Joomla sites using AcyMailing 6.0.0 through 10.11.0 should update the extension to version 10.11.1 or later to remediate CVE-2026-56292, an unauthenticated SQL injection vulnerability. This advisory explains the confirmed Joomla scope, the official CVSS 4.0 rating, practical update steps, and the separate WordPress-only AcyMailing issue that agencies may also need to track.
AcyMailing administrators should treat CVE-2026-56292 as a prompt patching priority: the confirmed Joomla vulnerability can be reached remotely without a user account, and AcyMailing 10.11.1 is the first version outside the documented affected range.
CVE-2026-56292: A Joomla AcyMailing SQL Injection
CVE-2026-56292 is an unauthenticated SQL injection vulnerability in the AcyMailing extension for Joomla, identified as com_acym. The official CVE and NVD records scope this issue to Joomla: AcyMailing versions 6.0.0 through 10.11.0 are affected, while version 10.11.1 is the first non-affected release in the documented range.
SQL injection is a weakness in how an application handles data sent to a database. In this case, the confirmed impact is confidentiality-focused: a remote, unauthenticated party could potentially read sensitive information from the Joomla site's database. That information may include user-account data and password hashes. This describes what the flaw makes possible; it does not establish that any particular Joomla installation has been accessed or that data has been taken.
The CVE record for CVE-2026-56292 was assigned by the Joomla CNA. The public disclosure credits Phil Taylor of mySites.guru as the finder; administrators can also review the original disclosure for background. For the affected-version boundary and official scoring, the CVE and NVD records should be the primary reference points.
Joomla Extension Vulnerabilities at a Glance
The following table separates the confirmed Joomla SQL injection from a different AcyMailing vulnerability in the WordPress plugin. Keeping product scope separate matters: CVE-2026-56292 is currently documented for Joomla only, while CVE-2026-3614 is a WordPress-only issue and is not known to affect Joomla.
| Product and platform | CVE | Authentication | Affected versions | Recommended version or action | CVSS | CISA KEV status |
|---|---|---|---|---|---|---|
| AcyMailing extension for Joomla (com_acym) | CVE-2026-56292 | None required | 6.0.0 through 10.11.0 | Update to 10.11.1 or later | CVSS 4.0: 9.2, Critical CVSS 3.1: 7.5, High |
Not currently listed |
| AcyMailing plugin for WordPress | CVE-2026-3614 | Authenticated | 9.11.0 through 10.8.1 | Use a vendor-fixed version newer than 10.8.1 | CVSS 3.1: 8.8, High | Not currently listed |
The official severity rating for the Joomla issue is CVSS 4.0 9.2 (Critical). The NVD record also provides a CVSS 3.1 score of 7.5 (High). These scores use different CVSS versions and should not be treated as conflicting assessments. An earlier third-party provisional CVSS 4.0 score of 8.7 (High) has been superseded for practical advisory purposes by the official 9.2 CVSS 4.0 score in the CVE/NVD records.
Severity is not the same as observed exploitation. Neither CVE-2026-56292 nor CVE-2026-3614 is currently listed in CISA's Known Exploited Vulnerabilities catalog, and the available evidence does not authoritatively confirm exploitation in the wild. Absence from that catalog is not a guarantee that a flaw is not being exploited; it means CISA has not listed it as a known exploited vulnerability. The unauthenticated network exposure and potential database disclosure remain sufficient reasons to update without delay.
How to Update AcyMailing on Joomla Safely
For Joomla site owners, the remediation target is direct: update AcyMailing to 10.11.1 or later on every affected site. Do not assume that a recent Joomla core update also updates third-party extensions. AcyMailing must be checked as its own installed extension.
- Identify every affected site. Review client inventories, hosting accounts, staging environments, and less frequently maintained campaign or archive sites. Record each site's AcyMailing version and whether the extension is enabled.
- Take a tested backup. Create a full backup of both the Joomla files and database before changing the extension. Confirm that the backup is available for restoration rather than merely assuming a scheduled backup succeeded.
- Obtain the current AcyMailing release. Use the extension's established update mechanism or the official AcyMailing website. Avoid unofficial package sources.
- Install version 10.11.1 or a later version. Complete the update during a suitable maintenance window where possible, especially on sites with active subscriptions, mail queues, or integrations.
- Clear applicable caches and verify the installed version. Confirm in Joomla's extension management or AcyMailing administration that the installed version is 10.11.1 or later.
- Perform focused functional checks. Verify that the public site loads, administrative access works, and the site's normal mailing functions operate as expected. Keep testing proportionate to the site's configuration and avoid unnecessary changes during a security update.
