Home / Vulnerability Intelligence / CVE-2026-22336

CVE-2026-22336 - Vulnerability Analysis

CriticalCVSS: 9.3

Last Updated: April 27, 2026

Directorist Booking - SQL Injection

Published: April 27, 2026Updated: April 27, 2026Remote Exploitable

Overview

Directorist Booking < 3.0.2 contains a sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.

Severity & Score

Severity: Critical

CVSS Score: 9.3

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.

Mitigation

Update to version 3.0.2 or later.

References

https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 27, 2026

🔴 CVE-2026-22336 - Critical (9.3) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection.This issue affects Directorist Booking: from n/a before 3.0.2. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22336/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-22336
Severity: Critical
CVSS Score: 9.3
Type: sql_injection
Status: rejected
EPSS: 3.0%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

EPSS Score

3.0%Probability of exploitation in the next 30 days