## https://sploitus.com/exploit?id=B702BA44-2C7E-5689-A871-7FC6020F95FC
# CVE-2026-48909-Joomla-SP-Exploit
CVE-2026-48909 - Unauthenticated PHP Object Injection to RCE exploit for Joomla SP LMS extension versions <= 4.1.3. Exploits lmsOrders cookie deserialization to write webshell via Joomla FormattedtextLogger gadget chain. Includes interactive shell, path discovery, and cleanup. For authorized security testing only.