CVE-2026-48900
Improper Access Control in Joomla Scheduler Tasks
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Joomla! Project
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | joomla! | From 4.1.0 (inc) to 5.4.5 (inc) |
| joomla | joomla! | From 6.0.0 (inc) to 6.1.0 (inc) |
| joomla | joomla! | 5.4.6 |
| joomla | joomla! | 6.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48900 is a security vulnerability in the Joomla! CMS affecting versions 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0.
The issue involves an improper access check in the com_scheduler component, which allows low-privileged users to edit the task types of existing scheduler tasks.
This means that users who should not have permission to modify certain scheduled tasks can do so due to incorrect access control.
How can this vulnerability impact me?
This vulnerability could allow unauthorized users with low privileges to modify scheduled tasks within the Joomla! CMS.
Such unauthorized modifications could lead to unexpected or malicious task executions, potentially disrupting normal operations or compromising system integrity.
Although classified as moderate impact with low severity and low probability of exploitation, it still poses a risk to the security and stability of affected Joomla! installations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade their Joomla! CMS installations to version 5.4.6 or 6.1.1, where the issue has been fixed.