PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48901 Joomla! Project CVE debrief

CVE-2026-48901 describes a vulnerability in the `InputFilter::getInstance()` method where a security-sensitive parameter was omitted from the instance cache key construction. This flaw could allow improper cache reuse across different security contexts, potentially leading to security boundary violations in input filtering operations. The vulnerability was published on 2026-05-26 and is currently undergoing analysis in the NVD. The affected product is Joomla, based on the security advisory reference from the Joomla Security Centre. No CVSS score or severity rating has been assigned at this time. The issue has not been added to CISA's Known Exploited Vulnerabilities catalog.

  • Vendor: Joomla! Project
  • Product: Joomla! CMS
  • CVSS: Unknown
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-05-26
  • Original CVE updated: 2026-05-26
  • Advisory published: 2026-05-26
  • Advisory updated: 2026-05-26

Who should care

Joomla site administrators, particularly those running multi-site installations or shared hosting environments; security teams managing Joomla-based web applications; and developers of Joomla extensions that rely on custom InputFilter configurations.

Technical summary

The `InputFilter::getInstance()` method in Joomla constructs a cache key to reuse InputFilter instances. A security-sensitive parameter was inadvertently excluded from this cache key calculation, meaning that instances created with different security parameters could be incorrectly reused from cache. This could result in input filtering being applied with incorrect security rules—potentially allowing more permissive filtering than intended, or conversely blocking legitimate input. The vulnerability affects the integrity of security context separation in Joomla's input sanitization layer.
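
The bug class described above, as a minimal PHP model added here for illustration; it is not Joomla's InputFilter code and is not taken from the advisory. The class `DemoFilter`, its `$allowAttributes` option and the sample input are hypothetical, since the page does not say which parameter was left out of the key.

```php
<?php
// Hypothetical model of the bug class. Not Joomla's InputFilter implementation.
final class DemoFilter
{
    /** @var array<string, DemoFilter> cached instances, keyed by configuration hash */
    private static array $instances = [];

    private function __construct(
        private array $tags,            // allowed tag names
        private bool $allowAttributes   // security-sensitive option in this model
    ) {
    }

    // Flawed: $allowAttributes changes filtering but is left out of the key.
    public static function getInstanceFlawed(array $tags, bool $allowAttributes = false): self
    {
        $key = 'flawed:' . hash('sha256', serialize([$tags]));
        return self::$instances[$key] ??= new self($tags, $allowAttributes);
    }

    // Corrected: every argument that influences filtering is part of the key.
    public static function getInstance(array $tags, bool $allowAttributes = false): self
    {
        $key = 'fixed:' . hash('sha256', serialize([$tags, $allowAttributes]));
        return self::$instances[$key] ??= new self($tags, $allowAttributes);
    }

    public function clean(string $html): string
    {
        $html = strip_tags($html, $this->tags);
        if (!$this->allowAttributes) {
            // Drop all attributes from the tags that remain.
            $html = preg_replace('/<([a-z][a-z0-9]*)\s[^>]*>/i', '<$1>', $html) ?? '';
        }
        return $html;
    }
}

// Constructed input and call order: a permissive caller runs before a strict one.
$sample = '<a href="https://example.test/" title="t">link</a><i>x</i>';

$permissive = DemoFilter::getInstanceFlawed(['a', 'b'], true);
$strict     = DemoFilter::getInstanceFlawed(['a', 'b'], false);
var_dump($permissive === $strict);     // same cached object served to both callers
echo $strict->clean($sample), PHP_EOL; // filtered with the permissive caller's rules

$strictFixed = DemoFilter::getInstance(['a', 'b'], false);
echo $strictFixed->clean($sample), PHP_EOL; // filtered with the strict rules requested
```

When auditing an extension's own cached factories, the same check applies: list every argument that changes filtering behaviour and confirm each one feeds the cache key.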

Defensive priority

medium

Recommended defensive actions

  • Review Joomla security advisory 20260517 for detailed technical information and affected versions
  • Apply security updates from Joomla when available, prioritizing systems with multi-tenant or shared hosting configurations where InputFilter context separation is critical
  • Audit custom extensions or integrations that directly invoke InputFilter::getInstance() with custom security parameters
  • Monitor NVD entry for CVSS scoring and updated analysis once completed
  • Review application logs for unexpected InputFilter behavior or cache-related anomalies

Evidence notes

The vulnerability description indicates incorrect cache key construction in `InputFilter::getInstance()`, which is a core Joomla security component. The reference to developer.joomla.org/security-centre/1049-20260517-core-incorrect-cache-key-construction-for-inputfilter-objects.html confirms this is a Joomla core issue. The NVD status shows 'Undergoing Analysis' as of the last modification timestamp.
