Search criteria

227 vulnerabilities

CVE-2026-49049 (GCVE-0-2026-49049)

Vulnerability from cvelistv5 – Published: 2026-06-29 14:34 – Updated: 2026-06-30 05:56
VLAI?
Title
Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler
Summary
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Credits
Phil Taylor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-49049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T15:27:43.202923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T15:28:05.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Helix3 extension for Joomla",
          "vendor": "joomshaper.com",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-3.1.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Phil Taylor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters."
            }
          ],
          "value": "The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T05:56:57.672Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.joomshaper.com/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-49049",
    "datePublished": "2026-06-29T14:34:07.407Z",
    "dateReserved": "2026-05-27T09:16:31.897Z",
    "dateUpdated": "2026-06-30T05:56:57.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56290 (GCVE-0-2026-56290)

Vulnerability from cvelistv5 – Published: 2026-06-29 14:31 – Updated: 2026-07-01 03:55
VLAI?
Title
Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
Summary
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Credits
Phil Taylor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56290",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T03:55:55.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://mysites.guru/blog/pagebuilderck-unauthenticated-file-upload-rce/"
          },
          {
            "tags": [
              "patch"
            ],
            "url": "https://forum.joomlack.fr/index.php/page-builder-ck/21627-nouvelle-version-de-pbck-et-joomla-3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "JoomlaCK.fr Page Builder CK extension for Joomla",
          "vendor": "joomlack.fr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-3.6.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Phil Taylor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE."
            }
          ],
          "value": "The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242: Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "ATTACKED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T05:54:20.747Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.joomlack.fr/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension \u003c 3.6.0",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-56290",
    "datePublished": "2026-06-29T14:31:37.952Z",
    "dateReserved": "2026-06-20T11:57:32.752Z",
    "dateUpdated": "2026-07-01T03:55:55.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49048 (GCVE-0-2026-49048)

Vulnerability from cvelistv5 – Published: 2026-06-28 18:37 – Updated: 2026-06-29 14:33
VLAI?
Title
Joomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla < 6.4.1
Summary
The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Credits
Kamil Soltanov
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-49048",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T13:01:04.463736Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T13:01:09.924Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "JoomCCK extension for Joomla",
          "vendor": "joomcoder.com",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-6.4.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kamil Soltanov"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation."
            }
          ],
          "value": "The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-29T14:33:03.738Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.joomcoder.com/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla \u003c 6.4.1",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-49048",
    "datePublished": "2026-06-28T18:37:13.380Z",
    "dateReserved": "2026-05-27T09:16:31.896Z",
    "dateUpdated": "2026-06-29T14:33:03.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48945 (GCVE-0-2026-48945)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:26 – Updated: 2026-06-28 18:39
VLAI?
Title
Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
Summary
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
CWE
  • CWE-434 - Unrestricted Upload via archive extraction
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T18:45:48.959013Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T18:45:53.728Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/\u003cid\u003e/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names \u2014 non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access."
            }
          ],
          "value": "The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/\u003cid\u003e/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names \u2014 non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload via archive extraction",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:39:05.415Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48945",
    "datePublished": "2026-06-25T15:26:48.917Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:39:05.415Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48940 (GCVE-0-2026-48940)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:26 – Updated: 2026-06-28 18:38
VLAI?
Title
Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
Summary
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 3.4,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48940",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T18:47:21.595982Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T18:47:31.383Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A Joomla user with K2 \"create item\" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `\u003cscript\u003e` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page."
            }
          ],
          "value": "A Joomla user with K2 \"create item\" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `\u003cscript\u003e` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:38:46.748Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48940",
    "datePublished": "2026-06-25T15:26:27.174Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:38:46.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48941 (GCVE-0-2026-48941)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:25 – Updated: 2026-06-28 18:38
VLAI?
Title
Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla < 2.26
Summary
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`
CWE
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48941",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T18:51:08.132365Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T18:51:16.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`"
            }
          ],
          "value": "The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorisation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:38:20.470Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48941",
    "datePublished": "2026-06-25T15:25:58.533Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:38:20.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48946 (GCVE-0-2026-48946)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:25 – Updated: 2026-06-28 18:37
VLAI?
Title
Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla < 2.26
Summary
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T03:55:55.052Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache\u0027s standard mod_php matches `\\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server\u0027s context."
            }
          ],
          "value": "The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache\u0027s standard mod_php matches `\\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server\u0027s context."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:37:50.059Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Privileged RCE vulnerability in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48946",
    "datePublished": "2026-06-25T15:25:28.947Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:37:50.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48944 (GCVE-0-2026-48944)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:24 – Updated: 2026-06-28 18:37
VLAI?
Title
Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 extension for Joomla < 2.26
Summary
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48944",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T18:42:56.836321Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T18:43:28.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user \u2014 including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint."
            }
          ],
          "value": "The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user \u2014 including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:37:04.294Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Exposure of sensitive files via attachment copy in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48944",
    "datePublished": "2026-06-25T15:24:45.138Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:37:04.294Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48942 (GCVE-0-2026-48942)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:23 – Updated: 2026-06-28 18:29
VLAI?
Title
Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26
Summary
K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48942",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T15:52:10.335054Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T15:52:26.928Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "K2 \u2264 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping."
            }
          ],
          "value": "K2 \u2264 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:29:05.078Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48942",
    "datePublished": "2026-06-25T15:23:38.156Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:29:05.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48943 (GCVE-0-2026-48943)

