Security Announcements
This feed provides announcements of resolved security issues in Joomla! software releases.
For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.
To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.
You can subscribe to notifications from this feed through a RSS reader.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.5, 6.0.0-6.1.0
- Exploit type: XSS
- Reported Date: 2026-04-01
- Fixed Date: 2026-05-26
- CVE Number: CVE-2026-25901
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.5, 6.0.0-6.1.0
Solution
Upgrade to version 5.4.6 or 6.1.1
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 3.0.0-5.4.5, 6.0.0-6.1.0
- Exploit type: XSS
- Reported Date: 2026-03-28
- Fixed Date: 2026-05-26
- CVE Number: CVE-2026-25900
Description
Affected Installs
Joomla! CMS versions 3.0.0-5.4.5, 6.0.0-6.1.0
Solution
Upgrade to version 5.4.6 or 6.1.1
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Probability: Moderate
- Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
- Exploit type: Incorrect Access Control
- Reported Date: 2026-03-11
- Fixed Date: 2026-03-31
- CVE Number: CVE-2026-21629
Description
Affected Installs
Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3
Solution
Upgrade to version 5.4.4 or 6.0.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Probability: Moderate
- Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
- Exploit type: SQLi
- Reported Date: 2026-03-05
- Fixed Date: 2026-03-31
- CVE Number: CVE-2026-21630
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3
Solution
Upgrade to version 5.4.4 or 6.0.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
- Exploit type: XSS
- Reported Date: 2026-03-11
- Fixed Date: 2026-03-31
- CVE Number: CVE-2026-21631
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3
Solution
Upgrade to version 5.4.4 or 6.0.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
- Exploit type: XSS
- Reported Date: 2026-03-10
- Fixed Date: 2026-03-31
- CVE Number: CVE-2026-21632
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3
Solution
Upgrade to version 5.4.4 or 6.0.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: High
- Probability: Low
- Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
- Exploit type: Arbitrary File Deletion
- Reported Date: 2026-03-16
- Fixed Date: 2026-03-31
- CVE Number: CVE-2026-23898
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3
Solution
Upgrade to version 5.4.4 or 6.0.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: High
- Probability: Low
- Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
- Exploit type: Incorrect Access Control
- Reported Date: 2026-03-09
- Fixed Date: 2026-03-31
- CVE Number: CVE-2026-23899
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3
Solution
Upgrade to version 5.4.4 or 6.0.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-5.4.1, 6.0.0-6.0.1
- Exploit type: XSS
- Reported Date: 2025-11-14
- Fixed Date: 2026-01-06
- CVE Number: CVE-2025-63082
Description
Affected Installs
Joomla! CMS versions 4.0.0-5.4.1, 6.0.0-6.0.1
Solution
Upgrade to version 5.4.2 or 6.0.2
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 3.9.0-5.4.1, 6.0.0-6.0.1
- Exploit type: XSS
- Reported Date: 2025-09-29
- Fixed Date: 2026-01-06
- CVE Number: CVE-2025-63083
Description
Affected Installs
Joomla! CMS versions 3.9.0-5.4.1, 6.0.0-6.0.1
Solution
Upgrade to version 5.4.2 or 6.0.2
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla! / Joomla! Framework
- SubProject: CMS / filter
- Impact: Moderate
- Severity: Moderate
- Probability: Moderate
- Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
- Exploit type: XSS
- Reported Date: 2025-08-03
- Fixed Date: 2025-09-30
- CVE Number: CVE-2025-54476
Description
Affected Installs
Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
Solution
Upgrade to version 4.4.14 or 5.3.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Probability: Low
- Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
- Exploit type: User Enumeration
- Reported Date: 2025-09-04
- Fixed Date: 2025-09-30
- CVE Number: CVE-2025-54477
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3
Solution
Upgrade to version 4.4.14 or 5.3.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: Framework
- Impact: High
- Severity: Low
- Probability: Low
- Versions: 1.0.0-2.1.1, 3.0.0-3.3.1
- Exploit type: SQL Injection
- Reported Date: 2025-03-17
- Fixed Date: 2025-04-02
- CVE Number: CVE-2025-25226
Description
Affected Installs
Database Package version: 1.0.0-2.1.1, 3.0.0-3.3.1
Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.
Solution
Upgrade to version 2.2.0 or 3.4.0
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Moderate
- Probability: Moderate
- Versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
- Exploit type: Authentication Bypass
- Reported Date: 2025-03-20
- Fixed Date: 2025-04-08
- CVE Number: CVE-2025-25227
Description
Affected Installs
Joomla! CMS versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
Solution
Upgrade to version 4.4.13 or 5.2.6
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Critical
- Severity: Low
- Probability: Low
- Versions: 4.0.0-4.4.11, 5.0.0-5.2.4
- Exploit type: Malicious file upload
- Reported Date: 2025-02-25
- Fixed Date: 2025-03-10
- CVE Number: CVE-2025-22213
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.11, 5.0.0-5.2.4
Solution
Upgrade to version 4.4.12 or 5.2.5
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Probability: Low
- Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
- Exploit type: ACL Violation
- Reported Date: 2024-08-26
- Fixed Date: 2025-01-07
- CVE Number: CVE-2024-40749
Description
Affected Installs
Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
Solution
Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: High
- Severity: Low
- Probability: Low
- Versions: 4.1.0-4.4.10, 5.0.0-5.2.3
- Exploit type: SQL Injection
- Reported Date: 2024-12-10
- Fixed Date: 2025-02-18
- CVE Number: CVE-2025-22207
Description
Affected Installs
Joomla! CMS versions 4.1.0-4.4.10, 5.0.0-5.2.3
Solution
Upgrade to version 4.4.11 or 5.2.4
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Probability: Low
- Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
- Exploit type: XSS
- Reported Date: 2024-09-19
- Fixed Date: 2025-01-07
- CVE Number: CVE-2024-40748
Description
Affected Installs
Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2
Solution
Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-4.4.9, 5.0.0-5.2.2
- Exploit type: XSS
- Reported Date: 2024-08-29
- Fixed Date: 2025-01-07
- CVE Number: CVE-2024-40747
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2
Solution
Upgrade to version 4.4.10 or 5.2.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Probability: Low
- Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
- Exploit type: XSS
- Reported Date: 2024-07-22
- Fixed Date: 2024-08-20
- CVE Number: CVE-2024-40743
Description
Affected Installs
Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Solution
Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Probability: Low
- Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
- Exploit type: XSS
- Reported Date: 2024-07-22
- Fixed Date: 2024-08-20
- CVE Number: CVE-2024-27187
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2
Solution
Upgrade to version 4.4.7 or 5.1.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Moderate
- Versions: 4.0.0-4.4.6, 5.0.0-5.1.2
- Exploit type: XSS
- Reported Date: 2024-07-22
- Fixed Date: 2024-08-20
- CVE Number: CVE-2024-27186
Description
Affected Installs
Joomla! CMS versions 4.0.0-4.4.6, 5.0.0-5.1.2
Solution
Upgrade to version 4.4.7 or 5.1.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Probability: Low
- Versions: 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
- Exploit type: Cache Poisoning
- Reported Date: 2024-05-23
- Fixed Date: 2024-08-20
- CVE Number: CVE-2024-27185
Description
Affected Installs
Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
Solution
Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Probability: Low
- Versions: 3.4.6-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2
- Exploit type: Open redirect
- Reported Date: 2024-03-20
- Fixed Date: 2024-08-20
- CVE Number: CVE-2024-27184
Description
Affected Installs
Joomla! CMS versions 3.4.6-3.10.16-elts,4.0.0-4.4.6, 5.0.0-5.1.2
Solution
Upgrade to version 3.10.17-elts, 4.4.7 or 5.1.3
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Moderate
- Probability: Low
- Versions: 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
- Exploit type: XSS
- Reported Date: 2024-06-09
- Fixed Date: 2024-07-09
- CVE Number: CVE-2024-26278
Description
Affected Installs
Joomla! CMS versions 3.7.0-3.10.15-elts, 4.0.0-4.4.5, 5.0.0-5.1.1
Solution
Upgrade to version 3.10.16-elts, 4.4.6 or 5.1.2
Contact
The JSST at the Joomla! Security Centre.