SECURITY ADVISORY: Remository SQL Injection Vulnerability
Published: October 7, 2025
Severity: Critical (CVSS 9.8)
Affected Versions: All Remository versions prior to 4.2.20
Fixed In: Version 4.5.0
CVE: Pending assignment
Summary
A critical SQL injection vulnerability was discovered on 7 October 2025 in Remository's classify view that could allow unauthenticated attackers to execute arbitrary SQL queries against your database.
Impact
- SQL Injection in the classify view parameter
- Potential unauthorized database access
- Possible data extraction or modification
- Affects all Remository installations prior to this patch
Affected Code
The vulnerability exists in:
- components/com_remository/src/Controllers/Advsearch.php (classify view handling)
- components/com_remository/src/Managers/ClassificationManager.php (database query)
Solution
Immediate action - upgrade to version 4.5.0. Available at https://remository.com/downloads/01_-Remository/Remository-4_5_0/
Or apply manual patch - from https://remository.com/downloads/07_-Public-Files/Patch-for-Remository-4_2_19-or-earlier/