{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-57828","assignerOrgId":"6ff30186-7fb7-4ad9-be33-533e7b05e586","state":"PUBLISHED","assignerShortName":"Joomla","dateReserved":"2026-06-25T16:55:04.094Z","datePublished":"2026-07-11T09:27:16.840Z","dateUpdated":"2026-07-13T15:42:43.998Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"phoca.cz Phoca Download extension for Joomla","vendor":"phoca.cz","versions":[{"status":"affected","version":"1.0-6.1.2"}]}],"credits":[{"lang":"en","type":"finder","value":"Phil Taylor"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE."}],"value":"The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE."}],"impacts":[{"capecId":"CAPEC-242","descriptions":[{"lang":"en","value":"CAPEC-242: Code Injection"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"CRITICAL","baseScore":9,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434: Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"6ff30186-7fb7-4ad9-be33-533e7b05e586","shortName":"Joomla","dateUpdated":"2026-07-11T09:27:16.840Z"},"references":[{"tags":["product"],"url":"https://www.phoca.cz/phocadownload"},{"tags":["third-party-advisory"],"url":"https://mysites.guru/blog/phoca-download-authenticated-file-upload-rce/"}],"source":{"discovery":"UNKNOWN"},"title":"Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-13T15:42:34.957835Z","id":"CVE-2026-57828","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-13T15:42:43.998Z"}}]}}