PatchSiren cyber security CVE debrief

CVE-2026-48900 Joomla! Project CVE debrief

A medium-severity improper access control vulnerability in Joomla's scheduler component (com_scheduler) allows low-privileged users to modify task types of existing scheduled tasks. The flaw stems from incorrect access checks in the task type editing functionality. Affected versions include Joomla 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. The vulnerability was disclosed by Joomla's security team on May 16, 2026, and published to NVD on May 26, 2026. Organizations should upgrade to Joomla 5.4.6 or 6.1.1 or later to remediate this issue.

Vendor: Joomla! Project
Product: Joomla! CMS
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Joomla site administrators, security teams managing Joomla CMS deployments, and organizations using scheduled task functionality on affected Joomla 4.x, 5.x, or 6.x installations.

Technical summary

CVE-2026-48900 is an improper access control vulnerability (CWE-284) in Joomla's com_scheduler component. The flaw allows users with low privileges to edit the task types of existing scheduler tasks due to insufficient access validation. The vulnerability affects Joomla versions 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. CVSS 4.0 scoring reflects network accessibility, low attack complexity, and high privilege requirements with impacts to system confidentiality, integrity, and availability. The vendor has released patches in versions 5.4.6 and 6.1.1.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Joomla installations to version 5.4.6 or 6.1.1 or later to address the improper access control vulnerability in com_scheduler
  • Review scheduled task configurations for unauthorized modifications if running affected versions prior to patching
  • Apply principle of least privilege to Joomla user accounts to minimize exposure to access control weaknesses
  • Monitor Joomla security advisories at developer.joomla.org/security-centre for related security updates
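
To triage a site inventory against the affected ranges stated above, the following added example (not code from Joomla or from the advisory) classifies version strings and reports the fixed release to move to. The site names and version strings in the sample are constructed, and treating a pre-release of a fixed version as "review" is an assumption of this example.

```python
import re

# Affected ranges (inclusive) and fixed releases, as stated in this debrief.
AFFECTED = [
    ((4, 1, 0), (5, 4, 5), (5, 4, 6)),
    ((6, 0, 0), (6, 1, 0), (6, 1, 1)),
]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([-+~]\S+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None


def triage(text):
    """Classify one version string as affected / review / not-affected / unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return ("unknown", None)
    version, prerelease = parsed
    for low, high, fixed in AFFECTED:
        target = ".".join(map(str, fixed))
        if low <= version <= high:
            return ("affected", target)
        # A pre-release of the fixed version (e.g. 5.4.6-rc1) sorts before it and
        # is not covered by the stated ranges, so flag it for manual review.
        if prerelease and version == fixed:
            return ("review", target)
    return ("not-affected", None)


def needs_action(inventory):
    """Return {site: (status, target)} for every site that is not clearly unaffected."""
    results = {site: triage(v) for site, v in inventory.items()}
    return {s: r for s, r in results.items() if r[0] != "not-affected"}


if __name__ == "__main__":
    # Constructed inventory: site names and version strings are made up.
    sample = {"intranet": "4.4.14", "shop": "Joomla! 5.4.6 Stable",
              "blog": "6.1.0", "staging": "5.4.6-rc1", "legacy": "3.10.12"}
    for site, (status, target) in needs_action(sample).items():
        print(f"{site}: {status}, upgrade target {target}")
```

Sites reported as "unknown" had no parseable version and need a manual check before they are treated as unaffected.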

Evidence notes

The vulnerability affects Joomla versions 4.1.0 through 5.4.5 (fixed in 5.4.6) and 6.0.0 through 6.1.0. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, requiring high privileges but no user interaction. The vendor advisory confirms this is an incorrect access control issue in com_scheduler.

Official resources

Joomla published a security advisory for this vulnerability on May 16, 2026. The CVE record was published to NVD on May 26, 2026, and modified later that same day. No CISA KEV listing exists for this vulnerability.