Product
A critical PHP object injection vulnerability (CVE-2026-48909) in JoomShaper SP LMS versions <= 4.1.3 allows unauthenticated attackers to achieve remote code execution (RCE) via a crafted 'lmsOrders' cookie, leading to webshell deployment on vulnerable Joomla installations (< 5.2.2).