Description
Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field_2 parameter to delete arbitrary files accessible to the web server.
Published: 2026-06-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Joomla’s com_jsjobs component version 1.2.6 allows an attacker who has authenticated access to delete arbitrary files on the web server. By sending a crafted POST request to the job.savejob task and including a path traversal payload in the field_2 parameter, the attacker can instruct the server to delete any file that the web process can reach. This flaw can result in loss of critical data or removal of system files, potentially leading to denial of service or further exploitation.

Affected Systems

The vulnerability affects Joomsky’s JS Jobs extension for Joomla, specifically deployments of com_jsjobs version 1.2.6. Systems running this component without a patch are at risk.

Risk and Exploitability

The CVSS v4.0 score of 7.1 categorizes this as a high-severity issue. The vulnerability is exploitable only by users who have valid Joomla credentials; however, compromised credentials are common on poorly managed sites. Because EPSS is not available and the flaw is not listed in the CISA KEV catalog, the exploitation probability is uncertain, but the potential impact is substantial if the flaw is exploited. The flaw is a classic CWE-22 path traversal weakness, meaning attackers can target any filesystem path accessible to the web process.

Generated by OpenCVE AI on June 4, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade to the latest com_jsjobs component release provided by Joomsky.
  • Restrict or disable the job.savejob task for unauthenticated users, ensuring only authorized roles can execute file deletion actions.
  • Enforce strict filesystem permissions so that the web server process cannot delete critical directories, and consider monitoring /log deletions to detect exploitation attempts.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Joomsky; Joomsky js Jobs |
| Vendors & Products | | Joomsky; Joomsky js Jobs |

Thu, 04 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Thu, 04 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field_2 parameter to delete arbitrary files accessible to the web server. |
| Title | | Joomla com_jsjobs 1.2.6 Arbitrary File Deletion |
| Weaknesses | | CWE-22 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T13:56:39.842Z

Reserved: 2026-06-04T11:09:18.043Z

Link: CVE-2019-25740

Vulnrichment

Updated: 2026-06-04T13:56:36.071Z

NVD

Status: Deferred

Published: 2026-06-04T14:16:32.587

Modified: 2026-06-04T15:00:40.757

Link: CVE-2019-25740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T14:45:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')