CVE-2025-2126

CVE-2025-2126 is a critical SQL injection vulnerability in JoomlaUX JUX Real Estate version 3.4.0 running on Joomla. The flaw resides in the processing of the GET parameter 'title' within the component's GET Parameter Handler at the endpoint /extensions/realestate/index.php/properties/list/list-with-sidebar/realties. Manipulation of this parameter enables SQL injection, as classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-09.

The vulnerability can be exploited remotely by attackers with low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL queries through the manipulated 'title' parameter.

VulDB advisories, referenced at vuldb.com/?ctiid.299039, vuldb.com/?id.299039, and vuldb.com/?submit.509884, detail the issue and note that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned in available sources. Security practitioners should monitor for updates, restrict access to the affected endpoint, and consider input validation or upgrading to alternative components.