CVE-2026-48902

CVE-2026-48902: Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links

Vendor Joomla! Project
Product Joomla! CMS
Published May 26, 2026
Last update June 5, 2026

CVSS base score

What the vulnerability does

01Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

Explanation of Vulnerability in Simple Terms

02Summary

Insufficient metadata provided to generate a reliable CVE summary. The CVSS score, vector, CWE classification, and patched version are all unknown. A Joomla! CMS vulnerability affecting versions 3.9.0-5.4.5 has been reported, but the nature of the vulnerability, its severity, and the required fix cannot be determined from the available data.

What an attacker can do

03Attacker Capabilities

Unknown — insufficient vulnerability details provided.

Potential impact on your site

04Site Impact

Unable to assess impact without CVSS score and vulnerability classification.

Conditions required to exploit

05Prerequisites

Unknown — CVSS vector and CWE data missing.

Key dates

06Disclosure timeline

May 26, 2026 CVE published
June 5, 2026 Record updated