CVE-2026-35221 Overview
CVE-2026-35221 is an authenticated blind SQL injection vulnerability in the com_finder component of Joomla. Improperly constructed filter clauses in the search query allow an attacker with elevated privileges to inject arbitrary SQL into backend database operations. The flaw is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Successful exploitation enables unauthorized data access from the underlying Joomla database. The issue is documented in the Joomla Security Advisory.
Critical Impact
An authenticated attacker can leverage the flaw to extract sensitive database contents through blind SQL injection against the Smart Search component.
Affected Products
- Joomla! CMS — com_finder (Smart Search) component
- Joomla! core versions covered by the May 2026 security advisory
- Sites with the Smart Search component enabled and reachable by authenticated users
Discovery Timeline
- 2026-05-26 - CVE-2026-35221 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-35221
Vulnerability Analysis
The vulnerability resides in the Joomla Smart Search component, com_finder. The component constructs SQL filter clauses for search queries without applying sufficient sanitization or parameterization to user-controlled inputs. An authenticated attacker can manipulate filter parameters so that attacker-supplied content is concatenated into the resulting SQL statement.
Because the injection is blind, results are not returned directly in HTTP responses. Attackers infer database content through boolean-based or time-based side channels. Repeated queries allow row-by-row extraction of usernames, password hashes, session tokens, and configuration data.
The attack vector is network-based and requires high privileges, limiting exploitation to users with backend or elevated frontend access. No user interaction is required once an authenticated session is established.
Root Cause
The root cause is improper construction of filter clauses in the search query path of com_finder. Input values intended for filter expressions are merged into SQL strings without strict type enforcement or prepared statement binding, violating the principles described in CWE-89.
Attack Vector
An authenticated attacker submits a crafted Smart Search request containing malicious filter values. The injected SQL alters the original query's logic, enabling conditional responses that disclose data character-by-character. Exploitation typically uses automated tooling to iterate through boolean or timing oracles against the backend database. See the Joomla Security Advisory for vendor-confirmed technical context.
Detection Methods for CVE-2026-35221
Indicators of Compromise
- Repeated authenticated requests to index.php?option=com_finder with anomalous filter parameter values containing SQL syntax such as AND, OR, SLEEP(, BENCHMARK(, or UNION.
- Unusually long response times for Smart Search endpoints, indicative of time-based blind SQL injection probing.
- High request volume to the Smart Search component originating from a single authenticated session or IP address.
- Web server logs showing URL-encoded SQL metacharacters (%27, %2D%2D, %23) in com_finder filter parameters.
Detection Strategies
- Inspect Joomla and web server access logs for com_finder requests carrying SQL keywords or sleep-based payloads in filter parameters.
- Enable database query logging and alert on syntactically anomalous SELECT statements originating from the Joomla application user.
- Deploy a Web Application Firewall (WAF) rule set covering SQL injection signatures, including blind SQLi patterns targeting filter[*] parameters.
- Correlate authenticated session activity with spikes in 500-series responses or query latency on /index.php requests.
Monitoring Recommendations
- Continuously monitor authenticated user sessions for behavioral anomalies, including bulk requests to com_finder endpoints.
- Forward Joomla, web server, and database logs to a centralized analytics platform and apply detections aligned with CWE-89.
- Track privileged account activity to identify abuse of high-privilege roles required to reach the vulnerable code path.
How to Mitigate CVE-2026-35221
Immediate Actions Required
- Apply the Joomla security update referenced in the Joomla Security Advisory to all affected installations.
- Audit accounts with backend access and remove unnecessary privileged users that could reach com_finder.
- Rotate database credentials, Joomla administrator passwords, and session secrets if exploitation is suspected.
- Review recent Joomla and database logs for prior exploitation attempts against the Smart Search component.
Patch Information
Joomla released a fixed version addressing the improper filter construction in com_finder. Administrators must upgrade to the patched Joomla release identified in the Joomla Security Advisory. No supported workaround replaces installation of the official patch.
Workarounds
- Temporarily disable the com_finder (Smart Search) component if patching cannot be performed immediately.
- Restrict access to authenticated Joomla areas using network-level controls or IP allowlisting until the update is applied.
- Deploy WAF rules that block SQL metacharacters in com_finder filter parameters as a compensating control.
# Configuration example: disable com_finder via Joomla CLI until patched
php cli/joomla.php extension:disable --name=com_finder
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
