CVE Catalog
CVE-2026-48909
CriticalCVSS 9.5Exploitation Probability (EPSS)
Elevated risk0.80%
52th percentile — higher than 52% of all known CVEs
Summary
SP LMS (com_splms) version < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, allowing an unauthenticated remote attacker to execute arbitrary code on the server.
Risk Assessment
This vulnerability poses a serious risk to organizations as it allows attackers to remotely take control of the server.
Recommendation
It is recommended to update the component to version 4.1.4 or newer and implement additional security measures against cookie data deserialization.
Original NVD description (English source)
SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.

