HTProtect.org
Independent information site on Joomla security vulnerabilities
HTProtect HTProtect JOOMLA SECURITY
htprotect.org Vulnerabilities & update guides
Security vulnerability

AcyMailing – unauthenticated SQL injection (database readable)

Act now
Update AcyMailing to 10.11.1 or newer immediately – and rotate all passwords after any unpatched window.

Secure version: AcyMailing 10.11.1 or newer · via AcyMailing

At a glance

Affected extension
AcyMailing – newsletter component (com_acym)
Vendor
Type of flaw
Unauthenticated SQL injection via a public front-end endpoint; allows anonymous reading of any database table (user accounts, password hashes, content)
Affected versions
Versions 6.0.0 up to and including 10.11.0
Secure version
AcyMailing 10.11.1 or newer   Download
Severity
Critical
Joomla compatibility
Joomla 3 / 4 / 5
Status / published
Published/patched: 9 July 2026

What is this about?

AcyMailing (com_acym) manages newsletters and email campaigns in Joomla. A publicly – i.e. without any login – reachable front-end endpoint inserted supplied parameters unfiltered into an SQL query, so the query could be manipulated (SQL injection).

Through this, an attacker can read any database table – for example the users table with login names and (hashed) passwords, but also articles and internal configuration data. It is a read-only access, yet it exposes sensitive data and paves the way for further attacks (such as cracking the password hashes).

Vulnerable are versions 6.0.0 up to and including 10.11.0. The fix has been available since 9 July 2026 as 10.11.1. The flaw is tracked as CVE-2026-56292.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the version

    Under ExtensionsManageManage, filter for AcyMailing and read off the version.

  3. Assess the version

    If the version is between 6.0.0 and 10.11.0, action is needed. Secure is 10.11.1 or newer.

  4. Judge the risk

    A read attack leaves few visible traces. After a longer unpatched period, assume password hashes may have been exfiltrated.

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to SystemUpdateExtensions and click Check for updates.

  2. Update AcyMailing

    Select the entry and update to 10.11.1 or newer.

  3. Verify the version

    Then confirm that the new version has been applied.

Manual installation (alternative)
If no update appears, download the package from your AcyMailing account and install it via ExtensionsManageInstall.

Official source: via AcyMailing. Make sure you have at least AcyMailing 10.11.1 or newer.

Has the site already been attacked?

No update brings back data that was already read
The update stops further access but does not undo a read that already happened. If the site was unpatched for a while, rotate all passwords as a precaution (Joomla users, especially administrators), end active sessions and – if possible – regenerate the Joomla secret keys. Also review your Users list for unknown accounts.

Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.

Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.

Support HTProtect now
Bauschild & Service

Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.

bauschildundservice.de
IT Specialista

Professional IT support from Czechia – Windows management, domain administration and web hosting.

defendersoft.cz
onlineweg.de

Travel portal from Germany – package holidays, hotels and flights online, with personal travel-agency advice.

onlineweg.de
Criadero

Creative agency from Brandenburg – web design, print media, photography and 360° panoramas from a single source.

criadero.de
Jahn EDV-Dienst GmbH

IT service provider from Wächtersbach – Joomla websites, PC service, hardware and software.

jahnedv.de