Skip to main content

Joomla! CMS EUVDEUVD-2026-31878

| CVE-2026-48902 CRITICAL
Cleartext Transmission of Sensitive Information (CWE-319)
2026-05-26 Joomla GHSA-w4ph-7vgc-vxrf
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 28, 2026 - 16:30 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
9.8 (CRITICAL)
CVE Published
May 26, 2026 - 16:43 nvd
UNKNOWN (no severity yet)
CVE Published
May 26, 2026 - 16:43 nvd
CRITICAL 9.8

DescriptionCVE.org

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

AnalysisAI

Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated with plain HTTP URLs instead of HTTPS when the 'Force SSL' configuration flag is not explicitly enabled. Affected installations span Joomla! 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0, exposing reset tokens to network interception. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile) despite the 9.8 CVSS rating.

Technical ContextAI

Joomla! is a widely deployed PHP-based content management system that includes self-service account recovery flows for password and username reset. The reset workflow emails users a tokenized link that, when visited, allows them to complete the recovery action. According to the Joomla! developer advisory, the link-construction logic uses the configured site URL scheme rather than forcing HTTPS, so when an administrator has not enabled the 'Force SSL' option in global configuration the framework emits http:// URLs even on sites that serve traffic over TLS. This is a transport encryption downgrade pattern (aligned with CWE-319 Cleartext Transmission of Sensitive Information, though no CWE was assigned in the input) where a sensitive bearer token is delivered to the user agent in clear-text-capable form. The CPE explicitly identifies cpe:2.3:a:joomla!_project:joomla!_cms as the affected product family.

RemediationAI

Patch available per vendor advisory: upgrade to a fixed Joomla! release above 5.4.5 on the 3.x-5.x line and above 6.1.0 on the 6.x line as published in the Joomla! Security Centre bulletin at https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html (exact patched build numbers should be taken from that advisory, as the input data does not enumerate them). As an immediate compensating control administrators should enable the 'Force SSL = Entire Site' option in Global Configuration, which causes Joomla! to always emit https:// URLs (including in reset emails) - the trade-off is that any legacy embedded resource still referenced over http will need to be migrated to avoid mixed-content breakage. Additionally, enforce HSTS at the web server or CDN layer so that even if an http link is generated the user agent upgrades the request before it leaves the browser, accepting that HSTS only protects users who have previously visited the site over HTTPS.

CVE-2026-23898 HIGH
8.6 Apr 01

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote atta

CVE-2026-35223 HIGH
8.6 May 26

Authorization bypass in Joomla CMS com_config webservice endpoints allows authenticated attackers with high privileges t

CVE-2026-23899 HIGH POC
8.6 Apr 01

Improper access control in Joomla! CMS webservice endpoints allows unauthorized attackers to bypass authentication and a

CVE-2026-48897 HIGH
8.2 May 26

Authentication bypass in Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumvent multi-factor auth

CVE-2026-48896 HIGH
8.2 May 26

Two-factor authentication bypass in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to circumve

CVE-2026-48904 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 allows remote attackers to abus

CVE-2026-48898 HIGH
8.2 May 26

Privilege escalation in Joomla! CMS versions 4.0.0-5.4.5 and 6.0.0-6.1.0 allows remote attackers to abuse the com_users

CVE-2026-48901 HIGH
7.5 May 26

Information disclosure in Joomla! CMS arises because InputFilter::getInstance() builds its instance cache key without in

CVE-2026-40383 HIGH
7.5 May 26

Local file inclusion in Joomla! CMS versions 3.2.1 through 5.4.5 and 6.0.0 through 6.1.0 allows authenticated high-privi

CVE-2026-25901 MEDIUM
6.9 May 26

Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated hig

CVE-2026-25900 MEDIUM
6.9 May 26

Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsani

CVE-2026-30895 MEDIUM
6.9 May 26

Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to injec

Share

EUVD-2026-31878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy