CVE-2026-57828
Received
Received - Intake
Authenticated Arbitrary File Upload in Phoca Downloads Leads to RCE
Vulnerability report for CVE-2026-57828, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-11
Last updated on: 2026-07-11
Assigner: Joomla! Project
Description
Description
The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| joomla | phoca_downloads | * |
| phoca | phoca_download | to 6.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |