Important information for all Joomla website owners! On July 9, 2026, a critical vulnerability was discovered in the popular AcyMailing (com_acym) email newsletter component. The vulnerability allows an unauthenticated attacker to execute arbitrary SQL queries against the site database, leading to the exposure of confidential data.

The vulnerability has been assigned CVE-2026-56292. With a CVSS 4.0 score of 9.2 (Critical), this represents a severe threat. Attackers are already actively scanning the internet for vulnerable sites.

Acyba developers released a fix in version 10.11.1 on July 9, 2026. This update is critically urgent — delaying the patch will lead to the exposure of all your site data, including user passwords.

Understanding the Threat: What Was Fixed?

The vulnerability is a SQL injection (CWE-89) in the AcyMailing component. Unlike many other security flaws, this attack does not require authentication. This means the attacker doesn't need to know your administrator password.

How the hack works:

  1. Lack of checks: In versions up to 10.11.0, a public front-end endpoint accepted request parameters and placed them directly into the column list of a SELECT query without sanitizing or quoting them. Joomla's standard text filter, applied to the parameters, strips HTML but does nothing to neutralize SQL syntax.

  2. Query execution: The attacker sends a specially crafted HTTP request to the vulnerable endpoint, which turns the query into one reading from any table in the Joomla database.

  3. Data retrieval: The query results are returned in the server response. No account is needed, no CSRF token is required.

  4. Outcome: The hacker gains access to Joomla user accounts (including password hashes), article records, extension configurations, and other stored data.

Who Is at Risk?

All sites running the AcyMailing component versions below 10.11.1 are at risk, including all versions from 6.0.0 through 10.11.0.

Please note:
The vulnerability affects not only Joomla but also WordPress! AcyMailing for WordPress is built on the same codebase and contains the same vulnerability. Updating to version 10.11.1 is necessary for both platforms.

How to Fix It: Step-by-Step Instructions

To address this vulnerability, follow the steps below.

Step 1: Update AcyMailing Immediately

  1. Go to your Joomla administrator panel and navigate to Extensions → Manage → Update.

  2. Click "Purge Cache" and then "Find Updates".

  3. Locate the update for AcyMailing (com_acym) in the list.

  4. Update to version 10.11.1 or higher.

If the update does not appear:
Download the latest version manually from the official Acyba developer website and install it via Extensions → Manage → Install.

Step 2: Check for Signs of Compromise

Since the vulnerability allows reading data from the database, a thorough inspection is necessary, especially if you suspect the site may have been compromised.

  1. Change all passwords: Database password, FTP/SSH, hosting control panel, as well as passwords for all users with administrator privileges.

  2. Check user accounts: In the Users → Manage section, sort the list by registration date. Find and delete any suspicious administrator accounts that you did not create.

  3. Check access logs: Review server logs for suspicious requests to the AcyMailing component, especially those with unusual parameters.

Step 3: Additional Security Measures

In addition to updating the component, we strongly recommend:

  • Update the Joomla core to the latest version.

  • Install and configure Admin Tools Pro: Generate a strict .htaccess file, activate SQL injection and CSRF protection.

  • Regularly create backups of your site to enable quick recovery in case of an incident.

Important!
If your site has been hacked and you are unsure what to do, or have any doubts, contact us immediately for assistance!

Terms used:

AcyMailing, HTML, SQL