CVE-2026-57828 CRITICAL

CVE-2026-57828: Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3

Vendor Phoca.cz
Product phoca.cz Phoca Download extension for Joomla
Weakness CWE-434 · Unrestricted file upload
Published July 11, 2026
Last update July 11, 2026

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.

Explanation of Vulnerability in Simple Terms

02Summary

The Phoca Download extension for Joomla contains an unrestricted file upload vulnerability. An authenticated user with low privileges can upload arbitrary files to the server, potentially including executable code. This allows an attacker to run their own code on the site and compromise the entire Joomla installation. The vulnerability affects versions 1.0-6.1.2.

What an attacker can do

03Attacker Capabilities

Upload arbitrary files, including executable code, to the server.

Potential impact on your site

04Site Impact

An authenticated attacker can run code on your site and take full control of your Joomla installation.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege Joomla user account.

Key dates

06Disclosure timeline

July 11, 2026 CVE published

Related vulnerabilities

08Related CVE