CVE-2026-48909: Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
Metrics
- CVSS v4.0
- 9.5
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
PHP object injection (unsafe deserialization) in the SP LMS extension (com_splms) for Joomla allows an unauthenticated remote attacker to execute arbitrary code on the server. The extension deserializes user-controlled cookie data without any validation, and the vulnerable code path is reachable over the network with no credentials required. Successful exploitation gives the attacker full remote code execution and, with it, the ability to read, modify, and disrupt the host and any downstream systems. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
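The bug class described above, as an added illustration that is not code from SP LMS or JoomShaper: a hypothetical extension that restores per-visitor state from a cookie. The cookie name (`splms_state`), the state fields, and the secret are assumptions. The unsafe function shows the pattern the advisory describes (`unserialize()` on attacker-controlled input, so a serialized object instantiates whatever class the autoloader can reach); the hardened functions carry the same state as HMAC-signed JSON, which cannot produce objects, and whitelist the fields the application expects. A small detection helper flags cookie values that look like PHP-serialized objects, useful for request logging while an extension is unpatched.

```php
<?php
// Added example, not code from SP LMS or JoomShaper. Names and values below
// (cookie name, state fields, secret) are hypothetical.
declare(strict_types=1);

const STATE_COOKIE = 'splms_state';                        // hypothetical cookie name
const STATE_SECRET = 'replace-with-a-random-32-byte-secret'; // hypothetical; load from config in practice

/**
 * Vulnerable pattern: unserialize() on a value the client controls.
 * Any "O:" payload instantiates a class and runs its __wakeup()/__destruct(),
 * which is the root of PHP object injection. Kept only to show the bug class.
 */
function loadStateUnsafe(array $cookies): mixed
{
    if (!isset($cookies[STATE_COOKIE]) || !is_string($cookies[STATE_COOKIE])) {
        return [];
    }
    return unserialize($cookies[STATE_COOKIE]);   // VULNERABLE: no allowed_classes, no integrity check
}

/**
 * Hardened: state travels as JSON (never objects), signed with an HMAC so a
 * forged or edited cookie is rejected before it is parsed at all.
 */
function encodeState(array $state): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, STATE_SECRET);
    return base64_encode($json) . '.' . $mac;
}

function loadStateSafe(array $cookies): array
{
    if (!isset($cookies[STATE_COOKIE]) || !is_string($cookies[STATE_COOKIE])) {
        return [];
    }
    $parts = explode('.', $cookies[STATE_COOKIE], 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, STATE_SECRET), $mac)) {
        return [];                                  // signature mismatch: ignore the cookie entirely
    }
    $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);   // associative arrays only
    if (!is_array($state)) {
        return [];
    }
    // Whitelist the fields and types the application expects; drop everything else.
    $clean = [];
    if (isset($state['course_id']) && is_int($state['course_id']) && $state['course_id'] > 0) {
        $clean['course_id'] = $state['course_id'];
    }
    if (isset($state['lang']) && is_string($state['lang']) && preg_match('/^[a-z]{2}-[A-Z]{2}$/', $state['lang'])) {
        $clean['lang'] = $state['lang'];
    }
    return $clean;
}

/**
 * Defender-side check: does a cookie value contain a PHP-serialized object
 * ("O:<len>:\"<class>\"") at top level or nested inside an array? Intended for
 * logging or alerting; a match is a strong signal that someone is probing
 * for unsafe deserialization.
 */
function looksLikeSerializedObject(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $value);
}

// Constructed demonstration values.
$good = [STATE_COOKIE => encodeState(['course_id' => 42, 'lang' => 'en-GB'])];
var_dump(loadStateSafe($good));                         // a valid signed cookie

$tampered = [STATE_COOKIE => $good[STATE_COOKIE] . 'x'];
var_dump(loadStateSafe($tampered));                     // one byte appended after signing

// A harmless serialized stdClass: the unsafe loader instantiates it, the safe
// loader rejects it (not a signed JSON envelope), and the check flags it.
$serialized = serialize((object) ['course_id' => 42]);
var_dump(loadStateUnsafe([STATE_COOKIE => $serialized]));
var_dump(loadStateSafe([STATE_COOKIE => $serialized]));
var_dump(looksLikeSerializedObject($serialized));
```

The design choice worth noting is the order of operations in `loadStateSafe`: the HMAC is verified over the raw bytes before any parsing happens, so untrusted input never reaches a decoder, and JSON is used rather than `unserialize(..., ['allowed_classes' => false])` because JSON has no object-instantiation semantics to restrict in the first place.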
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-48909 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the SP LMS extension.
- Scoring and routing: Available
HarborGuard is capable of scoring this finding at CVSS 9.5 (Critical, v4.0) and weighting it against each environment's compliance policy to determine priority. Routing to the appropriate team inbox within each customer organization is available based on configured ownership rules.
- Remediation: Pending upstream
No fix version has been published by JoomShaper as of the CVE publication date; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix ships. For customers with auto-remediation enabled, the rebuild, regression-test run, and a PR opened against affected workloads will follow immediately upon fix availability.
Exploit Conditions
- Network reachability: Required
The vulnerable deserialization endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the Joomla host.
- Authentication: Not required
No account or session credential is needed; the malicious payload is delivered in an unauthenticated cookie.
- Victim interaction: Not required
The attacker sends a crafted request directly to the server; no user action or social engineering step is involved.
- Attack complexity: Low
The base attack complexity is low (AC:L) with no special conditions on the attacker's side, but the vector's AT:P (attack requirements: present) token records that a specific deployment condition, such as a gadget chain present in the PHP environment, must be met for the payload to execute.
Blast Radius
- Attacker executes arbitrary OS commands on the web server, with the privileges of the PHP process.
- Attacker reads all data accessible to that process, including database credentials, session tokens, and stored customer records.
- Attacker modifies or deletes persisted database rows, application files, or configuration, affecting the integrity of the Joomla site and any connected systems.
- Attacker crashes or degrades the affected service and any downstream systems that share the same host or trust boundary, as reflected in the CVSS v4.0 subsequent-system impact scores.
How HarborGuard Handles This
Because no upstream fix exists yet, HarborGuard monitors the JoomShaper advisory on every ingest cycle and will surface a patched-image rebuild the moment version 4.1.4 or later is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict inbound HTTP access to the Joomla host to known-good sources, egress filtering to limit outbound connections from the web-server container, and feature-flag or component-level gating to disable com_splms in images where it is not actively required. Where compliance policy permits, auto-remediation customers will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads within the typical median window for critical-severity issues (around 90 minutes from fix publication) once the patch is available.
Affected Products
- joomshaper.net / SP LMS extension for Joomla: 1.0.0-4.1.3
CVSS v4.0 vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H