CVE-2026-57830 is an unauthenticated arbitrary file deletion vulnerability in the Helix Ultimate extension for Joomla by JoomShaper. Affected versions are 1.0 through 2.2.6. The flaw allows a remote attacker, without authentication or user interaction, to cause deletion of files accessible to the vulnerable application. The available information identifies the issue as arbitrary file deletion but does not provide the specific vulnerable function, endpoint, or code path.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a small Python exploit set for an unauthenticated Joomla/JoomShaper Helix Ultimate vulnerability: one destructive PoC (helix_ultimate_delete_poc.py) and one non-destructive detector (helix_ultimate_detect.py), plus a detailed README documenting root cause, impact, and limitations. The exploit targets the Helix Ultimate system plugin's frontend com_ajax dispatch, specifically action=view-media for folder/image listing and action=delete-media for arbitrary file deletion or recursive folder deletion. Both scripts first fetch the target homepage and extract an anonymous CSRF token from HTML using regex, then POST to /index.php with option=com_ajax, helix=ultimate, request=task, and the chosen action. The delete PoC supports attacker-controlled paths and type=file/folder, including traversal examples using a single '/../' to escape one level above JPATH_ROOT and reach sibling directories on shared hosting. The detector safely proves exposure by listing /images only. The repository explicitly states this is a DoS and filesystem access issue, not RCE, and documents that an attempted installer-reexposure chain via deleting configuration.php was tested and disproved. Overall, this is a real, operational web exploit for unauthenticated read/list and delete capabilities against Helix Ultimate installations, with especially severe impact on shared-hosting environments.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.