[20260510] - Core - Path traversal in com_media webservice endpoint

Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Moderate
Probability: Low
Versions: 4.0.0-5.4.5,6.0.0-6.1.0
Exploit type: Path traversal
Reported Date: 2026-04-15
Fixed Date: 2026-05-26
CVE Number: CVE-2026-40384

Description

An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.

Affected Installs

Joomla! CMS versions 4.0.0-5.4.5,6.0.0-6.1.0

Solution

Upgrade to version 5.4.6,6.1.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Doyensec in collaboration with Claude and Anthropic Research