VYPR
Unrated severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-48901

Description

The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Joomla! CMS InputFilter::getInstance() cache key omits a security parameter, potentially allowing incorrect filter instances to be reused.

Vulnerability

The InputFilter::getInstance() method in Joomla! CMS constructs a cache key for storing and reusing filter instances. A security-sensitive parameter was omitted from this cache key, meaning that different filter configurations could incorrectly share the same cached instance. This affects Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 [1].
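The bug class described above, shown as an added example that is not Joomla's code: a cached factory whose key leaves out one constructor argument, next to the corrected key. The class `DemoFilter`, its parameters `$context` and `$escapeHtml`, and the sample string are hypothetical and constructed for illustration; the page does not say which parameter was omitted.

```php
<?php
declare(strict_types=1);

// Hypothetical class for illustration only; not Joomla's InputFilter.
final class DemoFilter
{
    /** @var array<string, DemoFilter> cached instances, keyed by signature */
    private static array $instances = [];

    private function __construct(
        private string $context,
        private bool $escapeHtml // assumed security-sensitive option
    ) {
    }

    // Flawed: $escapeHtml reaches the constructor but is left out of the key,
    // so whichever caller comes first decides the setting for later callers.
    public static function getInstanceFlawed(string $context, bool $escapeHtml): self
    {
        $key = 'flawed:' . hash('sha256', serialize([$context]));
        return self::$instances[$key] ??= new self($context, $escapeHtml);
    }

    // Corrected: every argument that changes filtering behaviour is in the key.
    public static function getInstanceFixed(string $context, bool $escapeHtml): self
    {
        $key = 'fixed:' . hash('sha256', serialize([$context, $escapeHtml]));
        return self::$instances[$key] ??= new self($context, $escapeHtml);
    }

    public function clean(string $html): string
    {
        return $this->escapeHtml ? htmlspecialchars($html, ENT_QUOTES, 'UTF-8') : $html;
    }
}

// Constructed scenario: a non-escaping caller runs first, an escaping caller second.
$sample = '<em>note</em>'; // constructed sample input

$lax    = DemoFilter::getInstanceFlawed('comment', false);
$strict = DemoFilter::getInstanceFlawed('comment', true); // receives the cached non-escaping object
echo 'flawed: same object? ', var_export($lax === $strict, true), ', output: ', $strict->clean($sample), PHP_EOL;

$lax    = DemoFilter::getInstanceFixed('comment', false);
$strict = DemoFilter::getInstanceFixed('comment', true);  // distinct key, distinct object
echo 'fixed:  same object? ', var_export($lax === $strict, true), ', output: ', $strict->clean($sample), PHP_EOL;
```

When reviewing any cached factory of this shape, compare the list of constructor arguments with the list of values that feed the cache key; every argument missing from the key is a setting that one caller can silently impose on another.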

Exploitation

An attacker would need to be able to trigger the creation of InputFilter instances with different security-sensitive parameters. By exploiting the incorrect cache key, the attacker could cause a filter instance intended for one context (e.g., with stricter filtering) to be reused in another context where weaker filtering is expected. The exact attack vector is not detailed, but it likely involves crafting requests that cause the application to retrieve a cached filter instance that does not match the current security requirements [1].

Impact

The impact is rated Low. An attacker could potentially bypass input filtering protections, leading to injection attacks or other security issues depending on how the filter is used. The scope is limited to scenarios where the cache key mismatch leads to reuse of an inappropriate filter instance [1].

Mitigation

The fix is included in Joomla! CMS versions 5.4.6 and 6.1.1, released on 2026-05-26. Users should upgrade to these versions. No workaround is provided for earlier versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
