CVE-2025-54473

9.2

Critical

Published:15 Aug 2025

Last updated:17 Jun 2026

Source:security@joomla.org

Deferred

Weakness (CWE)

CWE-434Unrestricted File Upload

CVSS Vector

v4.0

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High
User Interaction: None
Confidentiality (Vulnerable): High
Integrity (Vulnerable): High
Availability (Vulnerable): High
Confidentiality (Subsequent): High
Integrity (Subsequent): None
Availability (Subsequent): None

View on MITRE Find PoC on GitHub

Description

An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature.

References

security@joomla.org

https://phoca.cz/