CVE-2026-48902

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

critical 9.8 CVSS 3.1
Published: May 26, 2026
Modified: May 28, 2026
Vendor: Joomla
Product: Joomla\!

Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

References

Related CVEs

CVE-2026-48903 medium · 6.1
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
CVE-2026-48904 critical · 9.8
An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
CVE-2026-48905 medium · 6.1
Lack of input filtering leads to an XSS vector in the HTML filter code.
CVE-2026-48896 high · 7.5
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
CVE-2026-48897 high · 7.5
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
CVE-2026-48898 critical · 9.8
An improper access check allows privilege escalation through the com_users batch task.