Vulnerability from cvelistv5 – Published: 2026-06-25 15:22 – Updated: 2026-06-28 18:35
VLAI?
Title
Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26
Summary
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form.
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes — i.e. mass-assignment
Assigner
References
Impacted products
Credits
Matan Bahar Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48943",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T18:46:02.531914Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T18:46:31.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "K2 extension for Joomla",
          "vendor": "getk2.org",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-2.26"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form."
            }
          ],
          "value": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes \u2014 i.e. mass-assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T18:35:03.388Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.getk2.org/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla \u003c 2.26",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48943",
    "datePublished": "2026-06-25T15:22:50.562Z",
    "dateReserved": "2026-05-26T16:47:13.550Z",
    "dateUpdated": "2026-06-28T18:35:03.388Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48908 (GCVE-0-2026-48908)

Vulnerability from cvelistv5 – Published: 2026-06-20 11:57 – Updated: 2026-06-25 05:52
VLAI?
Title
Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2
Summary
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Credits
Phil Taylor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48908",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T17:30:39.061979Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T18:49:36.164Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/"
          },
          {
            "tags": [
              "vendor-advisory"
            ],
            "url": "https://www.joomshaper.com/forum/question/45152"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SP Page Builder extension for Joomla",
          "vendor": "joomshaper.net",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-6.6.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Phil Taylor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code."
            }
          ],
          "value": "A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242: Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "ATTACKED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T05:52:22.604Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.joomshaper.com/page-builder"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla \u003c 6.6.2",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48908",
    "datePublished": "2026-06-20T11:57:00.501Z",
    "dateReserved": "2026-05-26T10:06:17.657Z",
    "dateUpdated": "2026-06-25T05:52:22.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48939 (GCVE-0-2026-48939)

Vulnerability from cvelistv5 – Published: 2026-06-20 11:56 – Updated: 2026-07-03 03:55
VLAI?
Title
Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15
Summary
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Credits
Phil Taylor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48939",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-03T03:55:16.003Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/"
          },
          {
            "tags": [
              "patch"
            ],
            "url": "https://www.icagenda.com/docs/changelog/icagenda-3-9-15"
          },
          {
            "tags": [
              "patch"
            ],
            "url": "https://www.icagenda.com/docs/changelog/icagenda-4-0-8"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Polosss/By-Poloss..-..CVE-2026-48939"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iCagenda extension for Joomla",
          "vendor": "icagenda.com",
          "versions": [
            {
              "status": "affected",
              "version": "3.2.1-4.0.7"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Phil Taylor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution."
            }
          ],
          "value": "A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242: Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "ATTACKED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T05:51:45.924Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.icagenda.com/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla \u003c 4.0.8/3.9.15",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48939",
    "datePublished": "2026-06-20T11:56:50.752Z",
    "dateReserved": "2026-05-26T16:47:13.549Z",
    "dateUpdated": "2026-07-03T03:55:16.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48909 (GCVE-0-2026-48909)

