Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Path traversal
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-40384

Description

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Doyensec in collaboration with Claude and Anthropic Research

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 3.2.1-5.4.5,6.0.0-6.1.0
Exploit type: Local File Inclusion
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-40383

Description

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

Affected Installs

Joomla! CMS versions 3.2.1-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Doyensec in collaboration with Claude and Anthropic Research

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Incorrect Access Control
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-35223

Description

An improper access check allows unauthorized access to com_config webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Rishi Shakya, Qi Deng

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: SQLi
Reported Date: 2026-03-31
Fixed Date: 2026-05-26
CVE Number: CVE-2026-352212

Description

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Adrian Junge aka vurlo, Federico Brasili

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Moderate
Probability: Moderate
Versions: 5.4.0-5.4.5,6.0.0-6.1.0
Exploit type: SQLi
Reported Date: 2026-03-31
Fixed Date: 2026-05-26
CVE Number: CVE-2026-35221

Description

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

Affected Installs

Joomla! CMS versions 5.4.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Adrian Junge aka vurlo

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 6.0.0-6.1.0
Exploit type: CSRF
Reported Date: 2026-03-28
Fixed Date: 2026-05-26
CVE Number: CVE-2026-35220

Description

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

Affected Installs

Joomla! CMS versions 6.0.0-6.1.0

Solution

Upgrade to version 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sun HuangnSec

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-14
Fixed Date: 2026-05-26
CVE Number: CVE-2026-30895

Description

Lack of output escaping leads to a XSS vector in the content history component.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: peterhulst

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 3.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-01
Fixed Date: 2026-05-26
CVE Number: CVE-2026-30894

Description

Lack of output escaping leads to a XSS vector in the content history component.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phan Phan Hai Long

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-01
Fixed Date: 2026-05-26
CVE Number: CVE-2026-25901

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: vnth4nhnt from CyStack, Pavel Kohout from Aisle Research

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 3.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-03-28
Fixed Date: 2026-05-26
CVE Number: CVE-2026-25900

Description

Lack of output escaping leads to a XSS vector in the feed modules.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Mohamed Elabbas, Sun Huang

Page 2 of 31