Live Exposure Defense: From CVE to Confirmed Exposure in 12 Hours – See more

New CVE Detected

CVE-2026-57831 – Unauthenticated SQL Injection – DPCalendar Extension for Joomla (versions 8.18.0…

Be the first to know when new zero-days emerge:

Summary

CVE-2026-57831 is a high-severity unauthenticated SQL injection vulnerability in the DPCalendar extension for Joomla, developed by digital-peak.com. The flaw allows any unauthenticated remote attacker to read the entire site database by sending a single crafted HTTP request to the extension’s publicly exposed events feed endpoint, with no privileges or user interaction required. The vulnerability carries a CVSS 4.0 score of 8.7 (High).

Technical details

  • Root cause: The filter_created_by parameter in the public events feed endpoint (index.php?option=com_dpcalendar&view=events&format=raw) is passed directly into a database query without integer casting or input sanitization, enabling blind SQL injection. The fix involves casting this parameter to an integer before the query executes, neutralizing any injected SQL syntax.
  • Trigger conditions: A single anonymous HTTP request to the public-facing events feed endpoint is sufficient to trigger the injection. No authentication, session, or special network position is required.
  • Attack vector: Network-accessible; the vulnerable endpoint is part of DPCalendar’s front-end calendar feed, exposed on any internet-facing Joomla site running the extension.
  • Impact: Successful exploitation yields full read access to the site database, exposing all user accounts, password hashes, Joomla configuration secrets, and stored credentials. In environments where the database server is configured with elevated privileges, the read access can extend beyond the Joomla database to all databases on the server. The confidentiality impact is rated High (VC:H) in the CVSS 4.0 vector.

Affected software

  • DPCalendar versions 8.18.0 through 10.11.1 (for Joomla 4, 5, and 6)
  • DPCalendar versions 8.x through 8.19.3 (for Joomla 3)
  • All product editions — Free, Standard, Professional, and Premium — contain identical vulnerable code and are equally affected.

Severity

CVSS 4.0 base score: 8.7 (High)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Mitigation and recommended actions

  • Immediate action: Upgrade DPCalendar to version 10.11.2 (for Joomla 4/5/6) or 8.19.4 (for Joomla 3). The vendor shipped the patched releases within 24 hours of responsible disclosure; both releases are available from the digital-peak.com download portal.
  • If immediate patching is not feasible: Restrict access to the public events feed endpoint (index.php?option=com_dpcalendar&view=events&format=raw) via server-level access controls or a web application firewall rule until the patch can be applied.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

How IONIX’s External Exposure Management Platform Detects and Validates
Zero-Days to Shrink MTTR

1

Map your entire attack surface (continously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

Subscribe to Threat Center RSS

Copy/paste the link below into your preferred RSS reader or follow these instructions to subscribe to Slack alerts.

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge