Two confirmed Joomla extension vulnerabilities require prompt action: CVE-2026-57833 affects AcyMailing and CVE-2026-58077 affects EDocman. Administrators should identify affected installations, update AcyMailing to 10.11.1 or later and EDocman to 3.9.0 or later, then assess whether publicly exposed sites may have disclosed database data.
Joomla site owners using AcyMailing or EDocman should review their extension inventories immediately. The confirmed issues are unauthenticated SQL injection vulnerabilities that can permit database reads on affected internet-accessible sites, but the products and remediation versions must be stated accurately: these CVEs concern AcyMailing and EDocman, not a product called 4Analytics.
Joomla extension vulnerabilities: the verified scope
Security notices can be reposted with inaccurate product names, patch versions, or severity labels. In this case, the authoritative CVE and National Vulnerability Database (NVD) records identify two separate Joomla extensions:
- CVE-2026-57833 affects the AcyMailing extension for Joomla from acymailing.com.
- CVE-2026-58077 affects the EDocman extension for Joomla from joomdonation.com.
There is no authoritative evidence in the available records that either CVE is assigned to a product named 4Analytics, or that version 5.0.2 is a fix for either issue. Administrators should therefore base remediation decisions on the extension actually installed on each Joomla site.
| Extension | CVE | Authentication | Affected versions | Recommended version | Official CVSS | CISA KEV status |
|---|---|---|---|---|---|---|
| AcyMailing for Joomla | CVE-2026-57833 | Not required | 6.0.0 and later, but before 10.11.1 | 10.11.1 or later | CVSS 4.0: 9.2 Critical CVSS 3.1: 7.5 High |
Not listed in the evidence reviewed |
| EDocman for Joomla | CVE-2026-58077 | Not required | 1.0 through 3.8 | 3.9.0 or later | CVSS 4.0: 8.7 High | Not listed in the evidence reviewed |
The recommended EDocman version requires a qualification. The CVE and NVD records identify the vulnerability and its affected range, but do not yet list a fixed release. The mySites.guru EDocman advisory states that EDocman 3.9.0 fixes the reported SQL injection issue. Treat that as advisory and vendor remediation guidance rather than as an NVD-listed fixed version.
CVE-2026-57833: AcyMailing SQL injection
CVE-2026-57833 is a SQL injection vulnerability, classified as CWE-89, in the AcyMailing extension for Joomla. The affected range is AcyMailing versions 6.0.0 and later but before 10.11.1.
The official CVSS 4.0 score is 9.2, Critical. NVD also records a CVSS 3.1 score of 7.5, High. These are scores from different CVSS versions, not competing assessments. For current severity reporting, use the CVSS 4.0 rating of 9.2 Critical.
The published scoring information indicates that the issue is reachable over the network and does not require authentication or user interaction. For an affected, publicly reachable Joomla site, the practical risk is unauthorised access to information held in the site database. Depending on how the site is configured, that database can contain user account data, password hashes, newsletter-related information, configuration records, and other sensitive application content.
Required action: update AcyMailing to 10.11.1 or later. The NVD version data identifies vulnerable versions as ending before 10.11.1, making 10.11.1 the first confirmed non-vulnerable boundary in the available evidence. Consult the AcyMailing website for current package availability and extension-specific update information.
CVE-2026-58077: EDocman unauthenticated blind SQL injection
CVE-2026-58077 is an unauthenticated blind SQL injection vulnerability, also classified as CWE-89, in EDocman for Joomla. The CVE record lists EDocman versions 1.0 through 3.8 as affected.
The official CVSS 4.0 score is 8.7, High. This is a serious vulnerability and should be handled promptly, but it should not be described as Critical. The CVSS vector indicates a network-reachable issue that requires neither prior authentication nor user interaction. The available CVE and advisory information indicates that the flaw can enable reads from the database.
For remediation, update EDocman to 3.9.0 or later. This fixed version is supported by the mySites.guru disclosure, which reports that versions 3.8 and earlier are affected and identifies EDocman 3.9.0 as the correcting release. Confirm the current update package through the EDocman vendor page before deployment.
The NVD status for CVE-2026-58077 is Deferred. That means NVD analysis is not complete, and descriptive or enrichment details may change as analysis progresses. It does not remove the need to patch: the CVE identification, affected versions, unauthenticated nature, official CVSS 4.0 score, and advisory remediation information are sufficient to prioritise the update.
Severity is not the same as confirmed exploitation
CVSS measures the technical characteristics and potential impact of a vulnerability. It is useful for prioritising remediation, but it does not establish that attackers have used a flaw against real-world targets. CISA's Known Exploited Vulnerabilities (KEV) catalog, by contrast, is intended to identify vulnerabilities with evidence of exploitation in the wild.
As reflected in the reviewed evidence, neither CVE-2026-57833 nor CVE-2026-58077 appears in the CISA KEV catalog. There is also no authoritative confirmation in the available evidence that either issue is being actively exploited in the wild.
This distinction should guide communications, not delay action. AcyMailing's 9.2 Critical CVSS 4.0 score and EDocman's 8.7 High score, combined with unauthenticated network exposure and potential database reads, justify urgent patching on internet-facing sites. Administrators should avoid claiming known exploitation unless a future authoritative source confirms it.
Prioritised update and verification checklist
Agencies and site owners managing several Joomla installations should handle this as an inventory-and-remediation task rather than updating only the most visible production site. Use the following sequence.
- Identify affected sites. Review the extension list and deployment records for every Joomla site, including staging, archived, client-managed, and less frequently maintained installations. Record each installed AcyMailing or EDocman version.
- Prioritise exposed systems. Address internet-facing sites first, especially sites that use public newsletter forms, document downloads, member accounts, or databases containing personal or operational data.
- Take a complete backup. Capture both the Joomla filesystem and database before changing an extension. Confirm that the backup can be accessed and that the responsible team knows the rollback procedure.
- Test where practical. For complex or high-traffic sites, apply the update to a representative staging environment first. Check extension workflows, Joomla administration functions, scheduled processes, integrations, and critical front-end pages.
- Apply the correct update. Move AcyMailing to 10.11.1 or later. Move EDocman to 3.9.0 or later, following vendor guidance. Do not substitute an unrelated product version or assume that a higher-looking version number from another extension resolves either CVE.
- Verify the installed version. After updating, confirm the version shown in Joomla's extension management interface and retain an internal record of the date, site, prior version, target version, and person who performed the change.
- Clear caches. Clear Joomla caches and any applicable reverse-proxy, content-delivery, or server-side caches after the update. Then retest normal public and administrator workflows.
- Document exceptions. If an immediate update cannot proceed because of a compatibility issue, record the reason, owner, mitigation, and a near-term remediation date. A properly configured web application firewall may help filter SQL injection attempts temporarily, but it is not a replacement for installing the fix.
Post-update review for potentially exposed databases
Updating stops continued exposure through the known vulnerable version, but it cannot determine whether data was accessed before the patch. If an affected AcyMailing or EDocman version was publicly accessible, treat the database as potentially exposed and begin a proportionate review.
Credentials and secrets
Prioritise credentials that may have been stored in, derived from, or managed through the Joomla database. Rotate Joomla administrator passwords, user passwords where appropriate for the site's risk model, API keys, integration tokens, mailing-service credentials, and other secrets held in configuration or extension data. Ensure administrators use unique passwords and that accounts no longer needed are disabled.
Password hashes are not plaintext passwords, but their possible exposure still warrants a response. The appropriate action depends on the site's authentication design, the sensitivity of accounts, and organisational policy. For high-risk environments, forced password resets and user notification may be part of the incident-response process.
Logs and hosting coordination
Review available web-server, application, database, security-monitoring, and hosting-provider logs covering the period during which the vulnerable extension was deployed. Look for anomalies relevant to the site and its normal traffic patterns, then preserve relevant logs before retention processes remove them. Avoid assuming that an absence of log evidence proves an absence of access; logging coverage varies widely.
Where the site is hosted or managed by another provider, notify the responsible operations or security contact of the affected extension, version range, patch date, and any suspicious observations. Follow the organisation's established incident-response procedures if compromise is suspected. This creates a clear record and helps ensure that infrastructure-level logs or controls are considered alongside Joomla administration.
Operational guidance for Joomla agencies
For agencies, the immediate technical update is only one part of the response. Use the incident to improve extension governance across the client portfolio. Maintain a current software bill of materials for each site, including extension name, vendor, installed version, update channel, business owner, and support status. That inventory makes it possible to identify affected clients quickly when a confirmed advisory is published.
Where possible, separate production and staging environments, schedule regular backup restoration tests, and define who approves emergency changes outside normal maintenance windows. For clients whose sites contain customer, subscriber, or document-related information, include a documented process for credential rotation and hosting escalation after a database-exposure concern.
These measures do not change the specific remediation for the two CVEs, but they reduce the time between an advisory and a verified patch across a multi-site Joomla estate.
Add comment