Description
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
Published: 2026-06-20
Score: 9.5 Critical
EPSS: 2.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the SP LMS (com_splms) extension for Joomla, which before version 4.1.4 deserializes cookie data supplied by a user without any validation. This flaw follows the CWE-502 pattern of deserialization vulnerabilities. As a result, an unauthenticated attacker can inject a crafted PHP object into the cookie, causing the server to execute arbitrary code with the privileges of the web process. The impact is severe, allowing a remote attacker to compromise the entire site, exfiltrate data, or deploy further malware.

Affected Systems

JoomShaper’s SP LMS extension for Joomla is affected. All deployments running any version earlier than 4.1.4 are vulnerable. The extension is hosted by joomshaper.net and packaged under the product name SP LMS extension for Joomla.

Risk and Exploitability

The CVSS score of 9.5 indicates critical severity. An EPSS score of 3% indicates exploitation probability, and combined with the flaw’s unauthenticated nature suggests a high potential for exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can simply craft a malicious cookie, which the vulnerable server will unserialize and execute, creating a straightforward attack path with no prerequisite setup.

Generated by OpenCVE AI on July 10, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SP LMS extension to version 4.1.4 or newer, which removes the insecure deserialization of cookie data.
  • Deploy a Web Application Firewall rule that blocks HTTP requests containing serialized PHP object payloads in the cookie field, preventing malicious data from reaching the vulnerable code path.
  • Review the extension’s cookie handling logic; if possible, configure the module to avoid deserializing user-supplied cookies entirely or sanitize the cookie input before deserialization to ensure only trusted data is processed.

Generated by OpenCVE AI on July 10, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Joomshaper.net
Joomshaper.net sp Lms Extension For Joomla
Vendors & Products Joomshaper.net
Joomshaper.net sp Lms Extension For Joomla

Sat, 20 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
Title Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Joomshaper.net Sp Lms Extension For Joomla
cve-icon MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-23T05:52:22.025Z

Reserved: 2026-05-26T10:06:17.657Z

Link: CVE-2026-48909

cve-icon Vulnrichment

Updated: 2026-06-22T17:44:45.651Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T04:30:17Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data