Impact
The InputFilter::getInstance() method builds a cache key from its arguments but does not include a security‑sensitive parameter in that key. As a consequence, distinct filtering contexts may unintentionally share the same InputFilter instance. The rest of this assessment is inferred from the description: an attacker could exploit this cache collision by providing crafted input that depends on the omitted parameter, causing the filter to swallow malicious data or bypass validation checks. The result is a loss of data integrity that could lead to privilege escalation or other downstream attacks, depending on how the filtered content is used.
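The bug class described above, modeled as an added example that is not Joomla! code: a cached factory whose key omits one behaviour-changing argument, next to a version that keys on every argument. The class and method names and the `$strict` flag are hypothetical; `$strict` stands in for the omitted parameter, which the advisory does not name.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a filter (PHP 8.0+); $strict plays the security-sensitive argument.
final class ModelFilter
{
    public function __construct(private array $allowedTags, private bool $strict) {}

    public function clean(string $input): string
    {
        // Strict mode strips all markup; lenient mode keeps the allowed tags.
        return strip_tags($input, $this->strict ? [] : $this->allowedTags);
    }
}

final class ModelFilterFactory
{
    /** @var array<string, ModelFilter> */
    private static array $cache = [];

    // Flawed: the key covers $allowedTags only, so $strict is ignored on a cache hit.
    public static function getInstanceFlawed(array $allowedTags, bool $strict): ModelFilter
    {
        $key = 'flawed:' . md5(serialize([$allowedTags]));
        return self::$cache[$key] ??= new ModelFilter($allowedTags, $strict);
    }

    // Corrected: every argument that changes filter behaviour is part of the key.
    public static function getInstanceFixed(array $allowedTags, bool $strict): ModelFilter
    {
        $key = 'fixed:' . md5(serialize([$allowedTags, $strict]));
        return self::$cache[$key] ??= new ModelFilter($allowedTags, $strict);
    }
}

$input = '<b>bold</b><i>x</i>'; // constructed sample input

foreach (['getInstanceFlawed', 'getInstanceFixed'] as $factory) {
    // A lenient caller populates the cache first; a strict caller asks second.
    $lenient = ModelFilterFactory::$factory(['b'], false);
    $strict  = ModelFilterFactory::$factory(['b'], true);

    printf(
        "%s: same instance=%s, strict caller gets: %s\n",
        $factory,
        var_export($lenient === $strict, true),
        $strict->clean($input)
    );
}
```

With the flawed key the strict caller receives the lenient instance created earlier in the same request, so which policy applies depends on call order rather than on the arguments passed.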
Affected Systems
The affected product is Joomla! CMS from the Joomla! Project. No explicit version range is given; the advisory references the 2026‑05‑17 bulletin, so any installation that has not applied the 1049 security update is potentially vulnerable. No additional product variants are listed, so the scope covers all standard Joomla! CMS builds that include the current InputFilter::getInstance() implementation.
Risk and Exploitability
A CVSS score of 7.5 and an EPSS below 1% indicate high severity but a low probability of exploitation. The following points are inferred from the description. The flaw can be triggered through regular input mechanisms that reach the InputFilter, such as form submissions or API payloads. Because the bug leaves a security‑sensitive parameter out of the cache key, an attacker can force reuse of a cached InputFilter instance, injecting data that bypasses validation. No exploitation reports exist, but the defect could be used in the wild by anyone who can supply input to a vulnerable site.