Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-48949 | Lack of validation leads to an XSS vulnerability in the MFA management views. | 5.9 | 0.15% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48948 | An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible. | 6.4 | 0.24% | 2026-07-07 | 2026-07-09 |
| CVE-2026-48947 | An improper access check allows privileged users to overwrite media files without editing permissions. | 6.4 | 0.20% | 2026-07-07 | 2026-07-09 |
| CVE-2026-56290 KEV | The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. | 10.0 | 2.91% | 2026-06-29 | 2026-07-08 |
| CVE-2026-49049 | The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters. | 7.5 | 0.23% | 2026-06-29 | 2026-06-30 |
| CVE-2026-49048 | The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation. | 8.7 | 0.51% | 2026-06-28 | 2026-06-30 |
| CVE-2026-48946 | The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context. | 6.3 | 0.17% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48945 | The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names — non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access. | 5.3 | 0.20% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48944 | The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user — including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint. | 6.5 | 0.29% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48943 | K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table — none of which are exposed by the K2 frontend profile-edit form. | 6.5 | 0.18% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48942 | K2 ≤ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping. | 6.1 | 0.15% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48941 | The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/` | 6.5 | 0.16% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48940 | A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page. | 3.4 | 0.17% | 2026-06-25 | 2026-06-28 |
| CVE-2026-48939 KEV | A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution. | 10.0 | 1.50% | 2026-06-20 | 2026-07-11 |
| CVE-2026-48909 | SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server. | 9.5 | 2.73% | 2026-06-20 | 2026-06-22 |
| CVE-2026-48908 KEV | A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. | 10.0 | 1.57% | 2026-06-20 | 2026-07-08 |
| CVE-2026-48907 KEV | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. | 10.0 | 80.42% | 2026-06-05 | 2026-06-17 |
| CVE-2026-48906 | The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites. | 9.3 | 0.27% | 2026-05-27 | 2026-06-17 |
| CVE-2026-48905 | Lack of input filtering leads to an XSS vector in the HTML filter code. | 6.9 | 0.14% | 2026-05-26 | 2026-06-17 |
| CVE-2026-48904 | An improper access check allows privelege escalation through the com_users group editing webservice endpoint. | 8.2 | 0.29% | 2026-05-26 | 2026-06-17 |