• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20260502] - Core - XSS in com_associations

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5, 6.0.0-6.1.0
  • Exploit type: XSS
  • Reported Date: 2026-04-01
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-25901

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  vnth4nhnt from CyStack, Pavel Kohout from Aisle Research

[20260501] - Core - XSS in feed modules

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-5.4.5, 6.0.0-6.1.0
  • Exploit type: XSS
  • Reported Date: 2026-03-28
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-25900

Description

Lack of output escaping leads to a XSS vector in the feed modules.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Mohamed Elabbas, Sun Huang

[20260301] - Core - ACL hardening in com_ajax

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Moderate
  • Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-03-11
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21629

Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  JSST

[20260302] - Core - SQL injection in com_content articles webservice endpoint

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Probability: Moderate
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: SQLi
  • Reported Date: 2026-03-05
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21630

Description

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack

[20260303] - Core - XSS vector in com_associations comparison view

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: XSS
  • Reported Date: 2026-03-11
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21631

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke

[20260304] - Core - XSS vectors in various article title outputs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: XSS
  • Reported Date: 2026-03-10
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21632

Description

Lack of output escaping for article titles leads to XSS vectors in various locations.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  peter vanderhulst

[20260305] - Core - Arbitrary file deletion in com_joomlaupdate

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: Arbitrary File Deletion
  • Reported Date: 2026-03-16
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-23898

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

[20260306] - Core - Improper access check in webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-03-09
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-23899

Description

An improper access check allows unauthorized access to webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  vnth4nhnt from CyStack

[20260101] - Core - Inadequate content filtering for data URLs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.1, 6.0.0-6.0.1
  • Exploit type: XSS
  • Reported Date: 2025-11-14
  • Fixed Date: 2026-01-06
  • CVE Number: CVE-2025-63082

Description

Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.1, 6.0.0-6.0.1

Solution

Upgrade to version 5.4.2 or 6.0.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Sho Sugiyama of SUZUKI MOTOR CORPORATION

[20260102] - Core - XSS vectors in the pagebreak and pagenavigation plugins

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.9.0-5.4.1, 6.0.0-6.0.1
  • Exploit type: XSS
  • Reported Date: 2025-09-29
  • Fixed Date: 2026-01-06
  • CVE Number: CVE-2025-63083

Description

Lack of output escaping leads to a XSS vector in the pagebreak and pagenavigation plugins.

Affected Installs

Joomla! CMS versions 3.9.0-5.4.1, 6.0.0-6.0.1

Solution

Upgrade to version 5.4.2 or 6.0.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  peterhulst

[20250901] - Core - Inadequate content filtering within the checkAttribute filter code

  • Project: Joomla! / Joomla! Framework
  • SubProject: CMS / filter
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
  • Exploit type: XSS
  • Reported Date: 2025-08-03
  • Fixed Date: 2025-09-30
  • CVE Number: CVE-2025-54476

Description

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3

Solution

Upgrade to version 4.4.14 or 5.3.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Flydragon, Poi, Cwy, Xtrimi

[20250902] - Core - User-Enumeration in passkey authentication method

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
  • Exploit type: User Enumeration
  • Reported Date: 2025-09-04
  • Fixed Date: 2025-09-30
  • CVE Number: CVE-2025-54477

Description

Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3

Solution

Upgrade to version 4.4.14 or 5.3.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Marco Schubert

[20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package

  • Project: Joomla!
  • SubProject: Framework
  • Impact: High
  • Severity: Low
  • Probability: Low
  • Versions: 1.0.0-2.1.1, 3.0.0-3.3.1
  • Exploit type: SQL Injection
  • Reported Date: 2025-03-17
  • Fixed Date: 2025-04-02
  • CVE Number: CVE-2025-25226

Description

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package.

Affected Installs

Database Package version: 1.0.0-2.1.1, 3.0.0-3.3.1

Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.

Solution

Upgrade to version 2.2.0 or 3.4.0

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Nicholas K. Dionysopoulos, akeeba.com

[20250402] - Core - MFA Authentication Bypass

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
  • Exploit type: Authentication Bypass
  • Reported Date: 2025-03-20
  • Fixed Date: 2025-04-08
  • CVE Number: CVE-2025-25227

Description

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5

Solution

Upgrade to version 4.4.13 or 5.2.6

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Undisclosed Reporter

[20250301] - Core - Malicious file uploads via Media Manager

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.4.11, 5.0.0-5.2.4
  • Exploit type: Malicious file upload
  • Reported Date: 2025-02-25
  • Fixed Date: 2025-03-10
  • CVE Number: CVE-2025-22213

Description

Inadequate checks in the Media Manager allowed users with "edit" privileges to create executable PHP files.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.11, 5.0.0-5.2.4

Solution

Upgrade to version 4.4.12 or 5.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ErPaciocco

[20250103] - Core - Read ACL violation in multiple core views

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
  • Exploit type: ACL Violation
  • Reported Date: 2024-08-26
  • Fixed Date: 2025-01-07
  • CVE Number: CVE-2024-40749

Description

Improper Access Controls allows access to protected views.

Affected Installs

Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

Solution

Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Dominik Ziegelmüller

[20250201] - Core - SQL injection vulnerability in Scheduled Tasks component

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Probability: Low
  • Versions: 4.1.0-4.4.10, 5.0.0-5.2.3
  • Exploit type: SQL Injection
  • Reported Date: 2024-12-10
  • Fixed Date: 2025-02-18
  • CVE Number: CVE-2025-22207

Description

Improperly built order clauses lead to a SQL injection vulnerability in the backend task list of com_scheduler

Affected Installs

Joomla! CMS versions 4.1.0-4.4.10, 5.0.0-5.2.3

Solution

Upgrade to version 4.4.11 or 5.2.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Calum Hutton, snyk.io

[20250102] - Core - XSS vector in the id attribute of menu lists

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
  • Exploit type: XSS
  • Reported Date: 2024-09-19
  • Fixed Date: 2025-01-07
  • CVE Number: CVE-2024-40748

Description

Lack of output escaping in the id attribute of menu lists.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2

Solution

Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Lokesh Dachepalli

[20250101] - Core - XSS vectors in module chromes

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-4.4.9, 5.0.0-5.2.2
  • Exploit type: XSS
  • Reported Date: 2024-08-29
  • Fixed Date: 2025-01-07
  • CVE Number: CVE-2024-40747

Description

Various module chromes didn't properly process inputs, leading to XSS vectors.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2

Solution

Upgrade to version 4.4.10 or 5.2.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Catalin Iovita

[20240805] - Core - XSS vectors in Outputfilter::strip* methods

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-40743

Description

The stripImages and stripIframes methods didn't properly process inputs, leading to XSS vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

[20240804] - Core - Improper ACL for backend profile view

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27187

Description

Improper Access Controls allows backend users to overwrite their username when disallowed.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elysee Franchuk

[20240803] - Core - XSS in HTML Mail Templates

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: XSS
  • Reported Date: 2024-07-22
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27186

Description

The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Elysee Franchuk

[20240802] - Core - Cache Poisoning in Pagination

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: Cache Poisoning
  • Reported Date: 2024-05-23
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27185

Description

The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Shane Edwards

[20240801] - Core - Inadequate validation of internal URLs

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
  • Exploit type: Open redirect
  • Reported Date: 2024-03-20
  • Fixed Date: 2024-08-20
  • CVE Number: CVE-2024-27184

Description

Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not.

Affected Installs

Joomla! CMS versions 3.4.6-3.10.16-elts,4.0.0-4.4.6, 5.0.0-5.1.2

Solution

Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Gareth Heyes (PortSwigger Research) & Teodor Ivanov

[20240705] - Core - XSS in com_fields default field value

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
  • Exploit type: XSS
  • Reported Date: 2024-06-09
  • Fixed Date: 2024-07-09
  • CVE Number: CVE-2024-26278

Description

The Custom Fields component not correctly filter inputs, leading to a XSS vector.

Affected Installs

Joomla! CMS versions 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1

Solution

Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

Page 2 of 13

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.