PT-2026-51136 · Joomshaper.Net · Sp Lms Extension For Joomla

Amin Isayev

·

Published

2026-06-20

·

Updated

2026-06-20

·

CVE-2026-48909

CVSS v4.0

9.5

Critical

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SP LMS (com splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2026-48909

Affected Products

Sp Lms Extension For Joomla