Security Announcements

This feed provides announcements of resolved security issues in Joomla! software releases.

For more information about the Joomla! Security Strike Team (JSST) and its processes, please review our Security article.

To report potential security issues, please follow the guidelines in the above referenced article. Please note that we are only able to provide support for the Joomla! CMS, Joomla! Framework, and *.joomla.org network of websites.

You can subscribe to notifications from this feed through a RSS reader.

Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Probability: Moderate
Versions: 3.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: Incorrect Access Control
Reported Date: 2026-03-11
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21629

Description

The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.

Affected Installs

Joomla! CMS versions 3.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: JSST

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Low
Probability: Moderate
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: SQLi
Reported Date: 2026-03-05
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21630

Description

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: XSS
Reported Date: 2026-03-11
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21631

Description

Lack of output escaping leads to a XSS vector in the multilingual associations component

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Shirsendu Mondal & Md Tanzimul Alam Fahim, UNC Pembroke

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: XSS
Reported Date: 2026-03-10
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21632

Description

Lack of output escaping for article titles leads to XSS vectors in various locations.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: peter vanderhulst

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: Arbitrary File Deletion
Reported Date: 2026-03-16
Fixed Date: 2026-03-31
CVE Number: CVE-2026-23898

Description

Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: Incorrect Access Control
Reported Date: 2026-03-09
Fixed Date: 2026-03-31
CVE Number: CVE-2026-23899

Description

An improper access check allows unauthorized access to webservice endpoints.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Phil Taylor

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.1, 6.0.0-6.0.1
Exploit type: XSS
Reported Date: 2025-11-14
Fixed Date: 2026-01-06
CVE Number: CVE-2025-63082

Description

Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.1, 6.0.0-6.0.1

Solution

Upgrade to version 5.4.2 or 6.0.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: Sho Sugiyama of SUZUKI MOTOR CORPORATION

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 3.9.0-5.4.1, 6.0.0-6.0.1
Exploit type: XSS
Reported Date: 2025-09-29
Fixed Date: 2026-01-06
CVE Number: CVE-2025-63083

Description

Lack of output escaping leads to a XSS vector in the pagebreak and pagenavigation plugins.

Affected Installs

Joomla! CMS versions 3.9.0-5.4.1, 6.0.0-6.0.1

Solution

Upgrade to version 5.4.2 or 6.0.2

Contact

The JSST at the Joomla! Security Centre.

Reported By: peterhulst

Project: Joomla! / Joomla! Framework
SubProject: CMS / filter
Impact: Moderate
Severity: Moderate
Probability: Moderate
Versions: 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3
Exploit type: XSS
Reported Date: 2025-08-03
Fixed Date: 2025-09-30
CVE Number: CVE-2025-54476

Description

Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.

Affected Installs

Joomla! CMS versions 3.0.0-3.10.20-elts, 4.0.0-4.4.13, 5.0.0-5.3.3

Solution

Upgrade to version 4.4.14 or 5.3.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Flydragon, Poi, Cwy, Xtrimi

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Probability: Low
Versions: 4.0.0-4.4.13, 5.0.0-5.3.3
Exploit type: User Enumeration
Reported Date: 2025-09-04
Fixed Date: 2025-09-30
CVE Number: CVE-2025-54477

Description

Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method.

Affected Installs

Joomla! CMS versions 4.0.0-4.4.13, 5.0.0-5.3.3

Solution

Upgrade to version 4.4.14 or 5.3.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Marco Schubert

Page 1 of 29