Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-57828 | The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE. | 9.0 | N/A | 2026-07-11 | 2026-07-11 |
| CVE-2026-57827 | The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. | 10.0 | N/A | 2026-07-11 | 2026-07-11 |
| CVE-2026-56292 | A SQLi vulnerability in AcyMailing component < 10.11.1 for Joomla was discovered. Exploiting this flaw can lead to unauthorized database access and data leakage. | 9.2 | 0.27% | 2026-07-09 | 2026-07-10 |
| CVE-2026-56291 KEV | The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. | 10.0 | 0.84% | 2026-07-09 | 2026-07-11 |
| CVE-2026-48958 | An improper access check allows unauthorized users to create custom fields via webservices endpoints. | 6.4 | 0.27% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48957 | An improper access check allows unauthorized users to access com_privacy datasets. | 6.4 | 0.24% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48956 | An improper access check allows users to display a list of modules in the frontend. | 6.4 | 0.17% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48955 | An improper access check allows unauthorized users to access workflow stage and transition information. | 6.4 | 0.21% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48954 | Improper validation leads to a generic XSS vector in the language override feature. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48953 | Lack of escaping leads to an XSS vulnerability in the generic image output layout. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48952 | Lack of escaping leads to an XSS vulnerability in the update list view of com_installer. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48951 | Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48950 | Lack of escaping leads to an XSS vulnerability in the file management view of com_templates. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48949 | Lack of validation leads to an XSS vulnerability in the MFA management views. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48948 | An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible. | 6.4 | 0.24% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48947 | An improper access check allows privileged users to overwrite media files without editing permissions. | 6.4 | 0.20% | 2026-07-07 | 2026-07-09 |
| CVE-2026-56290 KEV | The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. | 10.0 | 2.91% | 2026-06-29 | 2026-07-08 |
| CVE-2026-49049 | The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters. | 7.5 | 0.23% | 2026-06-29 | 2026-06-30 |
| CVE-2026-49048 | The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation. | 8.7 | 0.51% | 2026-06-28 | 2026-06-30 |
| CVE-2026-48946 | The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context. | 6.3 | 0.17% | 2026-06-25 | 2026-06-28 |