdoors.
  • Mass Exploitation: Given the wide installation base of AcyMailing, automated tools can scan and compromise thousands of sites simultaneously.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top