{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/joomla--5.2.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48909"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["JoomShaper SP LMS \u003c= 4.1.3","Joomla \u003c 5.2.2"],"_cs_severities":["high"],"_cs_tags":["webapps","php","object-injection","rce","webshell"],"_cs_type":"advisory","_cs_vendors":["JoomShaper","Joomla"],"content_html":"\u003cp\u003eA high-severity PHP object injection vulnerability, identified as CVE-2026-48909, has been discovered and publicly exploited in JoomShaper SP LMS versions up to 4.1.3. This vulnerability, affecting a popular Joomla Extension, enables an unauthenticated remote attacker to execute arbitrary code on the underlying server. Exploitation occurs by sending a specially crafted 'lmsOrders' cookie to the \u003ccode\u003ecom_splms\u0026amp;view=cart\u003c/code\u003e endpoint. If the main Joomla CMS version is older than 5.2.2, a known gadget chain involving \u003ccode\u003eFormattedtextLogger::__destruct()\u003c/code\u003e can be leveraged to write a webshell to disk, granting the attacker full control over the compromised web server. The availability of a public exploit significantly increases the risk for unpatched systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious PHP serialized object payload designed to trigger the object injection gadget chain.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully base64-encodes this payload, manipulating it to avoid characters (\u003ccode\u003e/\u003c/code\u003e, \u003ccode\u003e+\u003c/code\u003e, \u003ccode\u003e=\u003c/code\u003e) that would be filtered by Joomla's input sanitizer when transmitted in a cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the \u003ccode\u003e/index.php?option=com_splms\u0026amp;view=cart\u003c/code\u003e endpoint of the vulnerable Joomla instance, including the specially crafted payload within the \u003ccode\u003elmsOrders\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ecom_splms\u003c/code\u003e component retrieves the \u003ccode\u003elmsOrders\u003c/code\u003e cookie, base64-decodes it, and then \u003ccode\u003eunserialize()\u003c/code\u003es the PHP object.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, if the Joomla CMS version is less than 5.2.2, the \u003ccode\u003eFormattedtextLogger::__destruct()\u003c/code\u003e gadget is triggered, calling \u003ccode\u003eFile::write()\u003c/code\u003e with attacker-controlled data.\u003c/li\u003e\n\u003cli\u003eThis action writes an initial PHP loader (containing \u003ccode\u003ehex2bin()\u003c/code\u003e to write the real payload) to a specified, PHP-writable path on the server (e.g., \u003ccode\u003e/tmp/x.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker then makes a subsequent HTTP GET request to the newly created loader file, causing it to execute and write the full PHP webshell to the same location.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker can interact with the deployed webshell by sending commands via URL parameters (e.g., \u003ccode\u003e?c=id\u003c/code\u003e), achieving unauthenticated remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48909 grants unauthenticated remote code execution on the target server. This allows attackers to completely compromise the affected Joomla instance and the underlying server, leading to data exfiltration, website defacement, further network penetration, or the deployment of additional malicious payloads such as ransomware. Organizations running JoomShaper SP LMS versions 4.1.3 or earlier, particularly on Joomla CMS versions prior to 5.2.2, are at severe risk of server compromise and potential business disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48909 immediately:\u003c/strong\u003e Upgrade JoomShaper SP LMS to version 4.1.4 or higher to remediate the PHP Object injection vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpdate Joomla CMS:\u003c/strong\u003e Ensure your core Joomla CMS is updated to version 5.2.2 or higher to mitigate the RCE gadget chain, even if the SP LMS extension cannot be immediately patched.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule in this brief\u003c/strong\u003e to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable webserver access logging:\u003c/strong\u003e Ensure comprehensive logging of HTTP requests, including full URI paths and cookie headers, to aid in detecting and investigating exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T13:45:49Z","date_published":"2026-07-06T13:45:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-joomshaper-sp-lms-rce/","summary":"A critical PHP object injection vulnerability (CVE-2026-48909) in JoomShaper SP LMS versions \u003c= 4.1.3 allows unauthenticated attackers to achieve remote code execution (RCE) via a crafted 'lmsOrders' cookie, leading to webshell deployment on vulnerable Joomla installations (\u003c 5.2.2).","title":"JoomShaper SP LMS PHP Object Injection Leads to RCE (CVE-2026-48909)","url":"https://feed.craftedsignal.io/briefs/2026-07-joomshaper-sp-lms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Joomla \u003c 5.2.2","version":"https://jsonfeed.org/version/1.1"}