Description
User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening.
Published: 2026-01-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload via MIME type bypass
Action: Patch
AI Analysis

Impact

The Easy Discuss component for Joomla verifies uploads only by file extension, ignoring the MIME type reported by the browser or derived from file content, a flaw that constitutes a CWE-434 vulnerability (Unrestricted upload of binaries). This oversight allows an attacker to supply a file whose name ends with a permitted extension, such as .jpg or .png, while embedding executable code or scripts inside the payload. If the server later serves or executes the file, the attacker could gain local code execution, upload backdoors, or compromise the entire Joomla installation (inferred).

Affected Systems

Stackideas EasyDiscuss extension for Joomla versions 1.0.0 through 5.0.15 is affected. Administrators using any edition of these releases should verify the build number against the vulnerable range.

Risk and Exploitability

The vulnerability carries a CVSS base score of 4.8, indicating moderate severity, while the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog, further implying limited public exploitation. It is inferred that attackers would typically need to interact with the public upload interface or compromise an authenticated user to upload the malicious file, after which they could exploit the server's ability to serve or execute the file.

Generated by OpenCVE AI on April 18, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy Discuss to a patched version that includes MIME type validation
  • If an immediate upgrade is not possible, restrict the upload directory so that uploaded files cannot be executed (e.g., remove execute permissions on the directory or configure the web server to treat uploaded files as non-executable types)
  • Review and tighten user permissions for the upload feature, or disable uploads for untrusted users, and monitor the upload directory for unexpected or suspicious files
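The following PHP fragment is an added example and is not code from the OpenCVE record, from EasyDiscuss or from Joomla. It places the extension-only pattern the description refers to beside a hardened validator that additionally sniffs the MIME type from the bytes on disk, cross-checks it against what the extension may carry, and re-parses images with the image decoder, which is the kind of MIME type validation the first recommended action asks for. All function and constant names are hypothetical, and the sample files are constructed inline so the script runs stand-alone.

```php
<?php
// Added example (not EasyDiscuss or Joomla code): extension-only check beside a
// hardened validator that also inspects file content. Names are hypothetical.

declare(strict_types=1);

// Permitted extensions and the content-derived MIME types each may carry.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * The weak pattern the advisory describes: only the extension of the
 * client-supplied name is consulted, so the file body is never examined.
 */
function isAllowedByExtensionOnly(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES);
}

/**
 * Hardened check: the extension must be allowlisted AND the MIME type sniffed
 * from the stored bytes (never the browser-supplied $_FILES[...]['type']) must
 * be one that extension is permitted to carry. Images must also decode.
 * Returns the extension to store under, or null to reject the upload.
 */
function validateUpload(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }

    // Sniff the real content type from magic bytes with the fileinfo extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_TYPES[$ext], true)) {
        return null; // content does not match what the extension claims
    }

    // For images, require that the image decoder agrees as well.
    if (str_starts_with($detected, 'image/') && @getimagesize($tmpPath) === false) {
        return null;
    }

    return $ext;
}

/**
 * Store under a server-generated name so the client never controls the stored
 * path or extension. In a real request $tmpPath is $_FILES['file']['tmp_name'];
 * $uploadDir should sit outside the web root or be served with script
 * execution disabled (the second recommended action above).
 */
function storeUpload(string $tmpPath, string $ext, string $uploadDir): ?string
{
    $target = $uploadDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $target) ? $target : null;
}

// Constructed sample inputs for a stand-alone run: a genuine 1x1 PNG and a
// plain-text file that a client could submit under an image file name.
$dir  = sys_get_temp_dir();
$png  = $dir . DIRECTORY_SEPARATOR . 'sample_real.png';
$fake = $dir . DIRECTORY_SEPARATOR . 'sample_fake.bin';
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
file_put_contents($fake, "this is not an image\n");

// The extension-only check accepts both names; the hardened check accepts
// only the file whose content really is a PNG.
var_dump(isAllowedByExtensionOnly('photo.png'), isAllowedByExtensionOnly('photo.jpg'));
var_dump(validateUpload('photo.png', $png));
var_dump(validateUpload('photo.jpg', $fake));

unlink($png);
unlink($fake);
```

The validator deliberately ignores the `type` field that the browser sends with a multipart upload, since that value is attacker-controlled; only the sniffed type and the decoder result are trusted. Content sniffing is a mitigation, not a guarantee, so the storage rule in `storeUpload` (random server-chosen name, directory without script execution) should be applied alongside it rather than instead of it.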


Advisories

No advisories yet.

References
History

Fri, 30 Jan 2026 19:00:00 +0000

  • CPEs, values added: cpe:2.3:a:stackideas:easydiscuss:*:*:*:*:*:joomla\!:*:*
  • Metrics, values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 19 Jan 2026 09:45:00 +0000

  • First Time appeared, values added: Joomla; Joomla joomla; Joomla joomla!; Stackideas; Stackideas easydiscuss
  • Vendors & Products, values added: Joomla; Joomla joomla; Joomla joomla!; Stackideas; Stackideas easydiscuss

Fri, 16 Jan 2026 16:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 15:15:00 +0000

  • Description, values added: User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening.
  • Title, values added: Extension - stackideas.com - Lack of mime type validation in EasyDiscuss component 1.0.0-5.0.15 for Joomla
  • Weaknesses, values added: CWE-434
  • References
  • Metrics, values added: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-01-16T15:35:53.746Z

Reserved: 2026-01-01T04:42:27.959Z

Link: CVE-2026-21625

Vulnrichment

Updated: 2026-01-16T15:35:45.959Z

NVD

Status: Analyzed

Published: 2026-01-16T15:15:55.017

Modified: 2026-01-30T18:45:43.407

Link: CVE-2026-21625

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses