SB2026052686 - Multiple vulnerabilities in Joomla!
Published: May 26, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2026-48896)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass multi-factor authentication checks.
The vulnerability exists due to improper authentication state management in the MFA authentication flow when handling login requests. A remote attacker can send a specially crafted authentication sequence to bypass multi-factor authentication checks.
2) Improper Authentication (CVE-ID: CVE-2026-48897)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass multi-factor authentication checks.
The vulnerability exists due to improper authentication state management in the session handling logic when processing authentication sessions. A remote user can manipulate incorrectly reset session states to bypass multi-factor authentication checks.
3) Improper access control (CVE-ID: CVE-2026-48898)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the com_users batch task when handling batch user management operations. A remote user can perform a crafted batch task request to escalate privileges.
4) Improper access control (CVE-ID: CVE-2026-48904)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the com_users group editing webservice endpoint when handling webservice requests. A remote user can send a crafted request to escalate privileges.
5) Improper access control (CVE-ID: CVE-2026-48899)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform unauthorized actions related to the installation of sample data.
The vulnerability exists due to improper access control in sample data plugins when handling installation actions for sample data. A remote attacker can invoke sample data installation functionality to perform unauthorized actions related to the installation of sample data.
6) Improper access control (CVE-ID: CVE-2026-48900)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify the task types of existing scheduler tasks.
The vulnerability exists due to improper access control in com_scheduler when handling requests to edit existing scheduler tasks. A remote user can send a crafted request to modify the task types of existing scheduler tasks.
7) Use of cache containing sensitive information (CVE-ID: CVE-2026-48901)
CWE-ID: CWE-524 - Use of Cache Containing Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass intended input filtering.
The vulnerability exists due to improper cache key construction in InputFilter::getInstance() when creating cached InputFilter objects. A remote attacker can trigger reuse of an InputFilter instance with an omitted security-sensitive parameter to bypass intended input filtering.
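To make the cache-key defect behind item 7 concrete, here is an added example (not Joomla's code; the class, method and parameter names are hypothetical, PHP 8.1+ assumed): a cached filter factory whose key omits the security-sensitive flag collides for two differently configured filters, while a key built from every constructor argument keeps them apart.

```php
<?php
// Added example, not Joomla's code. DemoInputFilter / DemoFilterFactory are
// hypothetical stand-ins for a cached InputFilter factory (CWE-524 pattern).

final class DemoInputFilter
{
    public function __construct(
        public readonly array $tags,
        public readonly array $attrs,
        public readonly int $tagsMethod,
        public readonly int $attrsMethod,
        public readonly int $xssAuto, // security-sensitive: 1 = auto-strip XSS vectors
    ) {}
}

final class DemoFilterFactory
{
    /** @var array<string, DemoInputFilter> */
    private static array $cache = [];

    // Defective key: $xssAuto is left out, so xssAuto=1 and xssAuto=0 share a slot
    // and whichever caller comes first decides what the other one gets.
    public static function keyOmittingFlag(array $t, array $a, int $tm, int $am, int $xssAuto): string
    {
        return hash('sha256', serialize([$t, $a, $tm, $am]));
    }

    // Hardened key: every argument that changes filter behaviour, defaults included.
    public static function keyFull(array $t, array $a, int $tm, int $am, int $xssAuto): string
    {
        return hash('sha256', serialize([$t, $a, $tm, $am, $xssAuto]));
    }

    public static function getInstance(array $tags = [], array $attrs = [], int $tagsMethod = 0,
                                       int $attrsMethod = 0, int $xssAuto = 1): DemoInputFilter
    {
        $key = self::keyFull($tags, $attrs, $tagsMethod, $attrsMethod, $xssAuto);
        return self::$cache[$key] ??= new DemoInputFilter($tags, $attrs, $tagsMethod, $attrsMethod, $xssAuto);
    }
}

// Regression check: configurations differing only in the sensitive flag must not collide.
$check = static function (bool $ok, string $msg): void { if (!$ok) { throw new RuntimeException($msg); } };
$check(DemoFilterFactory::keyOmittingFlag([], [], 0, 0, 1) === DemoFilterFactory::keyOmittingFlag([], [], 0, 0, 0),
       'defective key is expected to collide (this is the bug)');
$check(DemoFilterFactory::keyFull([], [], 0, 0, 1) !== DemoFilterFactory::keyFull([], [], 0, 0, 0),
       'hardened key must distinguish xssAuto=1 from xssAuto=0');
$strict = DemoFilterFactory::getInstance();
$lax    = DemoFilterFactory::getInstance(xssAuto: 0);
$check($strict !== $lax && $strict->xssAuto === 1 && $lax->xssAuto === 0, 'instances must not be shared');
echo "cache key covers every security-relevant parameter\n";
```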
8) Cleartext transmission of sensitive information (CVE-ID: CVE-2026-48902)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to obtain password or username reset links over an unencrypted connection.
The vulnerability exists due to improper transport layer protection in the password and username reset features when generating reset links for https connections without the "Force SSL" flag explicitly set. A remote attacker can trigger generation of a reset link that uses plain http to obtain password or username reset links over an unencrypted connection.
Only installations where the "Force SSL" flag is not explicitly set are vulnerable.
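For item 8, an added example (not Joomla's code; function names, the `$trustProxy` parameter and the request array are constructed for illustration, PHP 8+ assumed) contrasts a link builder that picks the scheme from the "Force SSL" flag alone with one that never downgrades an https request to http.

```php
<?php
// Added example, not Joomla's code. Shows why a reset link's scheme must be
// derived from the actual request, not from a "Force SSL" flag alone (CWE-319).

// True when the request arrived over TLS. X-Forwarded-Proto is honoured only
// when the caller states the reverse proxy in front of PHP is trusted.
function requestIsHttps(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if ((int) ($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    return $trustProxy && strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

// Defective pattern: with the flag unset, an https request still yields a plain-http link.
function resetLinkFlagOnly(array $server, string $path, bool $forceSsl): string
{
    return ($forceSsl ? 'https' : 'http') . '://' . $server['HTTP_HOST'] . $path;
}

// Hardened: https if the flag is set OR the request itself was https; never downgrade.
function resetLinkHardened(array $server, string $path, bool $forceSsl, bool $trustProxy = false): string
{
    $scheme = ($forceSsl || requestIsHttps($server, $trustProxy)) ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . $path;
}

// Constructed request: TLS terminated by the web server, "Force SSL" not set.
$server = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'example.test'];
$path   = '/index.php?option=com_users&view=reset&token=CONSTRUCTED_TOKEN'; // constructed path

$weak = resetLinkFlagOnly($server, $path, false);
$good = resetLinkHardened($server, $path, false);
if (!str_starts_with($weak, 'http://') || !str_starts_with($good, 'https://')) {
    throw new RuntimeException('unexpected scheme');
}
echo "flag-only builder: $weak\nhardened builder:  $good\n";
```

As a deployment check, sites that terminate TLS at a proxy should pass the trusted-proxy flag only when the proxy strips and rewrites `X-Forwarded-Proto` itself, otherwise a client can spoof the header.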
9) Cross-site scripting (CVE-ID: CVE-2026-48903)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to inadequate content filtering in the checkAttribute methods when processing crafted attribute content. A remote attacker can supply crafted input to execute arbitrary script code in a victim's browser.
10) Cross-site scripting (CVE-ID: CVE-2026-48905)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the cleanAttributes filter code when processing insufficiently filtered HTML content. A remote attacker can supply crafted content to execute arbitrary script code in a victim's browser.
Remediation
Install the update from the vendor's website.
References
- https://developer.joomla.org/security-centre/1043-20260511-core-mfa-authentication-bypass.html
- https://developer.joomla.org/security-centre/950-20260511-core-mfa-authentication-bypass.html
- https://developer.joomla.org/security-centre/1044-20260512-core-mfa-authentication-bypass.html
- https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html
- https://developer.joomla.org/security-centre/950-20260513-core-privilege-escalation-through-com-users-batch-task.html
- https://developer.joomla.org/security-centre/1046-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html
- https://developer.joomla.org/security-centre/950-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html
- https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html
- https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html
- https://developer.joomla.org/security-centre/950-20260516-core-incorrect-access-control-in-com-scheduler.html
- https://developer.joomla.org/security-centre/1049-20260517-core-incorrect-cache-key-construction-for-inputfilter-objects.html
- https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html
- https://developer.joomla.org/security-centre/1051-20260519-framework-inadequate-content-filtering-within-the-checkattribute-filter-code.html
- https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html