CVE-2026-48909 PUBLISHED

Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4

Assigner: Joomla
Reserved: 26.05.2026 Published: 20.06.2026 Updated: 20.06.2026

SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.5

Product Status

Vendor joomshaper.net
Product SP LMS extension for Joomla
Versions Default: unaffected
  • Version 1.0.0-4.1.3 is affected

Credits

  • Amin Isayev finder

References

Problem Types

  • CWE-502 Deserialization of Untrusted Data CWE

Impacts

  • CAPEC-586: Object Injection