Skip to main content

Helix3 (Joomla) CVE-2026-49049

| EUVDEUVD-2026-40122 HIGH
Improper Access Control (CWE-284)
2026-06-29 Joomla GHSA-xr7r-292v-jxg8
7.5
CVSS 3.1 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
8.2 HIGH

Unauthenticated network endpoint with no UI gives AV:N/AC:L/PR:N/UI:N; arbitrary file write/param change yields I:H, and arbitrary file deletion adds limited availability impact (A:L), no confidentiality.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 29, 2026 - 17:21 vuln.today
CVSS changed
Jun 29, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jun 29, 2026 - 14:34 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.

AnalysisAI

Improper access control in the Helix3 template framework extension for Joomla (versions 1.0 through 3.1.1) exposes an AJAX handler task that lets remote unauthenticated attackers delete arbitrary files, write arbitrary JSON files, and modify template parameters. Because the handler performs no authentication or authorization check, an attacker can corrupt site configuration or destroy files without credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Joomla site with Helix3
Delivery
Send unauthenticated request to AJAX task handler
Exploit
Bypass missing access control
Execution
Delete files or write JSON / alter template params
Impact
Site corruption or defacement

Vulnerability AssessmentAI

Exploitation The target must be a Joomla site running the Helix3 extension version 1.0 through 3.1.1 with the vulnerable AJAX handler task reachable over HTTP/HTTPS. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, score 7.5) and the description agree: this is network-reachable, low-complexity, and requires no privileges or user interaction, with high integrity impact and no stated confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP request to the exposed Helix3 AJAX task endpoint on a public Joomla site, with no login required, invoking the file-write or file-delete operation. They overwrite template parameter JSON to alter site behavior or delete critical files to deface or disrupt the site. …
Remediation No vendor-released patch version is identified in the available data; affected versions are listed as 1.0 through 3.1.1, which implies a fixed release likely exists above 3.1.1, but no exact patched version is confirmed here, so upgrade to the latest Helix3 build published by JoomShaper and confirm the fix version directly with the vendor at https://www.joomshaper.com/ before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Joomla instances for Helix3 extension versions 1.0-3.1.1; disable the extension if business-critical functions do not depend on it, or restrict access to the AJAX handler via firewall or WAF rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy