PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60024 joomdonation.com CVE debrief

The Joomla extension Events Booking prior version 5.8.0 did by default allow unauthenticated users to upload media assets. This CVE record was published on 2026-07-17T16:17:16.113Z and has not been modified since then. The vulnerability affects Joomla Events Booking extension, allowing unauthenticated users to upload media assets by default, potentially leading to malicious asset uploads.

Vendor
joomdonation.com
Product
Events Booking extension for Joomla
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Joomla Events Booking extension prior to version 5.8.0, operators, platform administrators, vulnerability management teams, and security teams should review and update their installations to prevent potential media asset uploads by unauthenticated users. They should also monitor for suspicious media asset uploads and review compensating controls for exposed systems.

Technical summary

The Events Booking extension for Joomla, prior to version 5.8.0, allowed unauthenticated users to upload media assets by default. This vulnerability could potentially be exploited to upload malicious assets, impacting the security of Joomla installations. Users of the extension should review and update their installations to prevent potential security risks.

Defensive priority

Medium

Recommended defensive actions

  • Review and update Joomla Events Booking extension to version 5.8.0 or later
  • Restrict media asset uploads to authenticated users
  • Monitor for suspicious media asset uploads
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and verification are necessary to fully understand the impact and scope of this vulnerability. The source details are limited, and defenders should verify the affected scope, severity, and vendor guidance. The CVE record was published on 2026-07-17T16:17:16.113Z and has not been modified since then.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:16.113Z and has not been modified since then.