PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35221 Joomla! Project CVE debrief

A SQL injection vulnerability exists in the Joomla com_finder component due to improperly constructed filter clauses in search queries. The vulnerability requires authenticated access and has been assigned a CVSS 4.0 score of 6.9 (MEDIUM severity). The issue was disclosed by the Joomla Security Centre on May 6, 2026, and subsequently published in the NVD on May 26, 2026. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Vendor: Joomla! Project
Product: Joomla! CMS
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running Joomla installations with the com_finder component enabled, particularly those with multiple authenticated users or exposed administrative interfaces. Security teams responsible for content management system security and database protection should prioritize assessment and patching.

Technical summary

The com_finder component in Joomla fails to properly construct filter clauses in search queries, resulting in a blind SQL injection vulnerability. Exploitation requires authenticated access with high privileges. Successful exploitation could result in unauthorized disclosure of sensitive information from the database. The vulnerability does not appear to affect system integrity or availability based on the CVSS vector.
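To make the CWE-89 pattern described above concrete, the following added example (not Joomla's code, and not the com_finder query itself) shows a search filter clause built by string interpolation beside the same clause with the search term bound as a parameter. The schema, table name and rows are constructed for the illustration, and SQLite stands in for the site database; the point is that the interpolated term is parsed as SQL and defeats the `published = 1` filter, while the bound term can only ever be data.

```python
import sqlite3

# Constructed sample data standing in for a search index; not Joomla's real schema.
ROWS = [
    (1, "Public announcement", 1),   # published: a normal search may return it
    (2, "Internal roadmap", 0),      # unpublished: the filter must hide it
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Filter clause built by interpolation: the term is parsed as SQL.

    A term containing a quote and an OR can extend the WHERE clause so the
    published = 1 restriction no longer applies (the blind-SQLi shape from
    the advisory: no error, just a different result set).
    """
    sql = (
        "SELECT id, title FROM items "
        f"WHERE published = 1 AND title LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Same query with the term bound as a parameter.

    The driver sends the pattern as data, so quotes, OR and comment markers
    in the term are matched literally and never change the query structure.
    """
    sql = "SELECT id, title FROM items WHERE published = 1 AND title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for term in ("announcement", "%' OR 1=1 --"):
        print(repr(term), "vulnerable:", search_vulnerable(db, term),
              "hardened:", search_hardened(db, term))
```

Binding fixes the injection; it does not address a separate, lower-severity concern that `%` and `_` in the term are still LIKE wildcards, which a production search layer would escape or strip before binding.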

Defensive priority

Medium

Recommended defensive actions

  • Apply security updates from Joomla as they become available, per the vendor security advisory
  • Review and restrict access to com_finder administrative functions to trusted users only
  • Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts against com_finder endpoints
  • Monitor database query logs for anomalous patterns indicative of SQL injection exploitation
  • Conduct security assessment of custom extensions interacting with com_finder search functionality
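As an added illustration of the query-log monitoring action above (not a PatchSiren or Joomla tool), the following scanner applies a few heuristic rules to database query log lines and reports which lines match which rule. The log format and table name are constructed to resemble a general query log; tune the rules to the real log format and to the site's legitimate search traffic before relying on them, since a `--` or `OR` can occur in genuine search terms.

```python
import re

# Constructed sample lines loosely modelled on a general query log; the table
# name and timestamps are illustrative, not captured Joomla traffic.
SAMPLE_LOG = """\
2026-05-27T10:00:01Z 12 Query SELECT l.link_id FROM finder_links AS l WHERE l.published = 1 AND l.title LIKE '%release%'
2026-05-27T10:00:02Z 12 Query SELECT l.link_id FROM finder_links AS l WHERE l.published = 1 AND l.title LIKE '%x%' OR 1=1 -- %'
2026-05-27T10:00:03Z 13 Query SELECT l.link_id FROM finder_links AS l WHERE l.published = 1 AND l.title LIKE '%x%' AND SLEEP(5) -- %'
2026-05-27T10:00:04Z 14 Query SELECT l.link_id FROM finder_links AS l WHERE l.published = 1 AND l.title LIKE '%o''reilly%'
"""

# Ordered list of (rule name, compiled pattern). Order fixes the report order.
RULES = [
    # OR followed by a value compared with itself: OR 1=1, OR 'a'='a'
    ("tautology", re.compile(r"\bOR\s+('[^']*'|\d+)\s*=\s*\1", re.IGNORECASE)),
    # Inline comment used to discard the rest of the original clause
    ("comment_terminator", re.compile(r"--\s|--$|/\*")),
    # Time-delay functions typical of time-based blind probing
    ("time_delay", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)),
    # UNION-based data extraction
    ("union_select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE)),
    # A second statement appended after a semicolon
    ("stacked_query", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)),
]


def scan_query_log(text: str) -> list:
    """Return (line_number, rule_name) pairs for every rule each line trips.

    Line numbers start at 1 and blank lines are skipped. Escaped quotes in a
    legitimate term (the o''reilly line) do not match any rule.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((line_no, name))
    return hits


if __name__ == "__main__":
    for line_no, rule in scan_query_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

Each flagged line carries the connection id from the log, which is what an analyst would pivot on to find the authenticated session behind the request; a single rule hit is a lead, not proof, and two rules on one line (as in the second and third sample lines) is a stronger signal.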

Evidence notes

The vulnerability is documented in the Joomla Security Centre advisory and tracked in NVD with status 'Undergoing Analysis'. The CVSS 4.0 vector indicates network attack vector, low attack complexity, high privileges required, and high confidentiality impact with no integrity or availability impact.

Official resources

The vulnerability was disclosed by the Joomla Security Centre on May 6, 2026, with NVD publication following on May 26, 2026.