Vulnerability from cvelistv5 – Published: 2026-06-20 11:56 – Updated: 2026-06-23 05:52
VLAI?
Title
Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4
Summary
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Credits
Amin Isayev
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48909",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T17:44:42.382324Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T17:44:50.120Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SP LMS extension for Joomla",
          "vendor": "joomshaper.net",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-4.1.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Amin Isayev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SP LMS (com_splms) \u003c 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server."
            }
          ],
          "value": "SP LMS (com_splms) \u003c 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586: Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T05:52:22.025Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.joomshaper.com/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla \u003c 4.1.4",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48909",
    "datePublished": "2026-06-20T11:56:46.771Z",
    "dateReserved": "2026-05-26T10:06:17.657Z",
    "dateUpdated": "2026-06-23T05:52:22.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48907 (GCVE-0-2026-48907)

Vulnerability from cvelistv5 – Published: 2026-06-05 07:31 – Updated: 2026-06-20 11:56
VLAI?
Title
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
Summary
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Credits
David Jardin Uwe Flottemesch
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48907",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-06-16",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48907"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T03:56:01.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory"
            ],
            "url": "https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48907"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-16T00:00:00.000Z",
            "value": "CVE-2026-48907 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla Content Editor (JCE) extension for Joomla",
          "vendor": "joomlacontenteditor.net",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-2.9.99.4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "David Jardin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Uwe Flottemesch"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution."
            }
          ],
          "value": "A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242: Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "ATTACKED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-20T11:56:48.886Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.joomlacontenteditor.net/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla \u003c 2.9.99.5",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48907",
    "datePublished": "2026-06-05T07:31:30.257Z",
    "dateReserved": "2026-05-26T10:06:17.657Z",
    "dateUpdated": "2026-06-20T11:56:48.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48906 (GCVE-0-2026-48906)

