Developer Network™

Download
Launch

Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-23
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48899

Description

An improper access check allow unauthorized users to perform actions related to the installation of sampledata.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  廖双, JSST

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Privilege Escalation
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48904

Description

An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Christos Papakonstantinou, Cantina

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Privilege Escalation
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48898

Description

An improper access check allows privlege escalation through the com_users batch task.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Adrian Junge aka vulno, Christos Papakonstantinou, Cantina

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Authentication Bypass
  • Reported Date: 2026-04-01
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48897

Description

Incorrectly resetted session states to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Morris Baumgarten-Egemole

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Authentication Bypass
  • Reported Date: 2026-04-01
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-48896

Description

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Doyensec in collaboration with Claude and Anthropic Research, Christos Papakonstantinou, Cantina

  • Project: Joomla!
  • SubProject: CMS
  • Impact: Moderate
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Path traversal
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-40384

Description

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Doyensec in collaboration with Claude and Anthropic Research

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: High
  • Probability: Low
  • Versions: 3.2.1-5.4.5,6.0.0-6.1.0
  • Exploit type: Local File Inclusion
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-40383

Description

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

Affected Installs

Joomla! CMS versions 3.2.1-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Doyensec in collaboration with Claude and Anthropic Research

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: Incorrect Access Control
  • Reported Date: 2026-04-15
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-35223

Description

An improper access check allows unauthorized access to com_config webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Rishi Shakya, Qi Deng

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Low
  • Versions: 4.0.0-5.4.5,6.0.0-6.1.0
  • Exploit type: SQLi
  • Reported Date: 2026-03-31
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-352212

Description

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Adrian Junge aka vurlo, Federico Brasili

  • Project: Joomla!
  • SubProject: CMS
  • Impact: High
  • Severity: Moderate
  • Probability: Moderate
  • Versions: 5.4.0-5.4.5,6.0.0-6.1.0
  • Exploit type: SQLi
  • Reported Date: 2026-03-31
  • Fixed Date: 2026-05-26
  • CVE Number: CVE-2026-35221

Description

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

Affected Installs

Joomla! CMS versions 5.4.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By:  Adrian Junge aka vurlo

Page 1 of 31