Skip to main content

Helix Ultimate Extension For Joomla

2 CVEs product

Monthly

CVE-2026-57830 HIGH This Week

Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-57829 HIGH This Week

Stored cross-site scripting in JoomShaper's Helix Ultimate template framework for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because injection requires no authentication (PR:N) but relies on a victim rendering the poisoned content (UI:P), an attacker can hijack sessions, steal credentials, or perform actions as high-privilege administrators who visit the page. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.7
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Helix Ultimate Extension For Joomla
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in JoomShaper's Helix Ultimate template framework for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because injection requires no authentication (PR:N) but relies on a victim rendering the poisoned content (UI:P), an attacker can hijack sessions, steal credentials, or perform actions as high-privilege administrators who visit the page. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Helix Ultimate Extension For Joomla
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy