CVE-2026-49049

CVE-2026-49049: Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler

Vendor Joomshaper.com
Product Helix3 extension for Joomla
Weakness CWE-284
Published June 29, 2026
Last update June 30, 2026

CVSS base score

What the vulnerability does

01Description

The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.

Explanation of Vulnerability in Simple Terms

02Summary

Helix3 extension for Joomla contains an access control vulnerability that may allow unauthorized users to perform restricted actions. The exact attack vector and impact cannot be fully determined due to incomplete CVSS data. Site administrators should contact JoomShaper for clarification on affected versions and available patches.

What an attacker can do

03Attacker Capabilities

Perform actions restricted to higher-privilege users, depending on the specific access control flaw.

Potential impact on your site

04Site Impact

Unauthorized users may bypass intended access restrictions within the Helix3 extension.

Conditions required to exploit

05Prerequisites

Access to the Joomla site; specific privilege level and user interaction requirements unknown.

Key dates

06Disclosure timeline

June 29, 2026 CVE published
June 30, 2026 Record updated