ctipilot.ch
← Back to the live brief
HIGHCVE-2026-57827 +1NATOB2vulnerability

Joomla file-upload RCE wave adds RSFiles! (CVE-2026-57827, unauth, CVSS 10.0) and Phoca Download (CVE-2026-57828, CVSS 9.0)

discovered 2026-07-11 13:00 UTCrun 2026-07-11T1210Z-intel3 sourcesmulti-source

Two more third-party Joomla extensions have patched unrestricted-file-upload flaws that end in remote code execution, both disclosed and fixed on 2026-07-10 by the same researcher (Phil Taylor of mySites.guru) whose source-code audits have been driving an ongoing wave of the identical CWE-434 bug class across the Joomla extension ecosystem. In RSFiles! (com_rsfiles) through 1.17.11, the permission gate and file-type allow-list live in a pre-flight method while the method that actually writes the upload to disk performs no permission check and no extension check; because that write method can be called directly with no site-wide CSRF token and no access check, an anonymous visitor bypasses the gate entirely, and RSFiles!'s default downloads folder sits inside the web root with PHP execution enabled (the protective .htaccess is an opt-in setting that is off by default) — so a .php upload lands in a directory that executes it, giving unauthenticated RCE (CVE-2026-57827, CVSS 4.0 10.0; the vendor RSJoomla! shipped 1.17.12 the same day, "update NOW!"). In Phoca Download (com_phocadownload) through 6.1.2, the non-default frontend member-upload feature runs under a different internal upload mode than the one the allow-list check was written for, so the configured file-type restriction is never consulted and a registered member can upload and execute a .php file into the public user-upload folder — authenticated RCE that requires an account plus the member-upload feature enabled (CVE-2026-57828, CVSS 4.0 9.0, fixed in 6.1.3) (mySites.guru, 2026-07-10).

Neither flaw has a published proof-of-concept and neither is confirmed exploited yet, but the wave's earlier members have a short track record from disclosure to in-the-wild abuse: JoomShaper SP Page Builder (CVE-2026-48908), Joomlack Page Builder CK (CVE-2026-56290), Balbooa Forms (CVE-2026-56291) and iCagenda (CVE-2026-48939) all carry the same unauthenticated-or-low-auth file-upload primitive, and several were added to CISA's KEV catalog within days — iCagenda after confirmed zero-day exploitation (mySites.guru, 2026-07-10). Joomla is heavily used across Swiss and European municipal and public-sector websites, and extension-level exposure is independent of core-Joomla patch status, so an otherwise up-to-date site can still be exposed through either component.

any attacker, without having an account on your website, can upload a .php file in your /downloads directory and execute it.

RSJoomla! (vendor advisory, quoted by mySites.guru)

A logged-in user could upload a file type that should have been rejected, such as a `.php` script, into the public user-upload folder and then run it.

mySites.guru 2026-07-10

Defender actions

  • Update RSFiles! (com_rsfiles) to ≥ 1.17.12 on every Joomla site now — this is unauthenticated RCE reachable by anyone, not a maintenance-window update — then check the component's web-root /downloads directory for stray .php/.phtml files and review admin accounts for tampering.
  • Update Phoca Download (com_phocadownload) to ≥ 6.1.3; if the frontend member-upload feature was enabled (it is off by default), treat as a priority and hunt the user-upload folder for web shells. Disable member-upload where not required to remove the exposure entirely.
  • As defense-in-depth against the whole wave, configure the web server to deny script execution in Joomla extension upload/download directories.

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1505.003Server Software Component: Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.