Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network-reachable deletion with no user interaction (AV:N/AC:L/PR:N/UI:N); file deletion harms integrity and availability (I:H/A:H) but exposes no data (C:N).
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Joomla extension Helix Ultimate is vulnerable to an unauthenticated arbitrary file deletion.
AnalysisAI
Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default installations of the Helix Ultimate extension for Joomla, per the CVSS vector AV:N/AC:L/AT:N/PR:N/UI:N (no authentication, no user interaction, low complexity). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent toward a high but not maximal priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to the vulnerable Helix Ultimate file-deletion task with an attacker-controlled file path, causing the server to delete that file without any credential check. By targeting core Joomla files (for example configuration.php or index.php), the attacker renders the site inoperable or forces it into an installation/error state. … |
| Remediation | No vendor-released patch version is identified in the available data, so the specific fixed release must be confirmed directly with JoomShaper before upgrading; monitor the vendor page at https://www.joomshaper.com/joomla-templates/helixultimate and the Joomla Vulnerable Extensions List, then upgrade Helix Ultimate to the corrected version as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Joomla installations running Helix Ultimate and isolate affected servers from production traffic if possible; implement operating-system-level file permission restrictions on critical Joomla directories (/administrator, /components, /modules) to prevent deletion. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43303
GHSA-rvq6-rmvg-2f9m