Arbitrary file upload in Phoca.cz Phoca Download Extension For Joomla
CVE-2026-57828
The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.
Vulnerability class: Unrestricted File Upload
Affected products
- Phoca.cz Phoca Download Extension For Joomla — versions 1.0-6.1.2
Weakness classification (CWE)
References
- security@joomla.org (product)
- security@joomla.org (third-party-advisory)