
SP LMS CVE-2026-48909

EUVD-2026-38108 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-20 · Joomla · GHSA-gf8c-xmwj-whrh
9.5 (CVSS 4.0) · Vendor: Joomla

Severity by source

Vendor (Joomla), primary source: 9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.8 CRITICAL

Because the cookie is parsed before authentication over plain HTTP, AV:N/PR:N/UI:N apply; the need for a viable gadget chain is a real but low-effort barrier, mapped to AC:L in CVSS 3.1 (and AT:P in 4.0), and full RCE gives C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS Vector (Vendor: Joomla)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Analysis Generated: Jun 22, 2026 - 05:50 (vuln.today)
CVE Published: Jun 20, 2026 - 11:56 (cve.org)

Description (source: CVE.org)

SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.

Analysis (AI-generated)

Unauthenticated remote code execution in JoomShaper's SP LMS (com_splms) Joomla extension, versions 1.0.0 through 4.1.3, allows network attackers to run arbitrary code on the server by sending a crafted cookie that the component deserializes without validation. The flaw is a textbook PHP object injection (CWE-502) with a CVSS 4.0 base score of 9.5, but at the time of analysis no public exploit has been identified and the issue is not on the CISA KEV list. …
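The cookie-deserialization pattern that the description and analysis above refer to, shown here as an added illustration written for this page rather than SP LMS's own code (the page does not show the extension's internals): the insecure form that passes a cookie straight to unserialize(), beside a hardened replacement that uses JSON, an allow-list of keys and an HMAC so tampering is rejected before anything is parsed. The cookie name splms_prefs, the preference keys and the HMAC key are assumptions.

```php
<?php
// Added illustration of the CWE-502 pattern in the advisory; not SP LMS code.
// Cookie name, preference keys and the HMAC key are assumptions.

// Insecure: every serialized object in the cookie is instantiated, so the
// __wakeup()/__destruct() methods of classes already loaded by the Joomla
// stack run on attacker-controlled state (the "gadget chain" in the analysis).
function load_prefs_insecure(array $cookies): array
{
    $raw  = $cookies['splms_prefs'] ?? '';
    $data = @unserialize($raw);              // no validation, objects allowed
    return is_array($data) ? $data : [];
}

// Hardened: never unserialize() user input. JSON cannot express PHP objects,
// the expected keys are allow-listed and cast, and an HMAC over the payload
// lets the server reject anything it did not issue itself.
const PREF_KEYS = ['course_sort' => 'string', 'per_page' => 'int'];

function sign_prefs(array $prefs, string $key): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);         // 64 lowercase hex chars
    return base64_encode($json) . '.' . $mac;
}

function load_prefs_secure(array $cookies, string $key): array
{
    $raw = $cookies['splms_prefs'] ?? '';
    if (!preg_match('/^([A-Za-z0-9+\/=]+)\.([a-f0-9]{64})$/', $raw, $m)) {
        return [];                                    // malformed: ignore
    }
    $json = base64_decode($m[1], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $m[2])) {
        return [];                                    // tampered: ignore
    }
    try {
        $data = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach (PREF_KEYS as $k => $type) {             // allow-list and cast
        if (array_key_exists($k, $data)) {
            $clean[$k] = $type === 'int' ? (int) $data[$k] : (string) $data[$k];
        }
    }
    return $clean;
}

// If legacy serialized cookies must still be read during a migration, at
// least forbid object instantiation (PHP 7+): objects come back as
// __PHP_Incomplete_Class and no magic methods run. This blocks gadget chains
// but is not a substitute for the JSON + HMAC approach above.
function unserialize_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}
```

The HMAC key must be a server-side secret (for a Joomla extension, something derived from the site's configured secret rather than a constant in code); without it the allow-list alone still stops object injection, but a user could freely edit their own preference values.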


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Joomla site running com_splms
Delivery: Craft serialized PHP POP-chain payload
Exploit: Send HTTP request with malicious cookie
Execution: Trigger unsafe deserialization in SP LMS
Persist: Execute code as web server user
Impact: Deploy webshell and exfiltrate data

Vulnerability Assessment (AI-generated)

Exploitation: The target must run JoomShaper SP LMS (com_splms) at version 4.1.3 or earlier on a network-reachable Joomla site, and the attacker must be able to reach any HTTP endpoint that triggers the vulnerable cookie-parsing path. No Joomla account, admin role, or user interaction is required, matching the CVSS PR:N/UI:N metrics. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All available signals point to a high-priority issue. The CVSS 4.0 vector is AV:N/AC:L/AT:P/PR:N/UI:N with high confidentiality, integrity and availability impact on both the vulnerable and subsequent systems, meaning network-reachable, no authentication, and no user interaction once the attack-template precondition (a usable gadget chain) is met. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker reaches a Joomla site running SP LMS over the internet, sets a crafted cookie containing a serialized PHP gadget chain built from classes loaded by the Joomla stack, and issues a single HTTP request to any com_splms route. The extension deserializes the cookie before authentication, the gadget chain fires during object destruction, and the attacker gains code execution as the web server user, pivoting to webshell installation or database theft. …

Remediation: Vendor-released patch: SP LMS 4.1.4. Upgrade com_splms to 4.1.4 or later via the Joomla extension manager as the primary fix, sourcing the package from https://www.joomshaper.com/ and cross-checking the advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-48909 and https://vuldb.com/vuln/372540. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Inventory all Joomla installations and identify those running com_splms versions 1.0.0 through 4.1.3; isolate affected systems from internet-facing traffic or restrict access via firewall rules. …
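One way to carry out the inventory step above across several Joomla document roots, as an added example that is neither vuln.today's nor JoomShaper's tooling: the script reads each site's SP LMS extension manifest and compares its version against the fixed release 4.1.4 with PHP's version_compare, exiting non-zero when any site is affected. The manifest path administrator/components/com_splms/splms.xml follows Joomla's usual component layout but is an assumption for this particular extension; adjust it if the installed package names its manifest differently.

```php
<?php
// Added example, not vuln.today's or JoomShaper's tooling. The manifest
// location is an assumption based on Joomla's standard component layout.

const FIXED_VERSION = '4.1.4';   // first fixed release per the advisory
const MANIFEST_REL  = 'administrator/components/com_splms/splms.xml';

// Return the <version> string from a Joomla extension manifest, or null
// when the component is not installed under this root or is unreadable.
function splms_version(string $joomlaRoot): ?string
{
    $path = rtrim($joomlaRoot, '/') . '/' . MANIFEST_REL;
    if (!is_file($path)) {
        return null;                          // com_splms not installed here
    }
    $xml = @simplexml_load_file($path);
    if ($xml === false || !isset($xml->version)) {
        return null;                          // not a usable manifest
    }
    return trim((string) $xml->version);
}

// True when the version falls in the affected range (anything below 4.1.4).
// version_compare() handles multi-part and pre-release suffixes consistently.
function is_affected(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

// Roots come from the command line, e.g.
//   php splms_check.php /var/www/site1 /var/www/site2
$exit = 0;
foreach (array_slice($argv ?? [], 1) as $root) {
    $v = splms_version($root);
    if ($v === null) {
        printf("%-40s com_splms not found\n", $root);
    } elseif (is_affected($v)) {
        printf("%-40s com_splms %s  AFFECTED, upgrade to %s\n", $root, $v, FIXED_VERSION);
        $exit = 1;
    } else {
        printf("%-40s com_splms %s  ok\n", $root, $v);
    }
}
exit($exit);
```

Because the exit status reflects whether any affected install was found, the script can sit in a cron job or configuration-management run and raise an alert until every site reports the patched version.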

