Description
The Helix3 plugin for Joomla exposes an AJAX handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters.
Published: 2026-06-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Helix3 plugin for Joomla contains a flaw in an AJAX handler that lets anyone on the network delete arbitrary files, write arbitrary JSON files, and change template parameters. This authorization weakness (CWE‑284) allows an attacker to tamper with site files, corrupt configuration, and potentially facilitate further compromise. The flaw threatens the integrity and availability of the Joomla site, though it does not directly expose sensitive data.

Affected Systems

No affected version range is given: the description does not limit the impact to any particular release, so all installations of the Helix3 extension for Joomla are considered vulnerable regardless of version.

Risk and Exploitability

The vulnerability can be triggered by sending unauthenticated HTTP requests to the Helix3 AJAX endpoint with crafted task parameters. It carries a CVSS score of 7.5, indicating a high severity level. No authentication is required, so the attack vector is straightforward and can be performed remotely. The EPSS score is not available, but the strength of the flaw and the widespread use of Joomla suggest a high likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 29, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Helix3 extension to the latest vendor‑supplied version as soon as it is available.
  • Disable or restrict the AJAX handler that accepts the delete/write/task operations, for example by configuring the extension or the web server to block unauthenticated access to that endpoint.
  • Implement file‑integrity monitoring on the Joomla site and review logs for unauthorized file modifications to detect any exploitation attempts.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Joomshaper; Joomshaper helix3 Extension For Joomla |
| Vendors & Products | | Joomshaper; Joomshaper helix3 Extension For Joomla |

Mon, 29 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'} |
| | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 29 Jun 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The Helix3 plugin for Joomla exposes an AJAX handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters. |
| Title | | Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler |
| Weaknesses | | CWE-284 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Joomla

Published:

Updated: 2026-06-30T05:56:57.672Z

Reserved: 2026-05-27T09:16:31.897Z

Link: CVE-2026-49049

Vulnrichment

Updated: 2026-06-29T15:27:37.045Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:22Z