Vulnerability from cvelistv5 – Published: 2026-05-27 09:11 – Updated: 2026-06-05 07:27
VLAI?
Title
Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla
Summary
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
tassos.gr Novarain/Tassos Framework (plg_system_nrframework) Affected: 1.0.0-6.0.1
Create a notification for this product.
    tassos.gr Convert Forms Affected: 1.0.0-4.4.12
Affected: 5.0.0-5.1.5
Create a notification for this product.
    tassos.gr EngageBox Affected: 1.0.0-6.3.11
Affected: 7.0.0-7.1.1
Create a notification for this product.
    tassos.gr Google Structured Data Affected: 1.0.0-5.6.11
Affected: 6.0.0-6.1.9
Create a notification for this product.
    tassos.gr Advanced Custom Fields Affected: 1.0.0-2.8.12
Affected: 3.0.0-3.1.3
Create a notification for this product.
    tassos.gr Smile Pack Affected: 1.0.0-1.2.6
Affected: 2.0.0-2.1.0
Create a notification for this product.
    tassos.gr Tassos Code Snippets Affected: 1.0.0
Create a notification for this product.
    tassos.gr MailChimp Auto-Subscribe Affected: 1.0.0-5.0.5
Affected: 5.1.0-5.2.0
Create a notification for this product.
Credits
Leandro Vallim
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T12:10:04.491382Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T12:11:19.309Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Novarain/Tassos Framework (plg_system_nrframework)",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-6.0.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Convert Forms",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-4.4.12"
            },
            {
              "status": "affected",
              "version": "5.0.0-5.1.5"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EngageBox",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-6.3.11"
            },
            {
              "status": "affected",
              "version": "7.0.0-7.1.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Google Structured Data",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-5.6.11"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.9"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Advanced Custom Fields",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-2.8.12"
            },
            {
              "status": "affected",
              "version": "3.0.0-3.1.3"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Smile Pack",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-1.2.6"
            },
            {
              "status": "affected",
              "version": "2.0.0-2.1.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Tassos Code Snippets",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MailChimp Auto-Subscribe",
          "vendor": "tassos.gr",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-5.0.5"
            },
            {
              "status": "affected",
              "version": "5.1.0-5.2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Leandro Vallim"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
            }
          ],
          "value": "The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T07:27:40.844Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://tassos.gr"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework \u003c 6.1.0 for Joomla",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48906",
    "datePublished": "2026-05-27T09:11:40.231Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-06-05T07:27:40.844Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35221 (GCVE-0-2026-35221)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:46 – Updated: 2026-05-27 09:15
VLAI?
Title
Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder
Summary
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 6.0.0-6.1.0
Affected: 5.4.0-5.4.5
Create a notification for this product.
Credits
Adrian Junge aka vurlo
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35221",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:48:47.050683Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:09:03.190Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            },
            {
              "status": "affected",
              "version": "5.4.0-5.4.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Adrian Junge aka vurlo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder."
            }
          ],
          "value": "Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:15:29.303Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1038-20260506-core-authenticated-blind-sqli-in-com-finder.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260506] - Authenticated blind SQLi in com_finder",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-35221",
    "datePublished": "2026-05-26T16:46:10.415Z",
    "dateReserved": "2026-04-01T19:23:13.196Z",
    "dateUpdated": "2026-05-27T09:15:29.303Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48903 (GCVE-0-2026-48903)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:46 – Updated: 2026-05-27 09:15
VLAI?
Title
Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code.
Summary
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! Framework Filter package Affected: 1.0.0-3.0.5
Affected: 4.0.0-4.0.1
Create a notification for this product.
Credits
JSST
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48903",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:48:55.382555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:09:17.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! Framework Filter package",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-3.0.5"
            },
            {
              "status": "affected",
              "version": "4.0.0-4.0.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "JSST"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components."
            }
          ],
          "value": "Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-18",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-18 XSS Targeting Non-Script Elements"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:15:23.009Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1051-20260519-framework-inadequate-content-filtering-within-the-checkattribute-filter-code.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48903",
    "datePublished": "2026-05-26T16:46:05.152Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-05-27T09:15:23.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48896 (GCVE-0-2026-48896)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:45 – Updated: 2026-05-27 09:15
VLAI?
Title
Joomla! Core - [20260511] - MFA Authentication Bypass
Summary
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
CWE
  • CWE-287 - Improper Authentication
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Doyensec in collaboration with Claude and Anthropic Research Christos Papakonstantinou, Cantina
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48896",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T18:56:43.158826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:57:20.522Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Doyensec in collaboration with Claude and Anthropic Research"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Christos Papakonstantinou, Cantina"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient state checks lead to a vector that allows to bypass 2FA checks."
            }
          ],
          "value": "Insufficient state checks lead to a vector that allows to bypass 2FA checks."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115: Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:15:12.329Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1043-20260511-core-mfa-authentication-bypass.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260511] - MFA Authentication Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48896",
    "datePublished": "2026-05-26T16:45:55.573Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-05-27T09:15:12.329Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35220 (GCVE-0-2026-35220)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:45 – Updated: 2026-05-27 09:14
VLAI?
Title
Joomla! Core - [20260505] - CSRF in user activation endpoint
Summary
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Sun HuangnSec
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35220",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:49:20.616038Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:09:30.708Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sun HuangnSec"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users."
