CVE-2026-48909
PUBLISHED
Published: 20 Jun 2026, 11:56
Last modified:20 Jun 2026, 11:56
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.5 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
20 Jun 2026, 11:56
Published
Vulnerability first disclosed
Description
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
CVSS Metrics
- v4.0•CRITICAL•Score: 9.5CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Techniques & Countermeasures
- CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- joomshaper.net•sp lms extension for joomla
1.0.0-4.1.3