• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • Documentation
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • Developer Network
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

News

[20250901] - Core - Inadequate content filtering within the checkAttribute filter code

Details
Published: 30 September 2025
  • Project: Joomla! / Joomla! Framework
  • SubProject: CMS / filter
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
  • Exploit type: XSS
  • Reported Date: 2025-08-03
  • Fixed Date: 2025-09-30
  • CVE Number: CVE-2025-54476

Description

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3

Solution

Upgrade to version 4.4.14 or 5.3.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Flydragon, Poi, Cwy, Xtrimi

[20250902] - Core - User-Enumeration in passkey authentication method

Details
Published: 30 September 2025
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
  • Exploit type: User Enumeration
  • Reported Date: 2025-09-04
  • Fixed Date: 2025-09-30
  • CVE Number: CVE-2025-54477

Description

Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3

Solution

Upgrade to version 4.4.14 or 5.3.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Marco Schubert

[20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package

Details
Published: 02 April 2025
  • Project: Joomla!
  • SubProject: Framework
  • Impact: High
  • Severity: Low
  • Probability: Low
  • Versions: 1.0.0-2.1.1, 3.0.0-3.3.1
  • Exploit type: SQL Injection
  • Reported Date: 2025-03-17
  • Fixed Date: 2025-04-02
  • CVE Number: CVE-2025-25226

Description

Improper handling of identifiers lead to a SQL injection vulnerability in the quoteNameStr method of the database package.

Affected Installs

Database Package version: 1.0.0-2.1.1, 3.0.0-3.3.1

Please note: the affected method is a protected method. It has no usages in the original packages in neither the 2.x nor 3.x branch and therefore the vulnerability in question can not be exploited when using the original database class. However, classes extending the affected class might be affected, if the vulnerable method is used.

Solution

Upgrade to version 2.2.0 or 3.4.0

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Nicholas K. Dionysopoulos, akeeba.com

[20250402] - Core - MFA Authentication Bypass

Details
Published: 02 April 2025
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5
  • Exploit type: Authentication Bypass
  • Reported Date: 2025-03-20
  • Fixed Date: 2025-04-08
  • CVE Number: CVE-2025-25227

Description

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions: 4.0.0 - 4.4.12, 5.0.0 - 5.2.5

Solution

Upgrade to version 4.4.13 or 5.2.6

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Undisclosed Reporter

[20250301] - Core - Malicious file uploads via Media Manager

Details
Published: 11 March 2025
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Critical
  • Severity: Low
  • Probability: Low
  • Versions: 4.0.0-4.4.11, 5.0.0-5.2.4
  • Exploit type: Malicious file upload
  • Reported Date: 2025-02-25
  • Fixed Date: 2025-03-10
  • CVE Number: CVE-2025-22213

Description

Inadequate checks in the Media Manager allowed users with "edit" privileges to create executable PHP files.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.11, 5.0.0-5.2.4

Solution

Upgrade to version 4.4.12 or 5.2.5

Contact

The JSST at the Joomla! Security Centre.

Reported By:  ErPaciocco

Page 1 of 56

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. News
  4. Security Centre

Joomla! CMS

  • Current Release Joomla! CMS 5 5.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 2.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Security Announcements
  • Report Security Issues
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Twitter
  • Joomla! on Facebook
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • Docs
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in

© 2005 - 2025 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.