CVE-2016-9838

HIGH LAB

Joomla! < 3.6.4 - Improper Access Control via Registration Form Session Data

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-9838. PoCs published by Charles Fol, cved-sources.

AI-analyzed exploit summary This exploit leverages a vulnerability in Joomla! <= 3.6.4 to take over an admin account by manipulating the registration form to associate a new user with an existing admin ID. It bypasses password validation by first submitting mismatched passwords and then resubmitting with matching passwords.

Description

An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.

Exploits (2)

exploitdb WORKING POC

by Charles Fol · pythonwebappsphp

https://www.exploit-db.com/exploits/41157

View Code ZIP pw:eip

This exploit leverages a vulnerability in Joomla! <= 3.6.4 to take over an admin account by manipulating the registration form to associate a new user with an existing admin ID. It bypasses password validation by first submitting mismatched passwords and then resubmitting with matching passwords.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Joomla! <= 3.6.4

No auth needed

Prerequisites: Access to the Joomla! registration page · Knowledge of an existing admin user ID

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by cved-sources · poc

https://github.com/cved-sources/cve-2016-9838

View Code ZIP pw:eip

This repository provides a Dockerized environment for Joomla 3.6.4, which is vulnerable to CVE-2016-9838. The setup includes a pre-configured Joomla installation with a database, allowing for testing of the vulnerability in an isolated container.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Joomla 3.6.4

No auth needed

Prerequisites: Docker environment · Basic knowledge of Joomla exploitation

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory x_refsource_confirm

https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41157/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/94893

Scores

CVSS v3 7.5

EPSS 0.1410

EPSS Percentile 96.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull cved/base-lamp

https://github.com/cved-sources/cve-2016-9838

View in Library

Details

CWE

CWE-284

Status published

Products (1)

joomla/joomla\! < 3.6.4

Published Dec 16, 2016

Tracked Since Feb 18, 2026