Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

Project: Joomla!
SubProject: Framewok
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 3.0.0-5.4.5,6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-05-04
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48905

Description

Lack of input filtering leads to an XSS vector in the HTML filter code.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: JSST

Project: Joomla!
SubProject: Framewok
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 3.0.0-5.4.5,6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-21
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48903

Description

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: JSST

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 3.9.0-5.4.5,6.0.0-6.1.0
Exploit type: Mixed Content
Reported Date: 2026-04-20
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48902

Description

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.

Affected Installs

Joomla! CMS versions 3.9.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: ZeroXJacks, Github

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Incorrect Cache Key Construction
Reported Date: 2025-11-14
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48901

Description

The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: ZeroXJacks, Github

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Probability: Low
Versions: 4.1.0-5.4.5,6.0.0-6.1.0
Exploit type: Incorrect Access Control
Reported Date: 2026-04-29
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48900

Description

An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.

Affected Installs

Joomla! CMS versions 4.1.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Federico Brasili, Linkedin

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Moderate
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Incorrect Access Control
Reported Date: 2026-04-23
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48899

Description

An improper access check allow unauthorized users to perform actions related to the installation of sampledata.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: 廖双, JSST

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Privilege Escalation
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48904

Description

An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Christos Papakonstantinou, Cantina

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Privilege Escalation
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48898

Description

An improper access check allows privlege escalation through the com_users batch task.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Adrian Junge aka vulno, Christos Papakonstantinou, Cantina

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Moderate
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Authentication Bypass
Reported Date: 2026-04-01
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48897

Description

Incorrectly resetted session states to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Morris Baumgarten-Egemole

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Moderate
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Authentication Bypass
Reported Date: 2026-04-01
Fixed Date: 2026-05-26
CVE Number: CVE-2026-48896

Description

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Doyensec in collaboration with Claude and Anthropic Research, Christos Papakonstantinou, Cantina

Page 1 of 31