What is the CVSS score of EUVD-2026-31878?

EUVD-2026-31878 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Joomla! CMS are affected by EUVD-2026-31878?

Joomla! CMS versions 3.9.0-5.4.5 and 6.0.0-6.1.0 contain a critical transport encryption vulnerability in password reset workflows that transmits reset tokens over HTTP instead of HTTPS when SSL…

How to fix or mitigate EUVD-2026-31878?

Within 24 hours: Inventory all Joomla! installations and identify affected versions (3.9.0-5.4.5, 6.0.0-6.1.0). Within 7 days: Enable the 'Force SSL' configuration flag in Joomla! administrator settings on all instances and verify that password/username reset links generate with HTTPS URLs. Within 30 days: Monitor Joomla! security advisories for patch availability and evaluate upgrade timeline to post-6.1.0 releases once patch is released.

Joomla! CMS EUVD-2026-31878

| CVE-2026-48902 CRITICAL

2026-05-26 Joomla

GHSA-w4ph-7vgc-vxrf

Information Disclosure

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 16:30 vuln.today

CVSS changed

May 28, 2026 - 14:22 NVD

9.8 (CRITICAL)

CVE Published

May 26, 2026 - 16:43 nvd

CRITICAL 9.8

CVE Published

May 26, 2026 - 16:43 nvd

UNKNOWN (no severity yet)

DescriptionNVD

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

AnalysisAI

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated with plain HTTP URLs instead of HTTPS when the 'Force SSL' configuration flag is not explicitly enabled. …

RemediationAI

Within 24 hours: Inventory all Joomla! installations and identify affected versions (3.9.0-5.4.5, 6.0.0-6.1.0). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-31878 vulnerability details – vuln.today

Back

Joomla! CMS EUVD-2026-31878

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code