[20260509] - Core - LFI in HTMLView layout parameter

Project: Joomla!
SubProject: CMS
Impact: High
Severity: High
Probability: Low
Versions: 3.2.1-5.4.5,6.0.0-6.1.0
Exploit type: Local File Inclusion
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-40383

Description

An improper validation of user-supplied input leads to a local file inclusion vulnerability.

Affected Installs

Joomla! CMS versions 3.2.1-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Doyensec in collaboration with Claude and Anthropic Research