Description
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
Published: 2026-06-20
Score: 9.5 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the SP LMS (com_splms) extension for Joomla, which before version 4.1.4 deserializes cookie data supplied by a user without any validation. This flaw follows the CWE-502 pattern of deserialization vulnerabilities. As a result, an unauthenticated attacker can inject a crafted PHP object into the cookie, causing the server to execute arbitrary code with the privileges of the web process. The impact is severe, allowing a remote attacker to compromise the entire site, exfiltrate data, or deploy further malware.

Affected Systems

JoomShaper’s SP LMS extension for Joomla is affected. All deployments running any version earlier than 4.1.4 are vulnerable. The extension is distributed by JoomShaper.net and packaged under the product name SP LMS extension for Joomla.

Risk and Exploitability

The CVSS score of 9.5 indicates critical severity. While an EPSS score is not provided, the fact that the flaw is exploitable without any authentication suggests high potential for exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can simply craft a malicious cookie, which the vulnerable server will unserialize and execute, creating a straightforward attack path with no prerequisite setup.

Generated by OpenCVE AI on June 20, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SP LMS extension to version 4.1.4 or newer, which removes the insecure deserialization of cookie data.
  • Deploy a Web Application Firewall rule that blocks HTTP requests carrying serialized PHP object payloads in the Cookie header, preventing malicious data from reaching the vulnerable code path.
  • Review the extension’s cookie handling logic; if possible, configure the module to avoid deserializing user-supplied cookies entirely or sanitize the cookie input before deserialization to ensure only trusted data is processed.
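The third action above, shown as an added PHP example that is not SP LMS's own code: the cookie name, the secret and the state keys are hypothetical placeholders. The vulnerable pattern passes cookie bytes straight to unserialize(); the hardened version only accepts a cookie the server itself signed, and decodes it as JSON so no PHP object can be instantiated from client input.

```php
<?php
// Added example (not SP LMS's own code). Cookie name "splms_state"
// and the secret value are hypothetical placeholders.

// Vulnerable pattern (CWE-502): whatever object graph the client sends
// is instantiated on the server.
function load_state_vulnerable(array $cookies): mixed
{
    return unserialize($cookies['splms_state'] ?? '');
}

// Hardened: sign what the server issues, verify with a constant-time
// compare, and decode JSON (plain data, never objects).
function issue_state(array $state, string $secret): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function load_state_hardened(array $cookies, string $secret): ?array
{
    $raw = $cookies['splms_state'] ?? '';
    if (substr_count($raw, '.') !== 1) {
        return null; // malformed: reject rather than guess
    }
    [$payload, $mac] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // forged or tampered cookie
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $state = json_decode($decoded, true);
    return is_array($state) ? $state : null;
}

// Legacy fallback only while the serialized format cannot be replaced:
// allowed_classes=false maps every object to __PHP_Incomplete_Class, so
// no application class's magic methods run during unserialize().
function load_legacy_state(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed demo
$secret = 'replace-with-a-server-side-secret'; // placeholder
$cookie = issue_state(['course' => 12, 'lesson' => 3], $secret);
var_dump(load_state_hardened(['splms_state' => $cookie], $secret));       // array
var_dump(load_state_hardened(['splms_state' => $cookie . 'x'], $secret)); // NULL
```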

Tracking

Advisories

No advisories yet.

References

History

Sat, 20 Jun 2026 12:45:00 +0000

Type        | Values Removed | Values Added
Description |                | SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
Title       |                | Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4
Weaknesses  |                | CWE-502
References  |                |
Metrics     |                | cvssV4_0: {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-20T11:56:46.771Z

Reserved: 2026-05-26T10:06:17.657Z

Link: CVE-2026-48909

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T14:00:06Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data