Joomla, Blind SQL Injection, CVE-2026-35221 (Medium)

Listen to this Post

This vulnerability stems from improper input validation and sanitization within the `com_finder` component of Joomla CMS. It occurs when the application builds a SQL query to process a search term. Instead of using a parameterized query, the application concatenates the user’s search string directly into the SQL statement.
An attacker, who must first be an authenticated user, can inject malicious SQL syntax into the search box. By entering a payload like `value’ OR ‘1’=’1` or value' AND (SELECT SLEEP(5))--, the query’s logic is altered. A vulnerable PHP code snippet might look like this:

$search = $_GET['search'];
$query = "SELECT FROM __finder_links WHERE LIKE '%$search%'";

The lack of escaping means the single quote in the attacker’s payload breaks out of the intended string context. This allows them to append new SQL commands. The result is a blind SQL injection (CWE-89) because the attacker cannot see direct database errors.
They must infer the result of their injection based on how the application behaves—for example, whether the page loads normally, if it is delayed, or if the search returns an altered set of results. This technique can be used to extract usernames, password hashes, or other sensitive data from the database.
The issue affects Joomla CMS versions 5.4.0 through 5.4.5, as well as 6.0.0 through 6.1.0. The official CVSS v4.0 score for this vulnerability is 6.9, with a severity rating of Medium.
Platform: Joomla Cms
Version: 5.4.0-5.4.5,6.0.0-6.1.0
Vulnerability : Blind SQLi
Severity: Medium
Date: 2026-05-26

Prediction: Patch by 2026-05-26

Analytics under What Undercode Say:

sqlmap -u "http://target-joomla-site.com/index.php?option=com_finder&view=search&q=test" --cookie="joomla_session=abc123" --risk=3 --level=5 --dbms=mysql --technique=BE --dbs

Exploit:

Exploitation requires a low-privilege, authenticated user account. An attacker can log in and navigate to the search page (com_finder). By injecting a boolean-based payload into the search query parameter (e.g., ?q=test' AND (SELECT (CASE WHEN (ASCII(SUBSTRING((SELECT password FROM __users LIMIT 1),1,1)) > 1) THEN SLEEP(5) ELSE 0 END))-- -), they can exfiltrate data by observing response delays or content changes.

Protection from this CVE

Upgrade Joomla CMS to version 5.4.6 or 6.1.1 immediately. In the absence of a patch, implement a Web Application Firewall (WAF) rule to block SQLI patterns in search parameters. Enforce strict input validation and sanitization, and convert all database queries within `com_finder` to use prepared statements.

Impact

Successful exploitation allows an attacker to read any data stored in the Joomla database, including user credentials and session tokens. It can also be used to modify or delete database records, potentially leading to privilege escalation within the CMS. In severe cases, depending on the database configuration, this could lead to remote command execution or lateral movement to other hosts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top