Skip to main content

Joomla! CMS CVE-2026-48901

| EUVDEUVD-2026-31871 HIGH
Use of Cache Containing Sensitive Information (CWE-524)
2026-05-26 Joomla GHSA-phf8-w34q-995j
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 16:30 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
7.5 (HIGH)
CVE Published
May 26, 2026 - 16:42 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

AnalysisAI

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without including a security-sensitive parameter, allowing a previously cached filter instance to be returned even when a different security posture was requested. Remote unauthenticated attackers can leverage the resulting filter mismatch to retrieve sensitive data (CVSS 7.5, C:H only). No public exploit identified at time of analysis and EPSS is 0.02% (5th percentile), indicating low predicted exploitation in the near term.

Technical ContextAI

Joomla!'s InputFilter component is the central request-sanitization layer used across the CMS and third-party extensions to scrub user-supplied data. The class implements a singleton/factory pattern via getInstance(), which caches filter objects keyed by their construction parameters so subsequent callers reuse the same configured instance. CWE-524 (Information Exposure Through Caching) describes exactly this defect class: a security-relevant parameter was omitted from the cache key, so two logically distinct filter requests collide on the same cached object and the second caller receives a filter configured for the first caller's (weaker or different) security context. The CPE cpe:2.3:a:joomla!_project:joomla!_cms:*:*:* confirms the core CMS product, not an extension, is affected.

RemediationAI

Upgrade Joomla! CMS to a version beyond the affected ranges - i.e., past 5.4.5 in the 5.x branch and past 6.1.0 in the 6.x branch - per the Joomla! security advisory at https://developer.joomla.org/security-centre/1049-20260517-core-incorrect-cache-key-construction-for-inputfilter-objects.html; consult that advisory for the exact fixed release numbers as the input data does not enumerate a single canonical fix version. Where immediate upgrade is not possible, restrict network exposure of the CMS to trusted networks or place it behind an authenticating reverse proxy or WAF to limit which actors can drive the vulnerable code path, accepting that this only reduces the attacker pool and does not eliminate the cache-key flaw. Audit and minimize third-party extensions that call InputFilter::getInstance() with non-default security parameters, since those callers are most likely to surface the collision; the trade-off is functional regressions in extensions that depend on customized filter configurations.

CVE-2026-48902 CRITICAL
9.8 May 26

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated w

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

CVE-2026-48901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy