• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

[20260712] - Core - Incorrect Access Control in com_fields webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-05-05
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48958

Description

An improper access check allows unauthorized users to create custom fields via webservices endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Federico Brasili

[20260711] - Core - Incorrect Access Control in com_privacy webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-06-12
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48957

Description

An improper access check allows unauthorized users to access com_privacy datasets.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Himanshu Anand

[20260710] - Core - Incorrect Access Control in com_modules

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-05-22
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48956

Description

An improper access check allows users to display a list of modules in the frontend.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Warisjeet Singh (sin99xx)

[20260709] - Core - Incorrect Access Control in com_workflow

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-22
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48955

Description

An improper access check allows unauthorized users to access workflow stage and transition information.

Affected Installs

Joomla! CMS versions 6.0.0-6.1.1

Solution

Upgrade to version 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  廖双

[20260708] - Core - XSS through language overrides

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-15
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48954

Description

Improper validation leads to a generic XSS vector in the language override feature.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Morris Baumgarten-Egemole

[20260707] - Core - XSS in the generic image output layout

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-15
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48953

Description

Lack of escaping leads to an XSS vulnerability in the generic image output layout.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Pavel Kohout, Aisle Research

[20260706] - Core - XSS in com_installer

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-21
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48952

Description

Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  廖双

[20260705] - Core - XSS in various modalreturn layouts

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-07
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48951

Description

Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jorian Woltjer

[20260704] - Core - XSS in com_templates

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-07
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48950

Description

Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jorian Woltjer

[20260703] - Core - XSS in MFA method management

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.2.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-07
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48949

Description

Lack of validation leads to an XSS vulnerability in the MFA management views.

Affected Installs

Joomla! CMS versions 4.2.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jorian Woltjer

[20260702] - Core - Incorrect Access Control in com_contact vcf download

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-05-07
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48948

Description

An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jorian Woltjer

[20260701] - Core - Incorrect Access Control in com_media webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Probability: Low
  • Versions: 4.1.0-5.4.6,6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-05-05
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48947

Description

An improper access check allows privileged users to overwrite media files without editing permissions.

Affected Installs

Joomla! CMS versions 4.1.0-5.4.6,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Federico Brasili

[20260520] - Framework - Inadequate content filtering within the cleanAttributes filter code

  • Project: Joomla!
  • SubProject: Framewok
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 3.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: XSS
  • Reported Date: 2026-05-04
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48905

Description

Lack of input filtering leads to an XSS vector in the HTML filter code.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Jesper den Boer

[20260519] - Framework - Inadequate content filtering within the checkAttribute filter code

  • Project: Joomla!
  • SubProject: Framewok
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 3.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: XSS
  • Reported Date: 2026-04-21
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48903

Description

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  JSST

[20260518] - Core - Transport encryption downgrade for password and username reset links

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 3.9.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Mixed Content
  • Reported Date: 2026-04-20
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48902

Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

Affected Installs

Joomla! CMS versions 3.9.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ZeroXJacks, Github

[20260517] - Core - Incorrect Cache Key Construction for InputFilter objects

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Incorrect Cache Key Construction
  • Reported Date: 2025-11-14
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48901

Description

The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ZeroXJacks, Github

[20260516] - Core - Incorrect Access Control in com_scheduler

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Probability: Low
  • Versions: 4.1.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-29
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48900

Description

An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

Affected Installs

Joomla! CMS versions 4.1.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Federico Brasili, Linkedin

[20260515] - Core - Incorrect Access Control in sample data plugins

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-23
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48899

Description

An improper access check allow unauthorized users to perform actions related to the installation of sampledata.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  廖双, JSST

[20260514] - Core - Privilege escalation through com_users webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Privilege Escalation
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48904

Description

An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Christos Papakonstantinou, Cantina

[20260513] - Core - Privilege escalation through com_users batch task

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Privilege Escalation
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48898

Description

An improper access check allows privlege escalation through the com_users batch task.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Adrian Junge aka vulno, Christos Papakonstantinou, Cantina

[20260512] - Core - MFA Authentication Bypass

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Authentication Bypass
  • Reported Date: 2026-04-01
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48897

Description

Incorrectly resetted session states to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Morris Baumgarten-Egemole

[20260511] - Core - MFA Authentication Bypass

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Authentication Bypass
  • Reported Date: 2026-04-01
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48896

Description

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Doyensec in collaboration with Claude and Anthropic Research, Christos Papakonstantinou, Cantina

[20260510] - Core - Path traversal in com_media webservice endpoint

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Path traversal
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-40384

Description

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Doyensec in collaboration with Claude and Anthropic Research

[20260509] - Core - LFI in HTMLView layout parameter

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 3.2.1-5.4.5,6.0.0-6.1.0
  • Exploit type: Local File Inclusion
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-40383

Description

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

Affected Installs

Joomla! CMS versions 3.2.1-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Doyensec in collaboration with Claude and Anthropic Research

[20260508] - Core - Improper access check in com_config webservice endpoints

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-35223

Description

An improper access check allows unauthorized access to com_config webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Rishi Shakya, Qi Deng

Page 1 of 13

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. Security Announcements

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.