CVE-2026-49049

HIGH

Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-49049 has been observed exploited in the wild (reported by ENISA EUVD). EIP tracks 4 public exploits from researchers including ExDev994, Dr-D25, frada321.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-49049, an unauthenticated remote code execution vulnerability in Helix3 Joomla templates (JoomShaper). The exploit leverages arbitrary file write via path traversal in the AJAX handler to drop a webshell and achieve RCE.

Description

The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.

Exploits (4)

github WORKING POC
by ExDev994 · pythonpoc
https://github.com/ExDev994/CVE-2026-49049

This repository contains a functional exploit for CVE-2026-49049, an unauthenticated remote code execution vulnerability in Helix3 Joomla templates (JoomShaper). The exploit leverages arbitrary file write via path traversal in the AJAX handler to drop a webshell and achieve RCE.

Classification
Working Poc 98%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Helix3 Joomla templates (JoomShaper) versions before 3.1.1
No auth needed
Prerequisites: Target must have a vulnerable version of Helix3 Joomla template installed · AJAX endpoint (/index.php?option=com_ajax&plugin=helix3&format=json) must be accessible
mistral-large-3 · analyzed Jul 14, 2026 Full analysis →
github WORKING POC
by Dr-D25 · shellpoc
https://github.com/Dr-D25/CVE-2026-49049

This repository provides a functional PoC for CVE-2026-49049, an unauthenticated arbitrary file write vulnerability in JoomShaper Helix3 (Joomla) via path traversal in the `layoutName` parameter. The exploit demonstrates how to write a JSON file to an arbitrary location on the server.

Classification
Working Poc 98%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: JoomShaper Helix3 (Joomla) versions 1.0 to 3.1.0
No auth needed
Prerequisites: Target must have JoomShaper Helix3 plugin installed (versions 1.0-3.1.0) · AJAX endpoint (`com_ajax`) must be accessible · Attacker must know or guess writable paths on the target server
mistral-large-3 · analyzed Jul 10, 2026 Full analysis →
nomisec STUB
by frada321 · poc
https://github.com/frada321/asdsadsadasdasdsadsad

The repository contains an empty README.md file with no technical details, exploit code, or vulnerability analysis. It appears to be a placeholder or incomplete submission with no functional content.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
mistral-large-3 · analyzed Jul 06, 2026 Full analysis →
github SCANNER
by shinthink · pythonpoc
https://github.com/shinthink/CVE-2026-49049

This repository provides a non-destructive scanner for CVE-2026-49049, an unauthenticated AJAX handler vulnerability in the Helix3 Joomla template framework (versions 1.0-3.1.0). The tool detects accessible endpoints (`save`, `remove`, `import`) without exploiting them, using a temporary probe file that is immediately cleaned up.

Classification
Scanner 99%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Helix3 Joomla Plugin (JoomShaper) versions 1.0 through 3.1.0
No auth needed
Prerequisites: Joomla installation with Helix3 template framework (versions 1.0-3.1.0) · Unauthenticated access to the `com_ajax` endpoint
mistral-large-3 · analyzed Jul 04, 2026 Full analysis →

References (1)

Core 1
Core References
Product product
https://www.joomshaper.com/

Scores

CVSS v3 7.5
EPSS 0.0023
EPSS Percentile 13.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

ENISA EUVD EUVD-2026-40122
CWE
CWE-284
Status published
Products (2)
joomshaper.com/Helix3 extension for Joomla 1.0-3.1.1
ollyo/helix3 1.0 - 3.1.1
Published Jun 29, 2026
Tracked Since Jun 29, 2026