CVE-2026-48902

CVE-2026-48902: Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links

Vendor Joomla! Project

Product Joomla! CMS

Published May 26, 2026

Last update June 5, 2026

CVSS base score

—

What the vulnerability does

Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

Key dates

May 26, 2026 CVE published

June 5, 2026 Record updated

CVE CVE-2026-48902

Vendor Joomla! Project

Product Joomla! CMS

Affected 3.9.0-5.4.5

Vendor Joomla! Project

Product Joomla! CMS

Affected 6.0.0-6.1.0