Cleartext transmission of sensitive information in Joomla! - CVE-2026-48902


Published: May 26, 2026


Vulnerability identifier: #VU132333
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48902
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Joomla!
Affected software:
Joomla!

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain password or username reset links over an unencrypted connection.

The vulnerability exists due to improper transport layer protection in the password and username reset features: when a site is accessed over HTTPS but the "Force SSL" flag is not explicitly set, the reset link is generated with a plain http scheme. A remote attacker can trigger generation of such a reset link and thereby obtain password or username reset links over an unencrypted connection.

Only installations where the "Force SSL" flag is not explicitly set are vulnerable.
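The description above gives a defender two things to check: whether the site's "Force SSL" option is explicitly set, and whether outgoing reset messages actually carry http links. The script below is an added example written for this page, not code from Joomla or from the advisory. It assumes that Joomla stores the option in configuration.php as `public $force_ssl = N;` with 0 = None, 1 = Administrator Only, 2 = Entire Site, and it treats only the whole-site value as covering the front-end reset flow (the advisory does not say which values it considers "explicitly set", so that is this example's assumption). The configuration snippet and the reset e-mail body are constructed sample inputs; the reset URL, its host and its token are placeholders.

```python
import re
from urllib.parse import urlparse

# Assumption: Joomla keeps the Global Configuration "Force SSL" option in
# configuration.php as a property of class JConfig, e.g.  public $force_ssl = 0;
# Assumed value meanings: 0 = None, 1 = Administrator Only, 2 = Entire Site.
FORCE_SSL_RE = re.compile(r"public\s+\$force_ssl\s*=\s*(\d+)\s*;")
FORCE_SSL_LABELS = {0: "None", 1: "Administrator Only", 2: "Entire Site"}

# Absolute URLs inside an e-mail body; reset mails carry the token in the query string.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def force_ssl_setting(config_text: str):
    """Return the integer $force_ssl value found in configuration.php, or None if absent."""
    m = FORCE_SSL_RE.search(config_text)
    return int(m.group(1)) if m else None


def force_ssl_covers_site(config_text: str) -> bool:
    """True only when Force SSL is explicitly set for the entire site (value 2)."""
    return force_ssl_setting(config_text) == 2


def is_cleartext_link(url: str) -> bool:
    """A reset link travels in cleartext unless its scheme is https."""
    return urlparse(url).scheme.lower() != "https"


def cleartext_reset_links(message_body: str):
    """Return every absolute URL in an outgoing reset message that uses plain http."""
    return [u for u in URL_RE.findall(message_body) if is_cleartext_link(u)]


def audit(config_text: str, message_body: str) -> dict:
    """Combine both checks into one report: the configured setting and any http links."""
    value = force_ssl_setting(config_text)
    return {
        "force_ssl": value,
        "force_ssl_label": FORCE_SSL_LABELS.get(value, "unknown"),
        "force_ssl_covers_site": force_ssl_covers_site(config_text),
        "cleartext_links": cleartext_reset_links(message_body),
    }


# --- constructed sample inputs (not taken from any real installation) ---
SAMPLE_CONFIG_UNSET = """<?php
class JConfig {
    public $sitename = 'Example Site';
    public $force_ssl = 0;
}
"""

SAMPLE_CONFIG_SET = SAMPLE_CONFIG_UNSET.replace("$force_ssl = 0;", "$force_ssl = 2;")

# Constructed reset message; host and token are placeholders.
SAMPLE_RESET_MAIL = """Hello,
A request has been made to reset your password. Use the link below:
http://example.test/index.php?option=com_users&view=reset&layout=confirm&token=PLACEHOLDER_TOKEN
"""


if __name__ == "__main__":
    for key, val in audit(SAMPLE_CONFIG_UNSET, SAMPLE_RESET_MAIL).items():
        print(f"{key}: {val}")
```

Run against a real site by feeding it the contents of configuration.php and the body of a captured outgoing reset message (for example from the mail transport's queue or log). A report showing `force_ssl_covers_site: False` together with a non-empty `cleartext_links` list is the condition the advisory describes; after the vendor update is installed, re-running the e-mail check confirms that generated links now use https.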


How to mitigate CVE-2026-48902

Install the security update from the vendor's website.

Sources