Deserialization in JoomShaper.net SP LMS Extension for Joomla
CVE-2026-48909
SP LMS (com_splms) by JoomShaper, in versions before 4.1.4, deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server.
Vulnerability class: Insecure Deserialization
Affected products
- JoomShaper.net SP LMS Extension for Joomla — versions 1.0.0 through 4.1.3
Weakness classification (CWE)
References
- security@joomla.org (product)