CVE-2026-49049
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
The Helix3 plugin for Joomla! exposes an AJAX handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters.
Risk Assessment
An attacker can delete critical system files, inject malicious JSON data, or alter template configuration, potentially leading to full compromise of the Joomla! site.
Recommendation
Immediately update the Helix3 plugin to the latest version and restrict AJAX task access to authenticated users only.
Original NVD description (English source)
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.

