ctipilot.ch

Joomla Phoca Download (com_phocadownload) authenticated file-upload RCE via member-upload allow-list bypass (CVSS 4.0 9.0)

cve · CVE-2026-57828

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
high
1 high
Sources cited
3
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
3
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Phoca Download for JoomlaRSFiles! for Joomla

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-11/joomla-rsfiles-phoca-file-upload-rce-cve-2026-57827-57828 · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-11/joomla-rsfiles-phoca-file-upload-rce-cve-2026-57827-57828 · ATT&CK page ↗

Story timeline

  1. 2026-07-11Joomla file-upload RCE wave adds RSFiles! (CVE-2026-57827, unauth, CVSS 10.0) and Phoca Download (CVE-2026-57828, CVSS 9.0)
    trending-vulnerabilitiesTwo more Joomla extensions patch file-upload-to-RCE flaws — RSFiles! is reachable with no login at all (CVSS 10.0)

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • mysites.guru2 (67%)
  • rsjoomla.com1 (33%)

Related entities

Entries about Joomla Phoca Download (com_phocadownload) authenticated file-upload RCE via member-upload allow-list bypass (CVSS 4.0 9.0) (1)

2026-07-11 · view entry permalink →

Joomla file-upload RCE wave adds RSFiles! (CVE-2026-57827, unauth, CVSS 10.0) and Phoca Download (CVE-2026-57828, CVSS 9.0)

Two more third-party Joomla extensions have patched unrestricted-file-upload flaws that end in remote code execution, both disclosed and fixed on 2026-07-10 by the same researcher (Phil Taylor of mySites.guru) whose source-code audits have been driving an ongoing wave of the identical CWE-434 bug class across the Joomla extension ecosystem. In RSFiles! (com_rsfiles) through 1.17.11, the permission gate and file-type allow-list live in a pre-flight method while the method that actually writes the upload to disk performs no permission check and no extension check; because that write method can be called directly with no site-wide CSRF token and no access check, an anonymous visitor bypasses the gate entirely, and RSFiles!'s default downloads folder sits inside the web root with PHP execution enabled (the protective .htaccess is an opt-in setting that is off by default) — so a .php upload lands in a directory that executes it, giving unauthenticated RCE (CVE-2026-57827, CVSS 4.0 10.0; the vendor RSJoomla! shipped 1.17.12 the same day, "update NOW!"). In Phoca Download (com_phocadownload) through 6.1.2, the non-default frontend member-upload feature runs under a different internal upload mode than the one the allow-list check was written for, so the configured file-type restriction is never consulted and a registered member can upload and execute a .php file into the public user-upload folder — authenticated RCE that requires an account plus the member-upload feature enabled (CVE-2026-57828, CVSS 4.0 9.0, fixed in 6.1.3) (mySites.guru, 2026-07-10).

Neither flaw has a published proof-of-concept and neither is confirmed exploited yet, but the wave's earlier members have a short track record from disclosure to in-the-wild abuse: JoomShaper SP Page Builder (CVE-2026-48908), Joomlack Page Builder CK (CVE-2026-56290), Balbooa Forms (CVE-2026-56291) and iCagenda (CVE-2026-48939) all carry the same unauthenticated-or-low-auth file-upload primitive, and several were added to CISA's KEV catalog within days — iCagenda after confirmed zero-day exploitation (mySites.guru, 2026-07-10). Joomla is heavily used across Swiss and European municipal and public-sector websites, and extension-level exposure is independent of core-Joomla patch status, so an otherwise up-to-date site can still be exposed through either component.

any attacker, without having an account on your website, can upload a .php file in your /downloads directory and execute it.

RSJoomla! (vendor advisory, quoted by mySites.guru)

A logged-in user could upload a file type that should have been rejected, such as a `.php` script, into the public user-upload folder and then run it.

mySites.guru 2026-07-10
vulnerability11 Jul 13:00Zmulti-sourceOpen finding ↗