CVE-2025-49467
Description
A SQL injection vulnerability in JEvents component before 3.6.88 and 3.6.82.1 for Joomla was discovered. The extension is vulnerable to SQL injection via publicly accessible actions to list events by date ranges.
CWE
- CWE-89 — CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected
- jevents.net / GWE Systems Ltd / JEvents component for Joomla — v=1.0.0-3.6.82 [affected]; v=3.6.82.1 [unaffected]; v=3.6.83-3.6.87 [affected]
CVSS
- 4.0 score=9.3 severity=CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/U:Amber
References
- https://jevents.net/ product
Source
cvelistV5-main/cves/2025/49xxx/CVE-2025-49467.json