CVE-2026-49049 | The Helix3 plugin for Joomla exposes an ajax handler task, t… | CVSS 7.5 HIGH

Description

The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.

Metadata

CVE ID: CVE-2026-49049
State: PUBLISHED
Assigner: Joomla
Reserved: 2026-05-27 09:16 UTC
Published: 2026-06-29 14:34 UTC
Last updated: 2026-06-29 15:28 UTC
Primary CWE: CWE-284
CWE-284 Improper Access Control
Vendor / Product: joomshaper.com / Helix3 extension for Joomla
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
joomshaper.com	Helix3 extension for Joomla	—	1.0-3.1.1

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284 Improper Access Control

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (1)

https://www.joomshaper.com/