If an update causes a compatibility problem, use the verified backup and a planned rollback process to restore service. A rollback returns the vulnerable code, however, so it should be a short-term operational measure only. Resolve the compatibility issue, consult the extension developer's current guidance, and return to a fixed version as soon as possible.
Review Exposure After Patching
Installing the fix closes the documented vulnerability going forward, but it cannot establish what may or may not have happened while a site ran a vulnerable release. The depth of any review should reflect the site's exposure period, the sensitivity of stored data, available logs, and the organisation's incident-response process.
Start with evidence preservation and log review
Before logs rotate, preserve relevant web-server, Joomla, hosting-control-panel, and application logs according to the organisation's retention practices. Review the period during which the vulnerable version was installed for unusual requests involving AcyMailing, unexpected error patterns, abnormal data-transfer activity, or other anomalies. Do not treat the absence of a single log indicator as proof that there was no access; logging coverage differs by host and configuration.
Review privileged access and secrets proportionately
Because the vulnerability could expose database contents, sites that ran an affected release for an extended period should consider rotating Joomla administrator passwords and other sensitive credentials that may have been stored in or linked to the environment. Review administrator accounts for unexpected additions or changes, and check recent authentication activity where records are available. If the Joomla database contains subscriber information or other personal data, involve the appropriate security, privacy, or client stakeholders in deciding whether a formal incident assessment is needed.
Database password hashes are designed not to reveal the original password directly, but their possible exposure still warrants a measured response. Password rotation, unique passwords, and multi-factor authentication where available reduce the impact of credential reuse. Also review service credentials connected to the site, based on what the environment actually uses, rather than conducting indiscriminate disruptive changes.
WAFs and Other Compensating Controls
A web application firewall can sometimes reduce exposure to suspicious traffic patterns, but it is not a replacement for updating AcyMailing. Firewall rules can be incomplete, misconfigured, bypassed, or applied too late, while the vulnerable extension remains installed. Treat a WAF as a temporary, layered control during the update window and not as a reason to postpone the version change.
Other sensible supporting measures include limiting unnecessary public functionality, keeping Joomla core and all extensions current, using least-privilege database permissions where the hosting design permits it, retaining useful logs, and maintaining an accurate software inventory. These practices improve response speed for future Joomla extension vulnerabilities, but none removes CVE-2026-56292 from a site still running an affected AcyMailing release.
Separate WordPress Context: CVE-2026-3614
Agencies and freelancers who manage both Joomla and WordPress should track CVE-2026-3614 separately. It is a privilege-escalation issue in the AcyMailing WordPress plugin, affecting versions 9.11.0 through 10.8.1. It is not the Joomla SQL injection, and the current CVE/NVD information does not indicate that it applies to Joomla.
This WordPress issue requires authentication. The documented weakness is a missing capability check in an AJAX handler, which can allow authenticated users with Subscriber-level access or higher to reach administrative-only controllers and ultimately authenticate as arbitrary WordPress users, including administrators. WordPress administrators should update to a vendor-fixed version newer than 10.8.1, restrict unnecessary low-privilege accounts until the update is complete, and review administrator accounts and recent login activity.
The WordPress issue has a CVSS 3.1 score of 8.8 (High). Its NVD record is marked Deferred, meaning NVD has not completed independent analysis and its entry largely mirrors the CVE record and referenced material. The published WordPress vulnerability reference provides additional context. Do not use a Joomla update to address this WordPress plugin issue, and do not assume that the Joomla CVE confirms equivalent WordPress SQL injection exposure.
Prioritised Checklist for Site Owners and Agencies
- Immediately: Find every Joomla installation using AcyMailing and update versions 6.0.0 through 10.11.0 to 10.11.1 or later.
- Before each update: Take and verify a complete files-and-database backup.
- After each update: Clear relevant caches, confirm the installed AcyMailing version, and run appropriate site and mailing-function checks.
- For long-exposed sites: Preserve and review available logs, assess administrator accounts and authentication activity, and consider rotating administrator passwords and other relevant secrets.
- For mixed-platform portfolios: Separately identify WordPress sites using AcyMailing 9.11.0 through 10.8.1 and update those plugins to a vendor-fixed version newer than 10.8.1.
- For future advisories: Maintain a current inventory of client sites, installed extensions, versions, owners, and maintenance contacts so security updates can be applied consistently.
The practical conclusion is straightforward: Joomla administrators do not need confirmed exploitation or a CISA KEV entry before acting. The verified affected range, unauthenticated nature, potential confidentiality impact, and available fixed version make updating AcyMailing to 10.11.1 or later the appropriate immediate response.
Add comment