Skip to main content

Phoca Download CVE-2026-57828

| EUVDEUVD-2026-43167 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-11 Joomla GHSA-wjv4-xh6c-w4j7
9.0
CVSS 4.0 · Vendor: Joomla
Share

Severity by source

Vendor (Joomla) PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable upload needing only a low-privilege registered account (PR:L, AC:L, UI:N); RCE escapes the app into the OS/web-server context, so S:C with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Joomla).

CVSS VectorVendor: Joomla

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 10:15 vuln.today
CVE Published
Jul 11, 2026 - 09:27 cve.org
CRITICAL 9.0

DescriptionCVE.org

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.

AnalysisAI

Arbitrary file upload in the Phoca Download extension for Joomla lets any authenticated registered user upload executable files (e.g. PHP) that the server will run, yielding full remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege Joomla account
Delivery
Access Phoca Download upload feature
Exploit
Bypass file-type validation with PHP payload
Execution
Store webshell in web root
Persist
Request uploaded file URL
Impact
Execute code as web server user

Vulnerability AssessmentAI

Exploitation Requires a valid low-privilege Joomla account (PR:L) with access to Phoca Download's file-upload functionality - in practice a site that allows user registration or otherwise grants upload rights to the 'Registered' group. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or uses an existing low-privilege) account on a Joomla site running Phoca Download, then abuses the extension's upload function to submit a PHP webshell disguised or mis-validated as an allowed file type. Once the file lands in a web-accessible directory, the attacker requests its URL, causing PHP execution and granting remote command execution as the web server user. …
Remediation Update the Phoca Download extension to the latest version from the vendor via https://www.phoca.cz/phocadownload and the Joomla Extensions updater; no exact fixed version number was provided in the source data, so verify the patched release directly with Phoca before deploying (No vendor-released patch version identified with certainty at time of analysis). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the Phoca Download extension in Joomla admin panel or immediately disable self-registration if the extension is business-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy