What the vulnerability does
01Description
Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field_2 parameter to delete arbitrary files accessible to the web server.
Explanation of Vulnerability in Simple Terms
02Summary
JS Jobs contains a path traversal vulnerability that allows authenticated users to read files outside the intended directory. An attacker with low-level access can craft requests to access sensitive files on the server. This affects versions 1.2.6 and requires an active user account to exploit.
What an attacker can do
03Attacker Capabilities
Read arbitrary files from the server outside the intended directory.
Potential impact on your site
04Site Impact
Sensitive files (config, database credentials, private keys) may be exposed to authenticated users.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06Disclosure timeline
June 4, 2026
CVE published
June 4, 2026
Record updated