            }
          ],
          "value": "Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:14:34.686Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260505] - CSRF in user activation endpoint",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-35220",
    "datePublished": "2026-05-26T16:45:19.690Z",
    "dateReserved": "2026-04-01T19:23:13.196Z",
    "dateUpdated": "2026-05-27T09:14:34.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40383 (GCVE-0-2026-40383)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:45 – Updated: 2026-05-27 09:14
VLAI?
Title
Joomla! Core - [20260509] - LFI in HTMLView layout parameter
Summary
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 3.2.1-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Doyensec in collaboration with Claude and Anthropic Research
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T18:58:29.241684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:59:09.609Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "3.2.1-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Doyensec in collaboration with Claude and Anthropic Research"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper validation of user-supplied input leads to a local file inclusion vulnerability."
            }
          ],
          "value": "An improper validation of user-supplied input leads to a local file inclusion vulnerability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-252",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-252 PHP Local File Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:14:28.517Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260509] - LFI in HTMLView layout parameter",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-40383",
    "datePublished": "2026-05-26T16:45:14.402Z",
    "dateReserved": "2026-04-12T05:13:31.714Z",
    "dateUpdated": "2026-05-27T09:14:28.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35222 (GCVE-0-2026-35222)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:45 – Updated: 2026-06-05 07:30
VLAI?
Title
Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags
Summary
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 6.0.0-6.1.0
Affected: 4.0.0-5.4.5
Create a notification for this product.
Credits
Adrian Junge aka vurlo Federico Brasili, https://www.linkedin.com/in/federico-brasili-00b4b7332/
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35222",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T19:14:06.766795Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T14:37:50.763Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            },
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Adrian Junge aka vurlo"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Federico Brasili, https://www.linkedin.com/in/federico-brasili-00b4b7332/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improperly validated order clauses lead to a SQL injection vulnerability in com_tags."
            }
          ],
          "value": "Improperly validated order clauses lead to a SQL injection vulnerability in com_tags."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T07:30:10.304Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1039-20260507-core-authenticated-blind-sqli-in-com-tags.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260507] - Authenticated blind SQLi in com_tags",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-35222",
    "datePublished": "2026-05-26T16:45:13.390Z",
    "dateReserved": "2026-04-01T19:23:13.196Z",
    "dateUpdated": "2026-06-05T07:30:10.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40384 (GCVE-0-2026-40384)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:45 – Updated: 2026-05-27 09:14
VLAI?
Title
Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint
Summary
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Doyensec in collaboration with Claude and Anthropic Research
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40384",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T19:17:10.492296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T19:17:18.855Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Doyensec in collaboration with Claude and Anthropic Research"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability."
            }
          ],
          "value": "An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:14:15.239Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1042-20260510-core-path-traversal-in-com-media-webservice-endpoint.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260510] - Path traversal in com_media webservice endpoint",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-40384",
    "datePublished": "2026-05-26T16:45:02.051Z",
    "dateReserved": "2026-04-12T05:13:31.714Z",
    "dateUpdated": "2026-05-27T09:14:15.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48905 (GCVE-0-2026-48905)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:45 – Updated: 2026-05-27 09:14
VLAI?
Title
Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code.
Summary
Lack of input filtering leads to an XSS vector in the HTML filter code.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! Framework Filter package Affected: 1.0.0-3.0.5
Affected: 4.0.0-4.0.1
Create a notification for this product.
Credits
Jesper den Boer
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:50:04.513114Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:09:45.430Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! Framework Filter package",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0-3.0.5"
            },
            {
              "status": "affected",
              "version": "4.0.0-4.0.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jesper den Boer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lack of input filtering leads to an XSS vector in the HTML filter code."
            }
          ],
          "value": "Lack of input filtering leads to an XSS vector in the HTML filter code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-18",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-18 XSS Targeting Non-Script Elements"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:14:13.346Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48905",
    "datePublished": "2026-05-26T16:45:00.666Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-05-27T09:14:13.346Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48897 (GCVE-0-2026-48897)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:44 – Updated: 2026-05-27 09:14
VLAI?
Title
Joomla! Core - [20260512] - MFA Authentication Bypass
Summary
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
CWE
  • CWE-287 - Improper Authentication
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Morris Baumgarten-Egemole
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48897",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T19:19:17.612461Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T19:19:26.183Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Morris Baumgarten-Egemole"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient state checks lead to a vector that allows to bypass 2FA checks."
            }
          ],
          "value": "Insufficient state checks lead to a vector that allows to bypass 2FA checks."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115: Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:14:05.696Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1044-20260512-core-mfa-authentication-bypass.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260512] - MFA Authentication Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48897",
    "datePublished": "2026-05-26T16:44:53.779Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-05-27T09:14:05.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25901 (GCVE-0-2026-25901)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:44 – Updated: 2026-05-27 09:28
VLAI?
Title
Joomla! Core - [20260502] - XSS in com_associations
Summary
Lack of output escaping leads to a XSS vector in the multilingual associations component.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
vnth4nhnt from CyStack Aisle Research, Pavel Kohout
