CVE-2026-48909
Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
| CWE | CWE-502 |
| Vendor | joomshaper.net |
| Product | sp lms extension for joomla |
| Published | Jun 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for joomshaper.net sp lms extension for joomla
Be the first to know when new unknown vulnerabilities affecting joomshaper.net sp lms extension for joomla are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
joomshaper.net / SP LMS extension for Joomla
1.0.0-4.1.3
Credits
Amin Isayev