CRITICAL · CVE-2026-48902 · CNA: Joomla
CVE-2026-48902: Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
Affected packages
- Joomla! Project / Joomla! CMS: 3.9.0-5.4.5 · 6.0.0-6.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H