CVE-2026-48948
Received Received - Intake

Improper Access Check in Joomla Contact VCard Export

Vulnerability report for CVE-2026-48948, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Joomla! Project

Description

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
joomla joomla From 3.0.0 (inc) to 5.4.5 (inc)
joomla joomla From 6.0.0 (inc) to 6.1.1 (inc)
joomla joomla 5.4.7
joomla joomla 6.1.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized users to download vCard exports of contacts that should be inaccessible, indicating an improper access control issue.

Such unauthorized access to contact information could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict controls over personal and sensitive data access.

However, the provided information does not explicitly state the impact on compliance with these standards.

Executive Summary

CVE-2026-48948 is a security vulnerability in the Joomla! content management system that affects versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.1.

The issue is caused by incorrect access control in the com_contact component, which allows users to download vCard exports of contacts that they should not have permission to access.

This means that unauthorized users can obtain contact information that is meant to be restricted.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of contact information by allowing users to download vCard exports of contacts they are not authorized to access.

Such unauthorized access could compromise privacy and potentially expose sensitive contact details.

However, the severity is classified as low with a low probability of exploitation.

To mitigate the risk, users should upgrade Joomla! to versions 5.4.7 or 6.1.2 or later where the issue is fixed.

Mitigation Strategies

To mitigate CVE-2026-48948, users should upgrade their Joomla! CMS installations to the patched versions 5.4.7 or 6.1.2 where the incorrect access control issue in the com_contact component has been fixed.

This vulnerability affects versions 3.0.0 through 5.4.5 and 6.0.0 through 6.1.1, so ensuring your system is updated beyond these versions will reduce the risk of unauthorized vCard exports.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart