9.8
CVE-2026-48902: Apache HTTP Server: Unencrypted links for password reset
CVE-2026-48902
Summary
The Apache HTTP Server's password and username reset features may generate plain http (unencrypted) links, even for https connections, if the 'Force SSL' flag isn't explicitly set. This could allow attackers to intercept sensitive information. To fix this, ensure the 'Force SSL' flag is set, or upgrade to a version that includes the necessary fix.
Original title
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Original description
The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
Published: 26 May 2026 · Updated: 30 May 2026 · First seen: 26 May 2026