CVE-2026-48902
published 2026-05-26CVE-2026-48902: The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
PriorityP347critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.19%
8.8th percentile
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla!_project | joomla!_cms | — | — |
| joomla!_project | joomla!_cms | — | — |
| joomla | joomla_! | >= 3.0.0 < 5.4.6 | 5.4.6 |
| joomla | joomla_! | >= 6.0.0 < 6.1.1 | 6.1.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Joomla CMS up to 5.4.5/6.1.0 HTTPS Connection cleartext transmission (WID-SEC-2026-1688)
vuldb·2026-05-28
CVE-2026-48902 [LOW] Joomla CMS up to 5.4.5/6.1.0 HTTPS Connection cleartext transmission (WID-SEC-2026-1688)
A vulnerability described as problematic has been identified in Joomla CMS up to 5.4.5/6.1.0. This vulnerability affects unknown code of the component HTTPS Connection Handler. Such manipulation leads to cleartext transmission of sensitive information.
This vulnerability is referenced as CVE-2026-48902. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
GHSA
GHSA-w4ph-7vgc-vxrf: The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set
ghsa_unreviewed·2026-05-26
CVE-2026-48902 GHSA-w4ph-7vgc-vxrf: The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-26
Published