• About us
    • Joomla Home
    • What is Joomla?
    • Benefits & Features
    • Project & Leadership
    • Trademark & Licensing
    • The Joomla Foundation
    • Support us
    • Contribute
    • Sponsor
    • Partner
    • Shop
    • Downloads
    • Extensions
    • Languages
    • Get a free site
    • Get a domain
    • User Guide
    • Training
    • Certification
    • Site Showcase
    • Announcements
    • Blogs
    • Magazine
    • Community Portal
    • Events
    • User Groups
    • Forum
    • Service Providers Directory
    • Volunteers Portal
    • Vulnerable Extensions List
    • What is Joomla Academy?
    • What is Google Summer of Code (GSoc)
    • Joomla License FAQs
    • Developer Network
    • Developer Manual
    • Security Centre
    • Issue Tracker
    • GitHub
    • API Documentation
    • Joomla! Framework

Joomla! Developer Network™

Download
Launch
  • Home
  • News
  • Project Roadmap
  • CMS
  • Framework
  • Tracker
  • About
  • Security

News

[20260712] - Core - Incorrect Access Control in com_fields webservice endpoints

Details
Published: 07 July 2026
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-05-05
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48958

Description

An improper access check allows unauthorized users to create custom fields via webservices endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Federico Brasili

[20260711] - Core - Incorrect Access Control in com_privacy webservice endpoints

Details
Published: 07 July 2026
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-06-12
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48957

Description

An improper access check allows unauthorized users to access com_privacy datasets.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Himanshu Anand

[20260710] - Core - Incorrect Access Control in com_modules

Details
Published: 07 July 2026
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.6, 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-05-22
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48956

Description

An improper access check allows users to display a list of modules in the frontend.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.6, 6.0.0-6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Warisjeet Singh (sin99xx)

[20260709] - Core - Incorrect Access Control in com_workflow

Details
Published: 07 July 2026
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 6.0.0-6.1.1
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-22
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48955

Description

An improper access check allows unauthorized users to access workflow stage and transition information.

Affected Installs

Joomla! CMS versions 6.0.0-6.1.1

Solution

Upgrade to version 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  廖双

[20260708] - Core - XSS through language overrides

Details
Published: 07 July 2026
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 3.0.0-5.4.6,6.0.0-6.1.1
  • Exploit type: XSS
  • Reported Date: 2026-05-15
  • Fixed Date: 2026-07-07
  • CVE Number: CVE-2026-48954

Description

Improper validation leads to a generic XSS vector in the language override feature.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.1

Solution

Upgrade to version 5.4.7, 6.1.2

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Morris Baumgarten-Egemole

Page 1 of 64

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  1. You are here:  
  2. Home
  3. News
  4. Security Centre

Joomla! CMS

  • Current Release Joomla! CMS 6 6.x
  • View known Issues
  • Development Status
  • Download Nightly builds

Joomla! Framework

  • Current Release Joomla! Framework Logo 4.x
  • Development Status

Resources

  • Development Strategy
  • Product Strategy
  • Planned Features
  • Security Announcements
  • Report Security Issues
  • Generative AI policy
  • Usage Statistics
  • Statistics API Documentation
  • Joomla! API Documentation
  • Coding Standards Manual
  • JoomlaCode Archive

Mailing Lists

  • Developer Network Newsletter
  • General Extensions Mailing
  • CMS Mailing
  • Framework Mailing
  • Documentation Mailing

  • Joomla! on Facebook
  • Joomla! on X
  • Joomla! on Bluesky
  • Joomla! on Threads
  • Joomla! on YouTube
  • Joomla! on LinkedIn
  • Joomla! on Pinterest
  • Joomla! on Instagram
  • Joomla! on GitHub
  • Home
  • About
  • Community
  • Forum
  • Extensions
  • Services
  • User Guide
  • Developer
  • Shop
  • Accessibility Statement
  • Privacy Policy
  • Cookie Policy
  • Sponsor Joomla! with $5
  • Help Translate
  • Report an Issue
  • Log in
 A Digital Public Good.

© 2005 - 2026 Open Source Matters, Inc. All Rights Reserved.

Rochen
Joomla! Hosting by Rochen
We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.