Improper access control in Joomla! - CVE-2026-48947

 

Improper access control in Joomla! - CVE-2026-48947

Published: July 8, 2026


Vulnerability identifier: #VU137119
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-48947
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Joomla!
Affected software:
Joomla!

Detailed vulnerability description

The vulnerability allows a remote user to overwrite media files.

The vulnerability exists due to improper access control in com_media webservice endpoints when handling media overwrite requests. A remote user can send a request to overwrite media files.

The issue affects users who have sufficient privileges to access the webservice endpoints but do not have editing permissions for the targeted media files.


How to mitigate CVE-2026-48947

Install security update from vendor's website.

Sources