Joomla! Password and Username Reset Link Downgrade Vulnerability

Vulnerability

A vulnerability exists in Joomla! CMS versions 3.9.0 prior to 5.4.5 and 6.0.0 prior to 6.1.0: the password and username reset features built plain http:// links even when the user's request arrived over HTTPS, unless the 'Force SSL' option was explicitly enabled. The scheme of the generated link was taken from that configuration flag rather than from the transport the request actually used, so a site served over HTTPS with Force SSL left off emailed reset links that are followed over unencrypted HTTP. The result is a mixed content condition in which the one-time reset link is the element that is downgraded.

Impact

When the user follows the emailed link, the request that carries the reset token travels over plain HTTP, so anyone positioned on the network path could read it in transit, and any session that continues on the http:// origin afterwards is likewise unencrypted. Although commonly described as a mixed content issue, the practical effect is a transport downgrade of the most sensitive step in the password and username reset process.

Remediation

Upgrade to Joomla! CMS version 5.4.6 or 6.1.1. Until the upgrade is applied, enabling the Force SSL option (the `$force_ssl` setting in configuration.php, labelled Force HTTPS under Global Configuration > Server) makes the reset features emit https:// links, which is the workaround the affected-condition above implies. A web server redirect from HTTP to HTTPS, or an HSTS policy the browser has already cached, narrows the exposure but does not remove it: with a redirect the first request for the link still leaves the client in plaintext, and HSTS does not apply to a browser or mail client that has never seen the header. After deploying the fix, trigger a reset on a staging instance reached over HTTPS and confirm the link in the resulting email uses https://.
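The following is an added example, not Joomla's code or patch. It shows the scheme-selection mistake described under Vulnerability side by side with an assumed fix (the scheme follows the request rather than only the Force SSL flag), and a check that scans an outbound reset mail for token-bearing links that would be fetched over plain HTTP, which is the post-deployment verification suggested above. The reset path, query parameter names, host name, token value and the sample mail body are all constructed for illustration and are not the exact values Joomla uses.

```python
"""Added example, not Joomla's code: the scheme-selection mistake described
above, an assumed fix, and a check to run over an outbound reset mail."""
import re
from urllib.parse import urlencode, urlsplit

# Illustrative reset endpoint; the path and parameter names are assumptions,
# not the exact values Joomla uses.
RESET_PATH = "/index.php"
RESET_QUERY = {"option": "com_users", "view": "reset", "layout": "confirm"}


def _reset_url(scheme, host, token):
    query = urlencode({**RESET_QUERY, "token": token})
    return f"{scheme}://{host}{RESET_PATH}?{query}"


def reset_link_vulnerable(host, token, force_ssl, request_is_https):
    """Vulnerable pattern: the scheme depends only on the Force SSL flag.
    An HTTPS request with force_ssl == 0 therefore produces an http:// link;
    request_is_https is ignored on purpose to mirror the flaw."""
    scheme = "https" if force_ssl else "http"
    return _reset_url(scheme, host, token)


def reset_link_fixed(host, token, force_ssl, request_is_https):
    """Hardened pattern (an assumed fix, not Joomla's actual patch): never
    emit a scheme weaker than the one the request arrived on."""
    scheme = "https" if (force_ssl or request_is_https) else "http"
    return _reset_url(scheme, host, token)


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def downgraded_reset_links(mail_body, request_is_https=True):
    """Return every link in an outbound mail body that carries a reset token
    over plain HTTP although the user started the flow over HTTPS. Run this
    against a reset mail captured from a staging site after deploying a fix."""
    if not request_is_https:
        return []  # a site served over plain HTTP cannot be downgraded further
    hits = []
    for url in URL_RE.findall(mail_body):
        parts = urlsplit(url)
        if parts.scheme == "http" and "token=" in parts.query:
            hits.append(url)
    return hits


# Constructed sample: a reset mail as the vulnerable code would send it for a
# site reached over HTTPS with Force SSL left off, plus an unrelated https link.
HOST = "cms.example.test"      # assumed host name
TOKEN = "0123456789abcdef"     # constructed token, not a real one
SAMPLE_MAIL = (
    "Someone requested a password reset.\n"
    "Use this link: "
    + reset_link_vulnerable(HOST, TOKEN, force_ssl=0, request_is_https=True)
    + "\n"
    "Site home: https://" + HOST + "/\n"
)

if __name__ == "__main__":
    print("vulnerable:", reset_link_vulnerable(HOST, TOKEN, 0, True))
    print("fixed:     ", reset_link_fixed(HOST, TOKEN, 0, True))
    for url in downgraded_reset_links(SAMPLE_MAIL):
        print("downgraded link found:", url)
```

The check deliberately keys on the scheme of the link in the mail rather than on what the server does afterwards: a redirect or a cached HSTS policy may rescue the request in some clients, but the mail is the artifact the user receives, and an http:// token link in it is the defect.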

Added: May 26, 2026, 10:57 PM
Updated: May 26, 2026, 10:57 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.5
exploitability: 6.4
remediation: 7.7
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.