[20260302] - Core - SQL injection in com_content articles webservice endpoint

Project: Joomla!
SubProject: CMS
Impact: High
Severity: Low
Probability: Moderate
Versions: 4.0.0-5.4.3, 6.0.0-6.0.3
Exploit type: SQLi
Reported Date: 2026-03-05
Fixed Date: 2026-03-31
CVE Number: CVE-2026-21630

Description

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.3, 6.0.0-6.0.3

Solution

Upgrade to version 5.4.4 or 6.0.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Antonio Morales from GitHub Security Lab Taskflow Agent / vnth4nhnt from CyStack