CVE-2025-25226: [20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package

Description

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.

Classification

CVE ID: CVE-2025-25226

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: Joomla! Project

Product: Joomla! Framework

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.66% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-25226
https://developer.joomla.org/security-centre/963-20250401-framework-sql-injection-vulnerability-in-quotenamestr-method-of-database-package.html

Timeline

2025-04-08 17:40:18 UTC
CVE

[20250401] - Joomla Framework - SQL injection vulnerability in quoteNameStr method of Database package
2025-04-17 11:30:44 UTC
Tenable Plugins

Joomla! 4.x < 4.4.13 Multiple Vulnerabilities
2025-04-17 11:30:44 UTC
Tenable Plugins

Joomla! 5.x < 5.2.6 Multiple Vulnerabilities