Developer Network™

Download
Launch

News

[20260301] - Core - ACL hardening in com_ajax

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Probability: Moderate
  • Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-03-11
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21629

Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  JSST

[20260302] - Core - SQL injection in com_content articles webservice endpoint

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Low
  • Probability: Moderate
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: SQLi
  • Reported Date: 2026-03-05
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21630

Description

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack

[20260303] - Core - XSS vector in com_associations comparison view

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: XSS
  • Reported Date: 2026-03-11
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21631

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke

[20260304] - Core - XSS vectors in various article title outputs

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: XSS
  • Reported Date: 2026-03-10
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-21632

Description

Lack of output escaping for article titles leads to XSS vectors in various locations.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  peter vanderhulst

[20260305] - Core - Arbitrary file deletion in com_joomlaupdate

Details
  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
  • Exploit type: Arbitrary File Deletion
  • Reported Date: 2026-03-16
  • Fixed Date: 2026-03-31
  • CVE Number: CVE-2026-23898

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Phil Taylor

Page 1 of 57