Skip to main content

Joomla! CMS CVE-2026-48900

| EUVDEUVD-2026-31879 MEDIUM
Improper Access Control (CWE-284)
2026-05-26 Joomla GHSA-cwvc-2p7m-grcm
6.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:12 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.4 (MEDIUM)
CVE Published
May 26, 2026 - 16:43 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

AnalysisAI

Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.

Technical ContextAI

The vulnerability resides in the com_scheduler component of the Joomla! CMS (CPE: cpe:2.3:a:joomla!_project:joomla!_cms:*:*:*:*:*:*:*:*), a built-in plugin that manages automated background tasks. The root cause is classified as CWE-284 (Improper Access Control), meaning the application fails to correctly enforce authorization boundaries when a backend user submits a request to change the task type of an already-existing scheduler job. Rather than verifying that the requesting user holds the appropriate ACL permission for that operation, the component processes the modification request regardless of privilege level. Because scheduler tasks in Joomla can invoke system-level plugins, file operations, or third-party integrations, unrestricted modification of task types exposes adjacent systems and services to unintended behavior - reflected in the CVSS 4.0 subsequent-system scores of SC:H/SI:H/SA:H.

RemediationAI

Apply the patched Joomla! CMS release identified in the official security advisory at https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html - the exact fixed version numbers are not independently confirmed in the available intelligence data and should be verified there before upgrading. As a compensating control prior to patching, administrators can restrict backend login access to only fully trusted users via Joomla's ACL manager, reducing the pool of accounts capable of reaching the com_scheduler interface. Additionally, auditing existing scheduler tasks for unexpected task-type changes can serve as a detective control. Note that restricting backend access may affect legitimate editorial or content-management workflows and should be coordinated with site operators.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

Share

CVE-2026-48900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy