In recent months, several vulnerabilities have been discovered in both Joomla third-party extensions and the Joomla core itself. We received on 12th July 2026 a report of a security issue affecting DPCalendar, which we document here.
Today, we are releasing the following update:
The next chapter describes some more details about the vulnerability in DPCalendar which exists since version 8.18.0 and affects Joomla 3 installations as well. If you are running DPCalendar 9.x, please update to version 10.0.0 then to version 10.6.0 and then to 10.11.2.
Blind SQL injection
By modifying a URL, an attacker can inject additional SQL code to read data from the Joomla database through a blind SQL injection vulnerability. Data can only be extracted one character per request, making it impossible to retrieve entire tables in a single request. It is NOT possible to modify any data in the database. Extracting a complete Joomla database therefore requires a large number of requests, although AI-assisted tools can significantly speed up the process. Despite these limitations, the vulnerability allows unauthenticated attackers to read sensitive data, which classifies it as High severity. For this reason, we are releasing a security update outside of our regular Thursday release schedule.
Credits
A huge shoutout to Phil Taylor from mysites.guru for spotting the bug and helping every step of the way to get the fix shipped. If you're looking for an easy way to manage Joomla sites, give mysites.guru a try. It keeps your sites updated and monitored from a single dashboard, quietly working in the background so you can focus on what matters most, your clients.
Conclusion
This is the first security vulnerability reported in DPCalendar since its initial release in 2012. While we are grateful that the issue was identified and responsibly disclosed, we deeply regret any concern or inconvenience it may have caused. Security has always been a top priority for DPCalendar by using the core security best practices, and we take reports like this very seriously. We responded as quickly as possible by investigating the issue, developing a fix, and making updates available to affected users within 24 hours, even on holiday. We remain committed to continuously improving our development and security processes to reduce the risk of similar issues in the future. Thank you for your trust and understanding.
Kind regards
Allon Moritz aka laoneo
Founder of Digital Peak
