Joomla Auth Reset Generates Plain HTTP Links Without Force SSL
CVE-2026-48902 Published on May 26, 2026
Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Products Associated with CVE-2026-48902
Affected Versions
Joomla! Project Joomla! CMS:
- Version 3.9.0-5.4.5 is affected.
- Version 6.0.0-6.1.0 is affected.