PT-2026-43320 · Joomla · Joomla!

Zeroxjacks

·

Published

2026-05-26

·

Updated

2026-06-15

·

CVE-2026-48902

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Joomla (affected versions not specified)
Description The password and username reset features generate plain http links even when https connections are used, provided the "Force SSL" flag is not explicitly enabled. This leads to a transport encryption downgrade, where secure communications are reverted to an unencrypted state.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Cleartext Transmission of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BIT-JOOMLA-2026-48902
CVE-2026-48902

Affected Products

Joomla!