[20260518] - Core - Transport encryption downgrade for password and username reset links

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 3.9.0-5.4.5,6.0.0-6.1.0
Exploit type: Mixed Content
Reported Date: 2026-04-20
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48902

Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

Affected Installs

Joomla! CMS versions 3.9.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: ZeroXJacks, Github