Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 6.0.0-6.1.0
Exploit type: CSRF
Reported Date: 2026-03-28
Fixed Date: 2026-05-26
CVE Number: CVE-2026-35220

Description

Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

Affected Installs

Joomla! CMS versions 6.0.0-6.1.0

Solution

Upgrade to version 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sun HuangnSec

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-14
Fixed Date: 2026-05-26
CVE Number: CVE-2026-30895

Description

Lack of output escaping leads to a XSS vector in the content history component.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: peterhulst

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 3.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-01
Fixed Date: 2026-05-26
CVE Number: CVE-2026-30894

Description

Lack of output escaping leads to a XSS vector in the content history component.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phan Phan Hai Long

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-04-01
Fixed Date: 2026-05-26
CVE Number: CVE-2026-25901

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: vnth4nhnt from CyStack, Pavel Kohout from Aisle Research

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 3.0.0-5.4.5, 6.0.0-6.1.0
Exploit type: XSS
Reported Date: 2026-03-28
Fixed Date: 2026-05-26
CVE Number: CVE-2026-25900

Description

Lack of output escaping leads to a XSS vector in the feed modules.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.5, 6.0.0-6.1.0

Solution

Upgrade to version 5.4.6 or 6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Mohamed Elabbas, Sun Huang

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Moderate
Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: Incorrect Access Control
Reported Date: 2026-03-11
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21629

Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: JSST

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Low
Probability: Moderate
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: SQLi
Reported Date: 2026-03-05
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21630

Description

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: XSS
Reported Date: 2026-03-11
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21631

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: XSS
Reported Date: 2026-03-10
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21632

Description

Lack of output escaping for article titles leads to XSS vectors in various locations.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: peter vanderhulst

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: Arbitrary File Deletion
Reported Date: 2026-03-16
Fixed Date: 2026-03-31
CVE Number: CVE-2026-23898

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

Page 2 of 31