CVE-2026-48900
Description
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in Joomla! CMS allows low-privileged users to modify task types of scheduler tasks due to improper access check.
Vulnerability
An improper access check in the Joomla! CMS scheduler component (com_scheduler) allows low-privileged users to edit the task types of existing scheduler tasks. Affected versions: Joomla! CMS versions 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0 [1].
Exploitation
An attacker with low privileges (e.g., a registered user) can exploit this by accessing the scheduler task edit functionality, which fails to properly verify permissions. No additional authentication or special conditions are required beyond having a low-privileged account.
Impact
Successful exploitation allows the attacker to change the task type of scheduled tasks, potentially altering the behavior of the scheduler. This could lead to unauthorized actions depending on the task type, such as executing arbitrary code or accessing sensitive data, but the exact impact depends on the available task types.
Mitigation
Upgrade to Joomla! CMS version 5.4.6 or 6.1.1, which contain the fix. No known workarounds are provided. The vulnerability was reported by Federico Brasili and fixed on 2026-05-26 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
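The affected ranges and fixed releases given under Vulnerability and Mitigation above, turned into an inventory check. This is an added example, not code from this page or from the Joomla! project; the hostnames and installed versions in `INVENTORY` are constructed, and `parse_version`, `fmt`, `triage` and `report` are hypothetical helper names.

```python
import re

# (first affected, last affected, fixed release), inclusive, as stated on this page.
# The page names no fixed 4.x release, so 4.x maps to 5.4.6 (assumption from the page).
AFFECTED = [((4, 1, 0), (5, 4, 5), (5, 4, 6)),
            ((6, 0, 0), (6, 1, 0), (6, 1, 1))]

def parse_version(text):
    """Return ((major, minor, patch), has_suffix) for '5.4.5', 'v6.1', '6.1.1-rc1'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p or 0) for p in m.groups())
    return numbers, bool(text[m.end():].strip())

def fmt(v):
    return ".".join(map(str, v))

def triage(version_text):
    """Return (status, upgrade_target) for one installed Joomla! version string."""
    v, has_suffix = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return ("affected", fmt(fixed))
        # A pre-release build of a fixed version may predate the fix: flag it.
        if has_suffix and v == fixed:
            return ("verify manually", fmt(fixed))
    return ("not in affected range", None)

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "www.example.test": "5.4.5",
    "shop.example.test": "4.4.0",
    "intranet.example.test": "6.1.1",
    "staging.example.test": "6.1.1-rc1",
    "legacy.example.test": "3.10.0",
}

def report(inventory):
    """Map each host to its (status, upgrade_target) pair."""
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(f"{host:24} {status:22} upgrade to: {target or '-'}")
```

Hosts reported as "verify manually" run a pre-release build whose number matches a fixed release, so the version string alone does not show whether the fix is present.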
Affected products: 2
Patches: 0. No patches discovered yet.
References: 1
News mentions: 0. No linked articles in our index yet.