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25901",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:49:52.442848Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:10:00.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "vnth4nhnt from CyStack"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Aisle Research, Pavel Kohout"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."
            }
          ],
          "value": "Lack of output escaping leads to a XSS vector in the multilingual associations component."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-18",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-18 XSS Targeting Non-Script Elements"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:28:14.477Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1034-20260502-core-xss-in-com-associations.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260502] - XSS in com_associations",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-25901",
    "datePublished": "2026-05-26T16:44:25.314Z",
    "dateReserved": "2026-02-07T04:53:10.344Z",
    "dateUpdated": "2026-05-27T09:28:14.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48899 (GCVE-0-2026-48899)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:44 – Updated: 2026-05-27 09:13
VLAI?
Title
Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins
Summary
An improper access check allows privilege escalation through the com_users batch task.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
廖双
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48899",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T03:55:50.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u5ed6\u53cc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper access check allows privilege escalation through the com_users batch task."
            }
          ],
          "value": "An improper access check allows privilege escalation through the com_users batch task."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:13:16.497Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48899",
    "datePublished": "2026-05-26T16:44:06.616Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-05-27T09:13:16.497Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48900 (GCVE-0-2026-48900)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:43 – Updated: 2026-05-27 09:12
VLAI?
Title
Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler
Summary
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.1.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Federico Brasili, https://www.linkedin.com/in/federico-brasili-00b4b7332/
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:39:11.873493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T17:39:19.945Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.1.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Federico Brasili, https://www.linkedin.com/in/federico-brasili-00b4b7332/"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper access check allowed low privileged users to edit the task types of existing scheduler tasks."
            }
          ],
          "value": "An improper access check allowed low privileged users to edit the task types of existing scheduler tasks."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:12:59.814Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260516] - Incorrect Access Control in com_scheduler",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48900",
    "datePublished": "2026-05-26T16:43:51.153Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-05-27T09:12:59.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48902 (GCVE-0-2026-48902)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:43 – Updated: 2026-06-05 07:28
VLAI?
Title
Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links
Summary
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
CWE
  • CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 3.9.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
@ZeroXJacks, https://github.com/ZeroXJacks
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-48902",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T13:23:36.738591Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-319",
                "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T11:58:08.395Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "3.9.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "@ZeroXJacks, https://github.com/ZeroXJacks"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The password and username reset features created plain http links for https connections if the \"Force SSL\" flag wasn\u0027t explicitly set."
            }
          ],
          "value": "The password and username reset features created plain http links for https connections if the \"Force SSL\" flag wasn\u0027t explicitly set."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T07:28:36.374Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-48902",
    "datePublished": "2026-05-26T16:43:32.835Z",
    "dateReserved": "2026-05-26T10:06:17.656Z",
    "dateUpdated": "2026-06-05T07:28:36.374Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35223 (GCVE-0-2026-35223)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:43 – Updated: 2026-05-27 09:12
VLAI?
Title
Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints
Summary
An improper access check allows unauthorized access to com_config webservice endpoints.
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 4.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Rishi Shakya Qi Deng
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T03:55:48.920Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rishi Shakya"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Qi Deng"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper access check allows unauthorized access to com_config webservice endpoints."
            }
          ],
          "value": "An improper access check allows unauthorized access to com_config webservice endpoints."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:12:29.087Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1040-20260508-core-improper-access-check-in-com-config-webservice-endpoints.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260508] - Improper access check in com_config webservice endpoints",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-35223",
    "datePublished": "2026-05-26T16:43:21.784Z",
    "dateReserved": "2026-04-01T19:23:13.196Z",
    "dateUpdated": "2026-05-27T09:12:29.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25900 (GCVE-0-2026-25900)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:43 – Updated: 2026-05-27 09:12
VLAI?
Title
Joomla! Core - [20260501] - XSS in feed modules
Summary
Lack of output escaping leads to a XSS vector in the feed modules.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Joomla! Project Joomla! CMS Affected: 3.0.0-5.4.5
Affected: 6.0.0-6.1.0
Create a notification for this product.
Credits
Mohamed Elabbas Sun Huang
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:27:08.169302Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T17:27:18.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Joomla! CMS",
          "vendor": "Joomla! Project",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.0-5.4.5"
            },
            {
              "status": "affected",
              "version": "6.0.0-6.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mohamed Elabbas"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sun Huang"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lack of output escaping leads to a XSS vector in the feed modules."
            }
          ],
          "value": "Lack of output escaping leads to a XSS vector in the feed modules."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-18",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-18 XSS Targeting Non-Script Elements"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:12:20.038Z",
        "orgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
        "shortName": "Joomla"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://developer.joomla.org/security-centre/1033-20260501-core-xss-in-feed-modules.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Joomla! Core - [20260501] - XSS in feed modules",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6ff30186-7fb7-4ad9-be33-533e7b05e586",
    "assignerShortName": "Joomla",
    "cveId": "CVE-2026-25900",
    "datePublished": "2026-05-26T16:43:13.780Z",
    "dateReserved": "2026-02-07T04:53:10.343Z",
    "dateUpdated": "2026-05-27T09:12:20.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}