Back to overview

CVE-2026-57828

CRITICAL
9.0
CVSS 4.0
Description
The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.

Metadata

CVE ID
CVE-2026-57828
State
PUBLISHED
Assigner
Joomla
Reserved
2026-06-25 16:55 UTC
Published
2026-07-11 09:27 UTC
Last updated
2026-07-11 09:27 UTC
Primary CWE
CWE-434
CWE-434: Unrestricted Upload of File with Dangerous Type
Vendor / Product
phoca.cz / phoca.cz Phoca Download extension for Joomla
Sources
cve.org  ·  NVD

Severity & Metrics

9.0 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products (1)
VendorProductPlatformVersions
phoca.cz phoca.cz Phoca Download extension for Joomla 1.0-6.1.2
Weakness (CWE)
CWESourceDescription
CWE-434 cna CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.0 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Back to overview