CVE-2026-57828
Phoca · Phoca Download
The Phoca Download extension for Joomla contains an authenticated file upload vulnerability that allows registered users to upload executable files and achieve remote code execution.
Executive summary
An authenticated arbitrary file upload vulnerability in the Phoca Download Joomla extension allows registered users to gain full remote code execution.
Vulnerability
The vulnerability is an unrestricted file upload flaw (CWE-434) requiring authenticated access to the Joomla instance. An attacker with a registered user account can upload malicious scripts to the server.
Business impact
While this vulnerability requires prior authentication, the ability for a registered user to escalate privileges to full remote code execution poses a severe risk to the integrity and availability of the Joomla site. With a CVSS score of 9.0, the impact includes unauthorized data access, server-side code execution, and potential lateral movement within the network.
Remediation
Immediate Action: Update the Phoca Download extension to the latest version to prevent malicious file uploads.
Proactive Monitoring: Monitor user activity logs for suspicious upload patterns or file creation events initiated by registered users.
Compensating Controls: Implement strict file type validation at the WAF level and review user account permissions to ensure the principle of least privilege is applied to all registered users.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Administrators should prioritize updating the Phoca Download extension. Furthermore, audit existing user accounts to identify and disable any unauthorized or suspicious accounts that could be leveraged to trigger this vulnerability.