CVE Catalog

CVE-2026-48909

CriticalCVSS 9.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.80%

52th percentile — higher than 52% of all known CVEs

Summary

SP LMS (com_splms) version < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, allowing an unauthenticated remote attacker to execute arbitrary code on the server.

Risk Assessment

This vulnerability poses a serious risk to organizations as it allows attackers to remotely take control of the server.

Recommendation

It is recommended to update the component to version 4.1.4 or newer and implement additional security measures against cookie data deserialization.

Original NVD description (English source)

SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS