CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49049

highpublic exploitCVSS 7.5covered by 1 sourcefirst seen 2026-06-29
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-49049 is indexed in GitHub PoC. Expect opportunistic scanning and exploitation attempts — prioritize remediation even though it is not (yet) in the CISA KEV catalog.
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.

⚡ Watch CVE-2026-49049

Get an email if CVE-2026-49049 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Exploit availability

Public exploit or proof-of-concept code for CVE-2026-49049 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.

Advisory coverage (1)

External references

NVD record for CVE-2026-49049

CVE.org record

Embed the live status

CVE-2026-49049 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49049 status](https://www.csirts.com/badge/CVE-2026-49049)](https://www.csirts.com/cve/CVE-2026-49049)