Password and Username Reset Vulnerability in Joomla
CVE-2026-48902
Currently unrated
What is CVE-2026-48902?
Joomla's password and username reset features generate plain HTTP links for HTTPS connections when the 'Force SSL' flag is not set. This can expose sensitive information during the reset process and make it easier for attackers to intercept credentials. Users should configure this setting correctly to ensure secure communications.
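A configuration check for the condition described above, added here as an example (it is not Joomla project code and not part of the original advisory). It reads the `$force_ssl` value that Joomla keeps in configuration.php for the Force SSL option and lists plain-HTTP links found in a reset e-mail. The sample config, host name and e-mail are constructed, and treating only level 2 (entire site) as covering the reset pages is an assumption.

```python
import re
from urllib.parse import urlparse

# Joomla stores the "Force SSL" option as $force_ssl in configuration.php:
# 0 = none, 1 = administrator only, 2 = entire site.
FORCE_SSL_RE = re.compile(r"""public\s+\$force_ssl\s*=\s*['"]?(\d)['"]?\s*;""")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def force_ssl_level(config_text):
    """Return the force_ssl value from configuration.php text, or None if absent."""
    match = FORCE_SSL_RE.search(config_text)
    return int(match.group(1)) if match else None


def insecure_links(mail_body, site_host):
    """Return links in a reset e-mail that point at site_host over plain HTTP."""
    found = []
    for url in URL_RE.findall(mail_body):
        parsed = urlparse(url.rstrip(".,)"))
        if parsed.scheme.lower() == "http" and parsed.hostname == site_host:
            found.append(parsed.geturl())
    return found


def audit(config_text, mail_body, site_host):
    """Summarise whether the flag is set and whether the mail carries HTTP links."""
    level = force_ssl_level(config_text)
    return {
        "force_ssl": level,
        # Assumption: only level 2 (entire site) covers the front-end reset pages.
        "flag_covers_site": level == 2,
        "http_links": insecure_links(mail_body, site_host),
    }


# Constructed sample input (not taken from a real site).
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'Example';
    public $force_ssl = '0';
}
"""
SAMPLE_MAIL = (
    "To reset your password, open the link below:\n"
    "http://cms.example.test/index.php?option=com_users&view=reset&token=PLACEHOLDER\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_MAIL, "cms.example.test"))
```

Run it against a copy of the site's configuration.php and a reset e-mail captured from a test account; an empty `http_links` list together with `flag_covers_site` set to true is the expected result on a correctly configured site.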
Affected Version(s)
Joomla! CMS 3.9.0-5.4.5
Joomla! CMS 6.0.0-6.1.0