GHSA-g868-j3qm-4j28High

georgringer/news has SQL Injection in extension "News system" (news)

Published
May 19, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.

🎯 Affected products5

  • composer/georgringer/news:>= 12.0.0, < 12.3.2
  • composer/georgringer/news:>= 13.0.0, < 13.0.2
  • composer/georgringer/news:>= 14.0.0, < 14.0.3
  • composer/georgringer/news:< 10.0.4
  • composer/georgringer/news:>= 11.0.0, < 11.4.4

🔗 References (4)