Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable upload needing only a low-privilege registered account (PR:L, AC:L, UI:N); RCE escapes the app into the OS/web-server context, so S:C with full C/I/A impact.
Primary rating from Vendor (Joomla).
CVSS VectorVendor: Joomla
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.
AnalysisAI
Arbitrary file upload in the Phoca Download extension for Joomla lets any authenticated registered user upload executable files (e.g. PHP) that the server will run, yielding full remote code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid low-privilege Joomla account (PR:L) with access to Phoca Download's file-upload functionality - in practice a site that allows user registration or otherwise grants upload rights to the 'Registered' group. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers (or uses an existing low-privilege) account on a Joomla site running Phoca Download, then abuses the extension's upload function to submit a PHP webshell disguised or mis-validated as an allowed file type. Once the file lands in a web-accessible directory, the attacker requests its URL, causing PHP execution and granting remote command execution as the web server user. … |
| Remediation | Update the Phoca Download extension to the latest version from the vendor via https://www.phoca.cz/phocadownload and the Joomla Extensions updater; no exact fixed version number was provided in the source data, so verify the patched release directly with Phoca before deploying (No vendor-released patch version identified with certainty at time of analysis). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable the Phoca Download extension in Joomla admin panel or immediately disable self-registration if the extension is business-critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43167
GHSA-wjv4-xh6c-w4j7