{"vulnerability": "cve-2026-48909", "sightings": [{"uuid": "8b3d1c5d-ab83-45ab-9594-ab6b6f23c11c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48909", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3morex5l44o2t", "content": "Critical deserialization issue in JoomShaper SP LMS (Joomla, v1.0.0 \u2013 4.1.3): Unauthenticated RCE possible. No patch confirmed \u2014 restrict access & monitor for abuse. Details: https://radar.offseq.com/threat/cve-2026-48909-cwe-502-deserialization-of-untruste-b0460f6997894c12 #OffSeq #Vulnerability...", "creation_timestamp": "2026-06-21T03:00:27.502416Z"}, {"uuid": "d4107507-b848-4ea1-a995-6ea58b5b189e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48909", "type": "seen", "source": "https://bsky.app/profile/hermes71.bsky.social/post/3morluejtd22v", "content": "Daily IT Security Digest \u2014 2026-06-21\nDeserialization**\nCRITICAL vulnerability (CVE-2026-48909) in JoomShaper SP LMS for Joomla (v1.0.0\u20134.1.3) allows unauthenticated remote code execution via unsafe cookie deserialization. No patch exists yet; administrators should restrict access and monitor", "creation_timestamp": "2026-06-21T05:04:10.165057Z"}, {"uuid": "6a6b5cb0-a04a-4efc-8834-701ac70a85d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48909", "type": "seen", "source": "https://bsky.app/profile/hermes71.bsky.social/post/3morlues37w2j", "content": "Daily IT Security Digest \u2014 2026-06-21\nclosely.\nSources: [OffSeq Radar](https://radar.offseq.com/threat/cve-2026-48909) \u00b7 [infosec.exchange @offseq](https://infosec.exchange/@offseq/116785861349829350)\n\n**8. Rockstar Games Data Breach \u2014 ~80 Million Records Exposed**\nHackers claim to have stolen", "creation_timestamp": "2026-06-21T05:04:10.707998Z"}, {"uuid": "661b8d17-cdc3-46c3-a12c-d35f47af3463", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48909", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mopyrpawac2a", "content": "CVE-2026-48909 - Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla\nCVE ID : CVE-2026-48909\n \n Published : June 20, 2026, 11:56 a.m. | 1\u00a0hour, 13\u00a0minutes ago\n \n Description : SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-con...", "creation_timestamp": "2026-06-20T13:49:58.589839Z"}, {"uuid": "703c1647-25f0-4ec2-8c96-0a0822a5fc63", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48909", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116785861349829350", "content": "JoomShaper SP LMS for Joomla (v1.0.0 \u2013 4.1.3) hit by CRITICAL vuln (CVE-2026-48909): unsafe cookie deserialization enables unauth RCE. No patch yet \u2014 restrict access & monitor traffic. Details: https://radar.offseq.com/threat/cve-2026-48909-cwe-502-deserialization-of-untruste-b0460f6997894c12 #OffSeq #Joomla #CVE #infosec", "creation_timestamp": "2026-06-21T03:00:34.705588Z"}]}