AcyMailing – unauthenticated SQL injection (database readable)
Secure version: AcyMailing 10.11.1 or newer · via AcyMailing
At a glance
com_acym)What is this about?
AcyMailing (com_acym) manages newsletters and email campaigns in Joomla. A publicly – i.e. without any login – reachable front-end endpoint inserted supplied parameters unfiltered into an SQL query, so the query could be manipulated (SQL injection).
Through this, an attacker can read any database table – for example the users table with login names and (hashed) passwords, but also articles and internal configuration data. It is a read-only access, yet it exposes sensitive data and paves the way for further attacks (such as cracking the password hashes).
Vulnerable are versions 6.0.0 up to and including 10.11.0. The fix has been available since 9 July 2026 as 10.11.1. The flaw is tracked as CVE-2026-56292.
Am I affected? – How to check
- Open the back end
Log in to the Joomla administrator.
- Check the version
Under Extensions›Manage›Manage, filter for
AcyMailingand read off the version. - Assess the version
If the version is between 6.0.0 and 10.11.0, action is needed. Secure is 10.11.1 or newer.
- Judge the risk
A read attack leaves few visible traces. After a longer unpatched period, assume password hashes may have been exfiltrated.
How to fix it
- Open the Update center
Go to System›Update›Extensions and click Check for updates.
- Update AcyMailing
Select the entry and update to 10.11.1 or newer.
- Verify the version
Then confirm that the new version has been applied.
Official source: via AcyMailing. Make sure you have at least AcyMailing 10.11.1 or newer.
Has the site already been attacked?
Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.
Sources & further reading
- Original advisory – mySites.guruAdvisory with technical details
- AcyMailing / Acyba (vendor)Get the update via the Joomla updater or your AcyMailing account
- CVE-2026-56292 (CVE.org)Official CVE record
- Joomla Vulnerable Extensions List (VEL)Community-run list of vulnerable extensions
The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.
Supporters of this site
htprotect.org is a free, vendor-independent information service. It is supported by:

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.
fc-hosting.deSpecialised in cleaning, maintaining and securing Joomla and WordPress websites.
website-bereinigung.deSupport this project
You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.
Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.
bauschildundservice.deProfessional IT support from Czechia – Windows management, domain administration and web hosting.
defendersoft.czTravel portal from Germany – package holidays, hotels and flights online, with personal travel-agency advice.
onlineweg.deCreative agency from Brandenburg – web design, print media, photography and 360° panoramas from a single source.
criadero.deIT service provider from Wächtersbach – Joomla websites, PC service, hardware and software.
jahnedv.de