CVE-2026-57828
Received Received - Intake

Authenticated Arbitrary File Upload in Phoca Downloads Leads to RCE

Vulnerability report for CVE-2026-57828, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Joomla! Project

Description

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
joomla phoca_downloads *
phoca phoca_download to 6.1.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Joomla extension Phoca Downloads, specifically in versions up to 6.1.2. It allows authenticated usersβ€”those with registered accountsβ€”to upload arbitrary executable files, such as PHP scripts, by bypassing the file-type restrictions that are normally enforced.

This happens because the member-upload feature uses a different internal mode that skips the configured allow-list for file types, enabling attackers to place executable files into the public user-upload folder.

Once uploaded, these executable files can be run on the server, leading to full Remote Code Execution (RCE), which means an attacker can execute arbitrary code remotely on the affected system.

The vulnerability requires a registered user account and the non-default user-upload feature to be enabled.

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker with a registered account to upload and execute malicious code on your Joomla site.

This could lead to full Remote Code Execution (RCE), which means the attacker could take control of the server, manipulate files, steal data, create unauthorized administrator accounts, or cause service disruptions.

It is important to update Phoca Download to version 6.1.3 or later, which fixes this issue by enforcing the file-type allow-list on member uploads.

Additionally, you should check for signs of tampering such as unexpected PHP files in the user-upload folder or unauthorized administrator accounts.

Detection Guidance

This vulnerability can be detected by checking for unexpected executable files, such as PHP scripts, in the user-upload folder of the Phoca Downloads extension. Since the flaw allows registered users to upload executable files, inspecting this directory for unauthorized or suspicious files is a key detection method.

Additionally, monitoring for unauthorized administrator accounts or signs of tampering in the Joomla site can help identify exploitation.

  • Use commands to list suspicious files in the upload directory, for example:
  • find /path/to/joomla/components/com_phocadownload/user_upload/ -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php5" \)
  • Check for recently modified or created files:
  • find /path/to/joomla/components/com_phocadownload/user_upload/ -type f -mtime -7
  • Review Joomla user accounts for unauthorized administrators via the Joomla admin interface or database queries.
Mitigation Strategies

The immediate and most effective mitigation step is to update the Phoca Downloads extension to version 6.1.3 or later, which fixes the authenticated Remote Code Execution vulnerability by enforcing the file-type allow-list on member uploads.

If updating immediately is not possible, temporarily disable the member-upload feature or restrict registered user permissions to prevent file uploads.

Additionally, audit the user-upload folder for any unauthorized executable files and remove them.

Review Joomla user accounts for any unauthorized administrator accounts and remove or disable them.

Implement strict input validation and monitor your site for suspicious activity until the patch is applied.

Compliance Impact

The vulnerability in the Phoca Downloads Joomla extension allows authenticated users to upload executable files, leading to remote code execution (RCE). This can result in unauthorized access, data breaches, or manipulation of sensitive information.

Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data through adequate security controls. A successful exploitation could lead to exposure or compromise of protected data, violating these regulations.

Therefore, organizations using vulnerable versions of Phoca Downloads risk non-compliance due to potential unauthorized data access or system compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart