CVE-2026-57831

Digital Peak · DP Calendar extension for Joomla

The DP Calendar extension for Joomla contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary database queries.

Executive summary

An unauthenticated SQL injection vulnerability in the DP Calendar Joomla extension poses a severe risk of unauthorized database access and data exfiltration.

Vulnerability

The extension fails to properly sanitize input, leading to an SQL injection vulnerability (CWE-89). This flaw is critical as it allows an unauthenticated attacker to interact directly with the backend database via the web interface.

Business impact

This vulnerability enables attackers to bypass authentication, read sensitive information from the database, or modify records. Given the high CVSS score of 8.7 and the lack of authentication requirements, this represents a significant threat to the confidentiality and integrity of the Joomla site.

Remediation

Immediate Action: Update the DP Calendar extension to the latest available version provided by Digital Peak immediately.

Proactive Monitoring: Monitor database query logs for evidence of anomalous SQL syntax or unauthorized enumeration attempts.

Compensating Controls: Utilize a WAF to filter malicious SQL injection payloads from incoming HTTP traffic until the extension can be updated.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Site administrators using the DP Calendar extension must verify their version and apply updates immediately. Given that the exploit is unauthenticated, the risk of automated exploitation is high, and patching should be treated as an urgent priority.