CVE-2026-48902
9.8 CRITICALThe password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set
Published: 2026-05-26 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-319
Affected products
| Vendor | Product |
|---|---|
| joomla | joomla\! |
Description
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-48905 — Lack of input filtering leads to an XSS vector in the HTML filter code (6.1 MEDIUM)
- CVE-2026-48904 — An improper access check allows privelege escalation through the com_users group editing webservice endpoint (9.8 CRITICAL)
- CVE-2026-48903 — Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components (6.1 MEDIUM)
- CVE-2026-48901 — The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key (7.5 HIGH)
- CVE-2026-48900 — An improper access check allowed low privileged users to edit the task types of existing scheduler tasks (4.3 MEDIUM)
Same CWE
- CVE-2026-9741 — A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryp... (6.5 MEDIUM)
- CVE-2026-45432 — This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management...
- CVE-2026-8874 — Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted ... (7.1 HIGH)
- CVE-2026-36610 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding (5.9 MEDIUM)
- CVE-2026-7666 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)