Joomla sites running affected DPCalendar releases should be updated promptly to address CVE-2026-57831, an unauthenticated blind SQL injection vulnerability that can expose database information. This advisory explains the confirmed affected versions, the correct upgrade targets, and the defensive checks site owners should complete after patching.
CVE-2026-57831 is a confirmed DPCalendar security issue that deserves immediate attention from Joomla administrators. The vulnerability does not require a visitor to sign in or interact with the site, so the appropriate response is to identify affected installations, take a verified backup, install the correct fixed release, and assess whether sensitive data needs further protection.
What CVE-2026-57831 Means for Joomla Extension Vulnerabilities
CVE-2026-57831 identifies an unauthenticated blind SQL injection vulnerability in the DPCalendar extension for Joomla, also known as com_dpcalendar. It was assigned through the Joomla CNA.
SQL injection is a class of flaw in which untrusted input can alter a database query. In this case, the published record describes anonymous read access to the site database. That matters because a Joomla database can contain user account information, configuration data, extension data, and other material whose exposure could create follow-on risk.
The vulnerability is remote: the published CVSS 4.0 vector records network attack access, low attack complexity, no required privileges, and no user interaction. The official CVSS 4.0 score is 8.7 (HIGH):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
In practical terms, a high severity score and unauthenticated network access justify fast remediation. They do not, however, establish that a vulnerability has been exploited on a particular site.
Affected DPCalendar Versions and Fixed Releases
The authoritative CVE record states that DPCalendar versions 8.18.0 through 10.11.1 are affected. Version 10.11.1 is therefore within the affected range and must not be treated as a safe release for this issue.
| Extension | CVE | Authentication required | Affected versions | Recommended version | CVSS | KEV status |
|---|---|---|---|---|---|---|
| DPCalendar / com_dpcalendar | CVE-2026-57831 | None | 8.18.0 through 10.11.1 | 10.11.2 or later on Joomla 4.4.4–6.x; 8.19.4 or later on Joomla 3 | CVSS 4.0: 8.7 HIGH | Not listed in the reviewed CISA KEV catalog evidence |
| AcyMailing | CVE-2026-56292 | Not specified in the reviewed record | 6.0.0 and later, but before 10.11.1 | 10.11.1 | CVSS 4.0: 9.2 CRITICAL; CVSS 3.1: 7.5 HIGH | Not listed in the reviewed CISA KEV catalog evidence |
For DPCalendar, update to 10.11.2 or later when the site runs Joomla 4.4.4 through Joomla 6.x. Sites still operating on Joomla 3 should update to 8.19.4 or later. The DPCalendar product page and the published disclosure provide the available product and remediation context.
Do not delay the update because exploitation has not been confirmed. The reviewed evidence contains no authoritative confirmation that CVE-2026-57831 is being exploited in the wild, no confirmation of ransomware use, and no matching CISA Known Exploited Vulnerabilities (KEV) catalog entry. Those are useful status facts, but they are not a reason to leave an unauthenticated database-access issue exposed.
How to Check and Patch DPCalendar Safely
Agencies and administrators should repeat this process for every Joomla site they maintain. Inventory work matters: an extension can be installed on a low-traffic, archived, staging, or client site even when it is not actively used by the current team.
- Confirm whether DPCalendar is installed. Review the installed extensions in the Joomla administrator area and identify DPCalendar or
com_dpcalendar. Record its installed version and the Joomla version used by that site. - Compare the installed release with the affected range. Treat every DPCalendar version from 8.18.0 through 10.11.1 as affected. Include 10.11.1 in the remediation queue.
- Create and validate a full backup. Back up both the site files and database before changing extensions. A backup is most useful when the restoration procedure and storage location have also been checked.
- Install the correct fixed release. Move Joomla 4.4.4–6.x sites to DPCalendar 10.11.2 or later. Move Joomla 3 sites to DPCalendar 8.19.4 or later. Use the extension's established update process and the product information supplied by the developer.
- Verify the installed version after the update. Return to the extension listing and confirm that the deployed release meets or exceeds the applicable fixed version. Retain a record of the change for the site's maintenance log.
- Clear relevant caches. Clear Joomla caches and any reverse-proxy or CDN caches used by the site so that normal requests are served against the updated application state.
- Perform a focused functional check. Confirm that the site's normal calendar functions work as expected after the change. If an update causes an operational problem, use the tested backup and escalation procedure rather than reverting indefinitely to a vulnerable release.
If a site cannot be updated immediately because of compatibility constraints, document the exception, restrict exposure where feasible, and schedule a supported migration path. Temporary controls can reduce risk, but they do not remove the underlying vulnerability; the fixed DPCalendar release is the remediation.
Post-Patch Review When Sensitive Data May Be at Risk
The CVE record describes anonymous read access to the site database. For a site that ran an affected DPCalendar version for an extended period, particularly one that holds personal, membership, customer, event, or administrative information, treat stored data as potentially exposed until the available evidence has been reviewed.
- Review web-server, application, and relevant database access logs for unusual requests or unexpected errors around the period of exposure.
- Review Joomla administrator accounts and extension configuration for changes that are not explained by authorised maintenance.
- Consider rotating passwords, API keys, and other credentials that could be affected if the investigation indicates a credible exposure concern.
- Follow the organisation's incident-response and notification process when compromise is suspected, preserving relevant logs and backups before they are overwritten.
- Keep the database account used by Joomla limited to the permissions the site needs. This is a sensible containment measure, not a replacement for applying the extension update.
A web application firewall can help filter some SQL injection attempts and should be reviewed as part of defence in depth. It is not a substitute for patching: WAF rules may not cover every request pattern, while the vulnerable code remains present until the extension is updated.
Severity Scores, Exploitation Status, and NVD Analysis
Security advisories often combine two distinct questions: how serious a flaw could be, and whether it has been observed being exploited. CVSS addresses the first question by scoring technical impact and attack conditions. CISA KEV listings address the second by identifying vulnerabilities known to have been exploited. A high CVSS score does not itself prove exploitation, and the absence of a KEV listing does not make a remotely reachable vulnerability safe to postpone.
For CVE-2026-57831, the reviewed CISA KEV evidence has no matching entry. There is also no authoritative confirmation in the reviewed CVE or NVD material of active exploitation or ransomware use. This article therefore does not make either claim.
The NVD record for CVE-2026-57831 currently has a Deferred analysis status. The vulnerability details and score discussed here rely on the CVE record and the available vendor/publisher advisory material; administrators should continue to monitor those records for updates as NVD analysis progresses.
Keep CVSS versions separate when reviewing other advisories. For example, AcyMailing CVE-2026-56292 has an official CVSS 4.0 score of 9.2 (CRITICAL) and an official CVSS 3.1 score of 7.5 (HIGH). These are scores from different CVSS specifications, not competing scores for the same version of the system.
Use This Patch Cycle to Review Other Joomla Extensions
DPCalendar should be the first priority where it is installed, but this incident is also a practical reason to review the extension inventory across every managed Joomla site. Remove extensions that are no longer needed, identify owners for the extensions that remain, and check that each one has a defined update process.
As a separate current example, CVE-2026-56292 affects AcyMailing for Joomla from version 6.0.0 up to, but not including, 10.11.1. Sites using that extension should update to version 10.11.1. Its CVSS 4.0 score is 9.2 (CRITICAL), while its CVSS 3.1 score is 7.5 (HIGH).
Older Joomla core SQL injection issues are useful historical context, not evidence of current flaws in supported releases. Joomla's security advisories document that CVE-2015-7857 affected core versions 3.2.0 through 3.4.4 and was fixed in 3.4.5, while CVE-2017-8917 affected Joomla 3.7.x before 3.7.1 and was fixed in 3.7.1. Maintaining supported Joomla core and extension releases is the durable lesson from those earlier cases.
Prioritized Administrator Checklist
- Identify every site with DPCalendar or
com_dpcalendarinstalled. - Prioritise any instance running version 8.18.0 through 10.11.1.
- Create and validate a full files-and-database backup.
- Update to DPCalendar 10.11.2 or later on Joomla 4.4.4–6.x, or 8.19.4 or later on Joomla 3.
- Verify the installed version, clear Joomla and edge caches, and test normal calendar operation.
- For long-exposed or data-sensitive sites, review logs and begin incident-response steps if evidence suggests compromise.
- Check AcyMailing installations and update affected releases to 10.11.1.
- Review WAF coverage, database permissions, credential-rotation procedures, and the wider extension update inventory.
Fast, documented patching is the appropriate response to CVE-2026-57831. The key facts are clear: the flaw is unauthenticated, remotely reachable, affects DPCalendar through 10.11.1, and has fixed versions available for the relevant Joomla branches.
Add comment